Magecart skimming attacks shift focus to target mobile users of hotel chain booking websites

• The hotel chains in question are spread across 14 countries, with one having 107 hotels and the other having 73 hotels.
• Websites of the two hotel chains were found to be injected with a JavaScript code since August 9, 2019.

A series of incidents involving the Magecart card-skimming attack has been noticed recently. The cyber crooks are now targeting mobile users of two hotel chain websites to steal payment card details along with other sensitive information. The hotel chains in question are spread across 14 countries, with one having 107 hotels and the other having 73 hotels.

What is the issue?

As per Trend Micro researchers, websites of two hotel chains were found to be injected with a JavaScript code since August 9, 2019. This code appeared to be different for Android and iOS phones and was designed to steal the information on the hotel booking page of the websites.

How was the attack executed?

Trend Micro noted that the affected hotel websites were developed by a Spain-based company named Roomleader. It helps hotels build their online booking websites.

• The attackers exploited Roomleader’s module called ‘viewedHotels’ to inject the malicious code into the websites.
• Once injected, the code checks the webpage to find whether it includes the ID ‘customerBookingForm’.

“The injected code first checks if an HTML element containing the ID ‘customerBookingForm’ is present on the webpage to make sure it is running on the hotel’s booking page. If the injected code is found to not be running on the page, it will go to sleep for one second and check repeatedly thereafter,” explained researchers.

What is the purpose of the skimmer?

The credit card skimmer is designed to steal data from payment forms. However, in this case, the gathered information includes:

• Names;
• Email addresses;
• Telephone numbers;
• Hotel room preferences and;
• Credit card details.

The stolen data are then sent via HTTP POST to the remote URL “https[:]//googletrackmanager[.]com/gtm.php?id=”. Upon receipt of the information, the attacker then decrypts the data and collects the credit card information.

An interesting aspect of the attack

Although this skimmer attack process is not unique, it is found that the original credit card forms on the booking page were replaced with a fake one. To make it appear legitimate, the attackers had also prepared the forms in eight languages that are supported by the targeted hotel websites. The languages were English, Spanish, Italian, French, German, Portuguese, Russian, and Dutch.

It is unclear if Magecart groups are involved in the attacks. However, researchers believe that the threat actors behind this campaign were also involved in previous campaigns.