On September 18, 2019, Trend Micro reported that they discovered a series of incidents where the credit card skimming attack Magecart was used to hit the booking websites of chain-brand hotels. In their renowned Security Intelligence Blog they stated, “In early September, we found two hotel websites (from different hotel chains) that were being injected with a JavaScript code to load a remote script on their payment page since August 9. When we first checked the script’s link, it downloaded a normal JavaScript code. However, we found that the same link could also download a different script when we requested it from mobile devices like Android or iOS phones. The downloaded script for mobile devices is a credit card skimmer which can steal the information entered on the hotel booking page and send it to a remote server.”
While the number of compromised users was not large, the attack is considered significant because of the global footprint of the affected hotel brands. Trend Micro said, “affected hotel websites were developed by Roomleader, a company from Spain that helps hotels build their online booking websites. The malicious code wasn’t injected directly into the website but rather into the script of Roomleader’s module called “viewedHotels” that was provided to its clients and subsequently used for two websites of two different hotel chains.”
Roger Grimes, Data-Driven Defense Evangelist at KnowBe4, suggests that a lack of vigilance on the part of website owners is a primary enabler of this type of attack, for which there are known effective notification and mitigation strategies. He said, “This is a combination of two major attack types: credit card skimming malware and a “supply chain” attack.
Credit card skimming malware being injected at legitimate customer sites has been an ongoing problem for many years and seems likely not to abate anytime soon. Attacking supply chains, which provide code and other services to larger services and sites, has also been a problem for years, but seems to be growing at an exponential pace just the last year or two.
The fix for both is for the customer and the supplier to not only implement better cybersecurity controls to prevent things like this from happening in the first place but also to monitor their sites and services, looking for unauthorized changes and signs of maliciousness.
Sadly, most companies really have no idea what is running on their websites. On most mature websites, there are 30 to 80 different “foreign” pieces of code coming in from all sorts of provided suppliers…each providing either some sort of customer service, ad placement, or customer metric collection. Most companies really don’t understand what is running on their websites at any one time, after losing track of what was really running on them many years ago. As long as the customers aren’t complaining, they don’t think they have a problem.
There are companies and services, which any website or service can buy, that will not only monitor what is going on within any particular website but proactively look for signs of maliciousness and notify website owners when something is amiss. Website and service owners don’t have to be surprised by things like this. They can proactively fight it. They just have to care enough to put the right controls in place.”
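One concrete form of the monitoring Grimes describes, added here as an example and not code from Trend Micro, KnowBe4 or Roomleader: pin the Subresource Integrity hash of the approved third-party script and flag any user agent for which the same URL serves a different body, which is exactly how the skimmer in this incident hid from desktop checks. The script bodies, user-agent names and the viewedHotels stub below are constructed placeholders.

```python
import base64
import hashlib

# Constructed stand-in for the approved third-party script as served to a desktop browser.
LEGIT_SCRIPT = b"window.viewedHotels = function(ids){ /* render recently viewed hotels */ };\n"

# Constructed stand-in for a different body served from the same URL to mobile user agents
# (placeholder bytes only; it is not the real skimmer).
MOBILE_VARIANT = b"window.viewedHotels = function(ids){ /* altered response */ };\n"

# Constructed fetch results keyed by the User-Agent used for the request. In a real
# monitor these would be the bodies returned by fetching the third-party URL with each UA.
FETCHED_BY_UA = {
    "desktop-chrome": LEGIT_SCRIPT,
    "android-chrome": MOBILE_VARIANT,
    "ios-safari": MOBILE_VARIANT,
}


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity token ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def divergent_user_agents(expected: bytes, fetched_by_ua: dict) -> list:
    """Return the user agents for which the served script differs from the approved version."""
    expected_token = sri_hash(expected)
    return sorted(ua for ua, body in fetched_by_ua.items() if sri_hash(body) != expected_token)


def integrity_attribute(expected: bytes) -> str:
    """Return the attributes that make the browser refuse a script whose hash has changed."""
    return f'integrity="{sri_hash(expected)}" crossorigin="anonymous"'


if __name__ == "__main__":
    print("pinned token:", sri_hash(LEGIT_SCRIPT))
    print("user agents receiving a different script:", divergent_user_agents(LEGIT_SCRIPT, FETCHED_BY_UA))
    print("<script> attributes:", integrity_attribute(LEGIT_SCRIPT))
```

Running the fetch with both desktop and mobile user agents matters because a desktop-only check would have reported this URL as clean; placing the pinned hash in the `integrity` attribute additionally makes the browser reject an altered response regardless of user agent.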
Trend Micro concluded, “Recent incidents involving credit card skimmers like Magecart emphasize the need for businesses to secure their websites from potential compromise by implementing security best practices, which include regularly updating software to the latest versions and segregating networks to ensure that as little customer data as possible is exposed.
Furthermore, users can consider using payment systems such as Apple Pay and Google Pay, which offer additional authentication methods — minimizing the chance that attackers will be able to use the credit card even if they manage to collect the card’s details.”