A Magecart card-skimming campaign this month sabotaged the mobile websites of two hotel chains by executing a supply chain attack on a third-party partner, researchers have reported.
The third party in both instances was Roomleader, a Barcelona-based provider of digital marketing and web development services. One of the ways Roomleader helps hospitality companies build out their online booking functionality is through a library module called "viewedHotels," which saves viewed hotel information in visitors' browser cookies.
Both of the affected hotel chains implemented this module, which the adversaries had infected with malicious JavaScript after first compromising Roomleader, according to Trend Micro, whose researchers discovered the attacks and disclosed them in a company blog post today. The lodging chains were not named, but one has 107 hotels in 14 countries and the other has 73 hotels in 14 countries.
As is typical with Magecart attacks, the skimmer was designed to steal data from payment forms, including credit card details, names, email addresses, telephone numbers and hotel room preferences. This information is doubly encrypted and exfiltrated to the attackers, who can then decrypt and view it.
Although the skimmer code is capable of swiping data from both PC and mobile browsers, the Magecart actors specifically programmed the malware to only deliver the skimmer to mobile users. Desktop users, on the other hand, received normal JavaScript copied from a GitHub, "likely because the threat actor behind it wants to avoid detection from PC-based security software," explained Trend Micro fraud researcher Joseph Chen in the blog post.
Interestingly, the skimmer was also programmed to replace mobile websites' normal payment forms with a slightly different version created by the attackers. The attackers even went as far as to translate the fraudulent forms into eight different languages, to match the various languages supported by the targeted hotel websites.
Trend Micro offered a reason for this: Certain hotel booking forms don't ask for Card Verification Code (CVC) numbers in advance because the customer can simply pay upon arriving at the hotel. This doesn't help the attackers, so they created a replacement form that asks for these security numbers.
There is also a second possible motive: "...Sometimes, the booking page will host the credit card form in a different domain using an HTML iframe element to make it more secure," Chen wrote. "In this scenario, a regular JavaScript skimmer will not be able to copy the data inside the secure iframe. Therefore, the attacker removes the iframe of the secured credit card form and injects his own form so the skimmer can copy the information."
SC Media has reached out to Roomleader for comment.
