A Magecart card-skimming campaign this month sabotaged the mobile websites of two hotel chains by executing a supply chain attack on a third-party partner, researchers have reported.
The third party in both instances was Roomleader, a Barcelona-based provider of digital marketing and web development services. One of the ways Roomleader helps hospitality companies build out their online booking functionality is through a library module called "viewedHotels," which saves viewed hotel information in visitors' browser cookies.
As is typical with Magecart attacks, the skimmer was designed to steal data from payment forms, including credit card details, names, email addresses, telephone numbers and hotel room preferences. This information is doubly encrypted and exfiltrated to the attackers, who can then decrypt and view it.
Interestingly, the skimmer was also programmed to replace mobile websites' normal payment forms with a slightly different version created by the attackers. The attackers even went so far as to translate the fraudulent forms into eight different languages, to match the various languages supported by the targeted hotel websites.
Trend Micro offered a reason for this: Certain hotel booking forms don't ask for Card Verification Code (CVC) numbers in advance because the customer can simply pay upon arriving at the hotel. A form that never collects the CVC doesn't help the attackers, so they created a replacement form that asks for these security numbers.
SC Media has reached out to Roomleader for comment.