Pierluigi Paganini September 20, 2019

Trend Micro researchers reported that a Magecart group has hacked the websites of two hotel chains to inject scripts targeting Android and iOS users.

Researchers discovered a series of incidents involving software credit card skimmer used by Magecart to hit the booking websites of hotel chains.

In early September, the researchers discovered a JavaScript code onto two hotel websites belonging to different hotel chains. The JavaScript code was used to load a remote script on their payment page since August 9. 

“When we first checked the script’s link, it downloaded a normal JavaScript code. However, we found that the same link could also download a different script when we requested it from mobile devices like Android or iOS phones.” reads the analysis published by Trend Micro. “The downloaded script for mobile devices is a credit card skimmer which can steal the information entered on the hotel booking page and send it to a remote server.”

Experts noticed that the link would deliver a credit card skimmer script only when users visited the websites using mobile devices, suggesting that the attackers aimed at targeting only mobile users.

Trend Micro noticed that infected websites were developed by Roomleader, a firm that designs online booking websites. Threat actors injected the malicious code in the Roomleader module “viewedHotels.”

Although the module was only used for two websites of two different hotel chains, the number of potential victims is very high, as one of these brands has 107 hotels in 14 countries, while the other has 73 hotels in 14 countries.

“Despite the seemingly small number of affected sites, we still consider the attack significant given that one of the brands has 107 hotels in 14 countries while the other has 73 hotels in 14 countries. Note that we have reached out to Roomleader regarding this issue.” continues the analysis.

The code injected in the websites first checks if an HTML element containing the ID “customerBookingForm” is present on the webpage to verify that it is running on the hotel’s booking page.

If the code detects the booking page, it will check if the browser debugger is closed and then load another JavaScript from the URL hxxps://googletrackmanager[.]com/gtm[.]js that contains the card skimmer code.

The skimmer hooks the JavaScript events that are triggered when customers make a payment or submit a booking. When these events happen, the skimmer checks if the browser debugger is closed, then copies the name and value from “input” or “select” HTML elements on the booking page.

The skimmer script used in these attacks collects customers’ data, including names, email addresses, telephone numbers, hotel room preferences, and of course, credit card details.

The script encrypts data with RC4 using a hardcoded key, encoded using XOR, and then sent via HTTP POST to “https://googletrackmanager[.]com/gtm.php?id=.” The scripts appens the random string used to encode the data at the end.

The software skimmer replaces the original credit card form on the booking page, in this way attackers could require customers to submit all credit card data, including the CVC number that is not required in some booking pages. This trick also works to collect all customers data when the websites use secure iframes to load the credit card form from a different domain.

Magecart attackers created fake credit card forms in English, Spanish, Italian, French, German, Portuguese, Russian, and Dutch.

Trend Micro pointed out the network infrastructure and the scripts used in this attack could not be strongly linked to previous Magecart attacks.

“We were unable to find any strong connections to previous Magecart groups based on the network infrastructure or the malicious code used in this attack. However, it’s possible that the threat actor behind this campaign was also involved in previous campaigns.” concludes Trend Micro.

Pierluigi Paganini

(SecurityAffairs – Magecart, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]