Researchers discovered a series of incidents involving a software credit card skimmer used by Magecart to hit the booking websites of hotel chains.
Experts noticed that the link delivered a credit card skimmer script only when users visited the websites from mobile devices, suggesting that the attackers were targeting only mobile users.
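The mobile-only delivery described above can be checked from the defender's side by requesting each script the booking page loads under several User-Agent profiles and comparing the responses. The sketch below is an added example, not code from Trend Micro or from the affected sites; the function name, URLs and script bodies are constructed for illustration, and fetching is assumed to be done by the site owner's own crawler.

```javascript
// Added example: flag scripts whose body changes with the User-Agent class.
const crypto = require('crypto');

const sha256 = (body) =>
  crypto.createHash('sha256').update(body, 'utf8').digest('hex');

// observations: [{ url, profile, body }], one entry per (script URL, UA profile),
// collected by the defender's own crawler. Returns one finding per URL whose
// content is not identical across all profiles that were fetched.
function findUaConditionalScripts(observations) {
  const byUrl = new Map();
  for (const { url, profile, body } of observations) {
    if (!byUrl.has(url)) byUrl.set(url, new Map());
    byUrl.get(url).set(profile, { hash: sha256(body), size: body.length });
  }
  const findings = [];
  for (const [url, profiles] of byUrl) {
    const distinct = new Set([...profiles.values()].map((p) => p.hash));
    if (distinct.size > 1) {
      findings.push({ url, profiles: Object.fromEntries(profiles) });
    }
  }
  return findings;
}

// Constructed sample data (hypothetical URLs and bodies, not from the incident).
const SAMPLE = [
  { url: 'https://cdn.example/lib.js', profile: 'desktop',
    body: 'function ui(){}' },
  { url: 'https://cdn.example/lib.js', profile: 'mobile',
    body: 'function ui(){}' },
  { url: 'https://cdn.example/viewer.js', profile: 'desktop',
    body: 'function view(){}' },
  { url: 'https://cdn.example/viewer.js', profile: 'mobile',
    body: 'function view(){}/* extra payload */' },
];

// Only viewer.js is reported: its mobile response differs from the desktop one.
console.log(JSON.stringify(findUaConditionalScripts(SAMPLE), null, 2));
```

Scripts that legitimately vary per request (ad tags, A/B tests) will also be reported, so each finding needs a manual diff of the two bodies before it is treated as an injection.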
Trend Micro noticed that infected websites were developed by
Although the module was only used for two websites of two different hotel chains, the number of potential victims is very high, as one of these brands has 107 hotels in 14 countries, while the other has 73 hotels in 14 countries.
“Despite the seemingly small number of affected sites, we still consider the attack significant given that one of the brands has 107 hotels in 14 countries while the other has 73 hotels in 14 countries. Note that we have reached out to
The code injected in the websites first checks if an HTML element containing the ID “
If the code detects the booking page, it will check if the
The skimmer script used in these attacks collects customers’ data, including names, email addresses, telephone numbers, hotel room preferences, and of course, credit card details.
The script encrypts data with RC4 using a
The software skimmer replaces the original credit card form on the booking page. In this way, attackers could require customers to submit all credit card data, including the CVC number, which is not required on some booking pages. This trick also works to collect all
Trend Micro pointed out that the network infrastructure and the scripts used in this attack could not be strongly linked to previous Magecart attacks.
“We were unable to find any strong connections to previous Magecart groups based on the network infrastructure or the malicious code used in this attack. However, it’s possible that the threat actor behind this campaign was also involved in previous campaigns.” concludes Trend Micro.