Magecart: A new Magecart campaign was discovered in early September targeting the mobile booking applications for hotels. Two hotel websites from different chains were being compromised through JavaScript injection to load a remote script on the payment page of the website. The script’s link downloads a non-malicious JavaScript code, but in some instances when it was requested from a mobile device, it downloads a different script that was seen to be a credit card skimmer. The skimmer has the ability to steal the information that was uploaded to the booking site and send it to another server for the attacker to access. Both of the affected websites in this attack were developed by Roomleader, a Spanish company that assists hotels with building reservation websites. The code was not injected directly into the website but rather into a function called “viewedHotels” and is only used on two of the hotel’s websites. The attack first downloads a JavaScript code which will continuously check every second that the victim is on the booking page. If the booking page is being accessed, it will check to see if the browser debugger is closed and then loads another JavaScript where the skimmer actually lies. The user has to be on a mobile device, or it will not download the legitimate skimmer. The skimmer hooks its function to the “submit” button, which is typically clicked when people have entered payment information and want to make a reservation. It was seen in this attack that the checkout page of the website is completely replaced by Magecart. The reason behind this is that some hotels will not require payment until arrival, but still ask for a credit card to hold the room. Because they ask for the payment at a later date, some hotels do not require a CVC number to be entered when making a reservation. By replacing the checkout page with their own, the attacker guarantees they get all the credit card information that they want.
Analyst Notes
This instance is another one that has been seen in the past few months of the Magecart attackers not attacking third-party supply chains, but rather directly targeting the e-commerce site. E-commerce websites should make sure that they are following best security practices to avoid these situations. Roomleader has been notified of this issue, but there is a chance that the group will try and find another function within Roomleader that will affect more websites than just two.
