Connect with us

Hi, what are you looking for?



Magecart Hackers Target Mobile Users of Hotel Websites

A Magecart threat actor has compromised the websites of two hotel chains to inject scripts targeting Android and iOS users, Trend Micro’s security researchers warn.

A Magecart threat actor has compromised the websites of two hotel chains to inject scripts targeting Android and iOS users, Trend Micro’s security researchers warn.

On August 9, the hackers planted JavaScript code to load a remote script onto the target sites’ payment page. The link would download normal JavaScript code when accessed from a desktop computer, but it would deliver a credit card skimmer script to mobile devices.

“Although we found the skimmer to work on both PC and mobile browsers, it seems the attacker only targeted mobile users. This is most likely because the threat actor behind it wants to avoid detection from PC-based security software,” Trend Micro says.

The infected websites, Trend Micro says, were developed by Roomleader, a Spain-based firm that helps hotels build online booking websites. The malicious code was found injected in a Roomleader module “viewedHotels,” which the company provides to its clients.

Although the module was only used for two websites of two different hotel chains, the number of potential victims is very high, as one of these brands has 107 hotels in 14 countries, while the other has 73 hotels in 14 countries.

The malicious code was designed to first check if an HTML element containing the ID “customerBookingForm” is present on the page, which confirms it is running on the hotel’s booking page, and then to check if the browser debugger is closed.

Next, it loads another JavaScript from an external domain (the style of the URL emulates the legitimate Google Tag Manager URL), and this script contains the card skimmer code designed to steal data from payment forms.

Advertisement. Scroll to continue reading.

The skimmer used in this attack isn’t new, and the researchers believe it might be a general skimmer shared via underground forums.

The skimmer hooks the JavaScript events that are triggered when a payment or a booking is submitted. When this happens, the skimmer checks if the browser debugger is closed, then copies the name and value from “input” or “select” HTML elements on the page.

“In this case, the gathered information includes names, email addresses, telephone numbers, hotel room preferences, and credit card details,” Trend Micro explains.

The stolen information is encrypted using RC4 with a hardcoded key, encoded using XOR, and then sent via HTTP POST to “https://googletrackmanager[.]com/gtm.php?id=.” The random string used to encode the data is appended at the end.

The skimmer also replaces the original credit card form on the booking page, so as to ensure that all of the targeted credit card data is exfiltrated — some booking pages might not require the CVC number, while others use secure iframes to load the credit card form from a different domain.

The attackers created fake credit card forms in English, Spanish, Italian, French, German, Portuguese, Russian, and Dutch, which are the languages supported by the targeted hotel websites. The skimmer checks the language for the website and injects the corresponding fake credit card form.

Trend Micro says the network infrastructure and the malicious code used in this attack could not be strongly linked to previous Magecart groups, but the threat actor might have been involved in previous campaigns as well.

Related: Magecart Hackers Infect 17,000 Domains via Insecure S3 Buckets

Related: Magecart Skimmer Poses as Payment Service Provider

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...