A Magecart threat actor has compromised the websites of two hotel chains to inject scripts targeting Android and iOS users, Trend Micro’s security researchers warn.
“Although we found the skimmer to work on both PC and mobile browsers, it seems the attacker only targeted mobile users. This is most likely because the threat actor behind it wants to avoid detection from PC-based security software,” Trend Micro says.
The infected websites, Trend Micro says, were developed by Roomleader, a Spain-based firm that helps hotels build online booking websites. The malicious code was found injected in a Roomleader module “viewedHotels,” which the company provides to its clients.
Although the module was only used for two websites of two different hotel chains, the number of potential victims is very high, as one of these brands has 107 hotels in 14 countries, while the other has 73 hotels in 14 countries.
The malicious code was designed to first check if an HTML element containing the ID “customerBookingForm” is present on the page, which confirms it is running on the hotel’s booking page, and then to check if the browser debugger is closed.
The skimmer used in this attack isn’t new, and the researchers believe it might be a general skimmer shared via underground forums.
“In this case, the gathered information includes names, email addresses, telephone numbers, hotel room preferences, and credit card details,” Trend Micro explains.
The stolen information is encrypted using RC4 with a hardcoded key, encoded using XOR, and then sent via HTTP POST to “https://googletrackmanager[.]com/gtm.php?id=.” The random string used to encode the data is appended at the end.
The skimmer also replaces the original credit card form on the booking page, so as to ensure that all of the targeted credit card data is exfiltrated — some booking pages might not require the CVC number, while others use secure iframes to load the credit card form from a different domain.
The attackers created fake credit card forms in English, Spanish, Italian, French, German, Portuguese, Russian, and Dutch, which are the languages supported by the targeted hotel websites. The skimmer checks the website's language and injects the corresponding fake credit card form.
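The form-swapping behaviour described above is something a site can watch for on the client side. The following is an added example, not code from Trend Micro, Roomleader, or the affected hotel sites: a first-party integrity monitor that fingerprints the booking form at load time and reports when its fields change, when card-data inputs appear in a form that originally collected none, or when a form action or iframe points at an origin outside an allowlist. Only the form id is taken from the article; the allowed origins, the reporting endpoint and the field-name heuristics are assumptions chosen for the example. The scoring and audit functions take plain descriptors so they run without a browser; the DOM wiring at the end only executes in one.

```javascript
// Added example (not from the article, Trend Micro, or Roomleader).
// Detects replacement of the booking form and injection of card-data inputs.

const FORM_ID = 'customerBookingForm';          // id the article says the skimmer checks for
const REPORT_URL = '/integrity-report';         // assumed: the site's own reporting endpoint
const ALLOWED_ORIGINS = [                       // assumed placeholders for this example
  'https://booking.example-hotel.test',
  'https://pay.example-psp.test',
];

// Heuristic patterns for inputs that collect card data (assumed, tune per site).
const CARD_FIELD_PATTERNS = [
  /card\s*_?(number|no|num)/i, /\bccnum\b/i, /\bpan\b/i,
  /\bcc[-_]?(number|num|exp|csc)\b/i,
  /\b(cvc|cvv|csc)\b|security\s*code/i,
  /expir|\bexp[-_]?(month|year|date|mm|yy)\b/i, /cardholder|name\s*on\s*card/i,
];

// Score one input descriptor {name, id, autocomplete, placeholder, type}.
function cardFieldScore(input) {
  const text = [input.name, input.id, input.autocomplete, input.placeholder]
    .filter(Boolean).join(' ');
  let score = 0;
  if (CARD_FIELD_PATTERNS.some((re) => re.test(text))) score += 2;
  if (/^cc-/i.test(input.autocomplete || '')) score += 2; // autocomplete="cc-number", "cc-csc", ...
  return score;
}

// A set of inputs looks like a card form when at least two of them score as card fields.
function looksLikeCardForm(inputs) {
  return inputs.filter((i) => cardFieldScore(i) >= 2).length >= 2;
}

// Stable fingerprint of a form's fields (type:name pairs, sorted).
function fingerprint(inputs) {
  return inputs
    .map((i) => `${(i.type || 'text').toLowerCase()}:${i.name || i.id || '?'}`)
    .sort().join('|');
}

// Baseline captured once, when the site's own markup has rendered.
function makeBaseline(inputs) {
  return { fingerprint: fingerprint(inputs), hasCardFields: looksLikeCardForm(inputs) };
}

// True if url (absolute or relative to base) resolves to an allowlisted origin.
function isAllowedOrigin(url, allowed, base) {
  try { return allowed.includes(new URL(url, base).origin); } catch (e) { return false; }
}

// Compare a snapshot {inputs, frames, action} against the baseline; [] means unchanged.
function auditBookingForm(baseline, snapshot, allowed, base) {
  const findings = [];
  const now = fingerprint(snapshot.inputs);
  if (now !== baseline.fingerprint) {
    findings.push({ type: 'form-fields-changed', before: baseline.fingerprint, after: now });
  }
  if (!baseline.hasCardFields && looksLikeCardForm(snapshot.inputs)) {
    findings.push({ type: 'card-fields-injected' });
  }
  for (const src of snapshot.frames || []) {
    if (!isAllowedOrigin(src, allowed, base)) findings.push({ type: 'frame-origin-unexpected', src });
  }
  if (snapshot.action && !isAllowedOrigin(snapshot.action, allowed, base)) {
    findings.push({ type: 'form-action-unexpected', action: snapshot.action });
  }
  return findings;
}

// Browser-only wiring: re-audit on every DOM mutation and beacon any findings.
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const describe = (form) => ({
    inputs: Array.from(form.querySelectorAll('input,select')).map((el) => ({
      name: el.name, id: el.id, type: el.type,
      autocomplete: el.autocomplete, placeholder: el.placeholder,
    })),
    frames: Array.from(form.querySelectorAll('iframe')).map((f) => f.src),
    action: form.getAttribute('action') || '',
  });
  const form = document.getElementById(FORM_ID);
  if (form) {
    const baseline = makeBaseline(describe(form).inputs);
    new MutationObserver(() => {
      // Re-query: a skimmer that swaps the whole form leaves the old reference stale.
      const current = document.getElementById(FORM_ID);
      const snapshot = current ? describe(current) : { inputs: [], frames: [], action: '' };
      const findings = auditBookingForm(baseline, snapshot, ALLOWED_ORIGINS, location.href);
      if (findings.length) navigator.sendBeacon(REPORT_URL, JSON.stringify(findings));
    }).observe(document.documentElement, { childList: true, subtree: true, attributes: true });
  }
}
```

The baseline must be taken from the site's own rendered markup, so this script should load before any third-party tags and be covered by Subresource Integrity; a monitor that a skimmer can load before or modify is not a control. The same allowlist belongs in a Content-Security-Policy (`form-action`, `frame-src`, `connect-src`) with a `report-to` directive, which blocks the HTTP POST to an unlisted domain regardless of how the payload is encrypted or encoded, and gives the same telemetry without client code.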
Trend Micro says the network infrastructure and the malicious code used in this attack could not be strongly linked to previous Magecart groups, but the threat actor might have been involved in previous campaigns as well.