A Magecart threat actor has compromised the websites of two hotel chains to inject scripts targeting Android and iOS users, Trend Micro’s security researchers warn.
On August 9, the attackers injected JavaScript into the payment page of the targeted sites that loads a further script from a remote URL. That URL served harmless JavaScript when fetched from a desktop browser, but delivered a credit card skimmer when the request came from a mobile device.
“Although we found the skimmer to work on both PC and mobile browsers, it seems the attacker only targeted mobile users. This is most likely because the threat actor behind it wants to avoid detection from PC-based security software,” Trend Micro says.
The infected websites, Trend Micro says, were developed by Roomleader, a Spain-based firm that helps hotels build online booking websites. The malicious code was found injected in a Roomleader module “viewedHotels,” which the company provides to its clients.
Although the module was used on only two websites, belonging to two different hotel chains, the number of potential victims is high: one of the brands operates 107 hotels in 14 countries and the other 73 hotels in 14 countries.
The injected code first checks whether an HTML element with the ID "customerBookingForm" is present, which confirms it is running on the hotel's booking page, and then checks that the browser's debugger is not open, a simple anti-analysis measure.
Next, it loads a second script from an attacker-controlled domain whose URL mimics the legitimate Google Tag Manager loader URL; this second script contains the card skimmer that harvests data from the payment forms.
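A lookalike loader URL is something a site owner can check for. The following is an added example (not Trend Micro's code and not part of Roomleader's module) that pulls every external `<script src>` out of a booking page and flags hosts within a few edits of a trusted tag-manager or payment host. The trusted-host list, the edit-distance threshold, the page URL and the sample HTML are all assumptions constructed for the demonstration; the typosquatted host in the sample is the one named in the report.

```javascript
// Added example, not the report's or Roomleader's code: audit the <script>
// sources of a booking page and flag hosts that impersonate a trusted
// tag-manager or payment host, as the googletrackmanager[.]com loader did.
// Runs under Node; the HTML, page URL and host list are constructed for illustration.

const TRUSTED_SCRIPT_HOSTS = [          // assumed allowlist for this site
  'www.googletagmanager.com',
  'www.google-analytics.com',
  'js.stripe.com',
];

// Hosts within this many edits of a trusted host are treated as lookalikes
// (assumed threshold; "googletrackmanager.com" is 3 edits from the real one).
const LOOKALIKE_MAX_EDITS = 3;

// Levenshtein distance computed with a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];                 // dp[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];            // dp[i-1][j]
      row[j] = Math.min(
        above + 1,                                   // delete a[i-1]
        row[j - 1] + 1,                              // insert b[j-1]
        diag + (a[i - 1] === b[j - 1] ? 0 : 1),      // substitute
      );
      diag = above;
    }
  }
  return row[b.length];
}

// Compare names without a leading "www." so the prefix does not mask a typosquat.
function normalizeHost(host) {
  return host.toLowerCase().replace(/^www\./, '');
}

function classifyHost(host, pageHost) {
  const h = normalizeHost(host);
  if (h === normalizeHost(pageHost)) return 'same-origin';
  let closest = Infinity;
  for (const trusted of TRUSTED_SCRIPT_HOSTS) {
    const d = editDistance(h, normalizeHost(trusted));
    if (d === 0) return 'trusted';
    closest = Math.min(closest, d);
  }
  return closest <= LOOKALIKE_MAX_EDITS ? 'lookalike' : 'unknown';
}

// Pull every <script src=...> out of raw HTML and classify its host.
function auditScriptSources(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const results = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(re)) {
    const src = new URL(m[1], pageUrl);   // resolve relative paths against the page
    results.push({ src: src.href, host: src.hostname, verdict: classifyHost(src.hostname, pageHost) });
  }
  return results;
}

// Constructed booking page: a same-origin script, the legitimate GTM loader,
// and a loader from the typosquatted host named in the report.
const SAMPLE_PAGE = `
<html><body>
<form id="customerBookingForm">...</form>
<script src="/js/booking.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXX"></script>
<script src="https://googletrackmanager.com/gtm.js?id=GTM-XXXXXX"></script>
</body></html>`;

const SAMPLE_PAGE_URL = 'https://booking.example-hotel.com/reserve'; // constructed

function sampleAudit() {
  return auditScriptSources(SAMPLE_PAGE, SAMPLE_PAGE_URL);
}

for (const r of sampleAudit()) {
  console.log(`${r.verdict.padEnd(11)} ${r.host}`);
}
```

Run against a page fetched with a mobile User-Agent as well as a desktop one, since this loader only served the skimmer to mobile browsers. The same allowlist, expressed as a Content-Security-Policy `script-src` directive, would have refused the lookalike loader outright rather than merely reporting it.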
The skimmer used in this attack isn’t new, and the researchers believe it might be a general skimmer shared via underground forums.
The skimmer hooks the JavaScript events fired when a payment or booking is submitted. When one fires, it again checks that the debugger is closed, then copies the name and value of every "input" and "select" element on the page.
“In this case, the gathered information includes names, email addresses, telephone numbers, hotel room preferences, and credit card details,” Trend Micro explains.
The stolen information is encrypted with RC4 using a hardcoded key, XOR-encoded with a random string, and sent via HTTP POST to "https://googletrackmanager[.]com/gtm.php?id=", with the random string appended to the end of the payload so the receiving side can undo the XOR. Because the RC4 key is embedded in the script, this layering is obfuscation rather than protection: anyone holding the skimmer code and a captured request can recover the data.
The skimmer also replaces the original credit card form on the booking page so that every targeted field is captured: some booking pages do not ask for the CVC at all, and others load the card form in an iframe from a separate payment-provider domain, where the browser's same-origin policy keeps a script on the hotel page from reading the fields. A fake form injected into the hotel's own page sidesteps both.
The attackers created fake credit card forms in English, Spanish, Italian, French, German, Portuguese, Russian, and Dutch, which are the languages supported by the targeted hotel websites. The skimmer checks the language for the website and injects the corresponding fake credit card form.
Trend Micro says the network infrastructure and the malicious code used in this attack could not be strongly linked to previous Magecart groups, but the threat actor might have been involved in previous campaigns as well.
Related: Magecart Hackers Infect 17,000 Domains via Insecure S3 Buckets
Related: Magecart Skimmer Poses as Payment Service Provider

