A Magecart threat actor has compromised the websites of two hotel chains to inject scripts targeting Android and iOS users, Trend Micro’s security researchers warn.
On August 9, the hackers planted JavaScript code to load a remote script onto the target sites’ payment page. The link would download normal JavaScript code when accessed from a desktop computer, but it would deliver a credit card skimmer script to mobile devices.
“Although we found the skimmer to work on both PC and mobile browsers, it seems the attacker only targeted mobile users. This is most likely because the threat actor behind it wants to avoid detection from PC-based security software,” Trend Micro says.
The infected websites, Trend Micro says, were developed by Roomleader, a Spain-based firm that helps hotels build online booking websites. The malicious code was found injected in a Roomleader module “viewedHotels,” which the company provides to its clients.
Although the module was only used for two websites of two different hotel chains, the number of potential victims is very high, as one of these brands has 107 hotels in 14 countries, while the other has 73 hotels in 14 countries.
The malicious code was designed to first check if an HTML element containing the ID “customerBookingForm” is present on the page, which confirms it is running on the hotel’s booking page, and then to check if the browser debugger is closed.
Next, it loads another JavaScript from an external domain (the style of the URL emulates the legitimate Google Tag Manager URL), and this script contains the card skimmer code designed to steal data from payment forms.
The skimmer used in this attack isn’t new, and the researchers believe it might be a general skimmer shared via underground forums.
The skimmer hooks the JavaScript events that are triggered when a payment or a booking is submitted. When this happens, the skimmer checks if the browser debugger is closed, then copies the name and value from “input” or “select” HTML elements on the page.
“In this case, the gathered information includes names, email addresses, telephone numbers, hotel room preferences, and credit card details,” Trend Micro explains.
The stolen information is encrypted using RC4 with a hardcoded key, encoded using XOR, and then sent via HTTP POST to “https://googletrackmanager[.]com/gtm.php?id=.” The random string used to encode the data is appended at the end.
The skimmer also replaces the original credit card form on the booking page, so as to ensure that all of the targeted credit card data is exfiltrated — some booking pages might not require the CVC number, while others use secure iframes to load the credit card form from a different domain.
The attackers created fake credit card forms in English, Spanish, Italian, French, German, Portuguese, Russian, and Dutch, which are the languages supported by the targeted hotel websites. The skimmer checks the language for the website and injects the corresponding fake credit card form.
Trend Micro says the network infrastructure and the malicious code used in this attack could not be strongly linked to previous Magecart groups, but the threat actor might have been involved in previous campaigns as well.
Related: Magecart Hackers Infect 17,000 Domains via Insecure S3 Buckets