We discovered a series of incidents where the credit card skimming attack Magecart was used to hit the booking websites of chain-brand hotels — the second time we’ve seen a Magecart threat actor directly hit ecommerce service providers instead of going for individual stores or third-party supply chains. Back in May, we discovered a new Magecart-using group called “Mirrorthief,” which compromised an ecommerce service provider used by American and Canadian universities.
We found both of the affected hotel websites were developed by Roomleader, a company from Spain that helps hotels build their online booking websites. The malicious code wasn’t injected directly into the website but rather into the script of Roomleader’s module called “viewedHotels” that was provided to its clients and subsequently used for two websites of two different hotel chains. Despite the seemingly small number of affected sites, we still consider the attack significant given that one of the brands has 107 hotels in 14 countries while the other has 73 hotels in 14 countries. Note that we have reached out to Roomleader regarding this issue.
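Because the malicious code rode in through a vendor module shared by several client sites rather than through the sites themselves, one control a site owner can apply is to pin the reviewed copy of such a module with Subresource Integrity and re-check it out of band. The following is an added Python example, not code from the write-up or from Roomleader; the vendor URL, module body and fetcher functions are constructed stand-ins.

```python
import base64
import hashlib
from typing import Callable


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Compute a Subresource Integrity value ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, integrity: str) -> str:
    """Render the <script> tag a site would use to pin a third-party module."""
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


def verify_pinned_script(fetch: Callable[[str], bytes], src: str, expected: str) -> bool:
    """Out-of-band check: re-fetch the vendor script and compare it to the pinned hash.
    Browsers do this on every load when `integrity` is set; running it from a monitor
    also catches a changed module on pages that never set the attribute."""
    algo = expected.split("-", 1)[0]
    return sri_hash(fetch(src), algo) == expected


# Constructed stand-ins (hypothetical URL and module body) for the copy that was reviewed.
VENDOR_SRC = "https://vendor.example.invalid/modules/viewedHotels.js"
REVIEWED_BODY = b"window.viewedHotels = function () { /* benign module body */ };"
PINNED = sri_hash(REVIEWED_BODY)


def fetch_unchanged(url: str) -> bytes:
    """Simulates the vendor still serving the reviewed module."""
    return REVIEWED_BODY


def fetch_tampered(url: str) -> bytes:
    """Simulates the vendor copy having been modified after review (constructed)."""
    return REVIEWED_BODY + b"\n/* appended content */"


if __name__ == "__main__":
    print(script_tag(VENDOR_SRC, PINNED))
    print("unchanged:", verify_pinned_script(fetch_unchanged, VENDOR_SRC, PINNED))
    print("tampered:", verify_pinned_script(fetch_tampered, VENDOR_SRC, PINNED))
```

SRI only helps when the module is served as a static file whose every legitimate change is re-reviewed and re-pinned; a module that changes often or loads further scripts itself needs a vendored copy or a strict Content-Security-Policy instead.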
The script injected into the hotel booking website
Figure 1. Infection chain of the Magecart skimming attack on the online hotel booking websites
Analysis of the credit card skimmer
Upon further testing of the skimmer URL, we found that it downloaded a different script when we made the request with an HTTP User-Agent from a mobile device. This script turned out to be a credit card skimmer. Although we found the skimmer to work on both PC and mobile browsers, it seems the attacker only targeted mobile users, most likely to avoid detection by PC-based security software. The skimmer is not a new one — we’ve seen instances where it was used by other groups. Most likely, it is a general skimmer that is shared via underground forums.
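The User-Agent-dependent delivery described above is something a monitoring job can check for directly: request the same script URL with a desktop and a mobile User-Agent and flag any difference. This is an added Python example, not the write-up's own tooling; the User-Agent strings, URL and the offline fake fetcher are constructed, and `live_fetch` is the real-network variant.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Constructed User-Agent strings (hypothetical values) for the two request profiles.
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ExampleBrowser/1.0"
MOBILE_UA = "Mozilla/5.0 (Linux; Android 9; Phone) ExampleBrowser/1.0 Mobile"


def check_ua_cloaking(url: str, fetch: Callable[[str, str], bytes]) -> Dict[str, object]:
    """Fetch `url` once per User-Agent profile and report whether the bodies differ.
    `fetch(url, user_agent)` is injected so the check can run offline in tests."""
    desktop = fetch(url, DESKTOP_UA)
    mobile = fetch(url, MOBILE_UA)
    d_hash = hashlib.sha256(desktop).hexdigest()
    m_hash = hashlib.sha256(mobile).hexdigest()
    return {
        "url": url,
        "desktop_sha256": d_hash,
        "mobile_sha256": m_hash,
        "cloaked": d_hash != m_hash,   # True when the server serves different content per UA
        "size_delta": len(mobile) - len(desktop),
    }


def live_fetch(url: str, user_agent: str) -> bytes:
    """Network fetcher with the User-Agent header set (not used in the offline demo)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


# Constructed responses simulating a server that cloaks on User-Agent: a benign stub for
# desktop clients and a different, larger body for mobile clients.
_FAKE_RESPONSES = {
    DESKTOP_UA: b"/* constructed placeholder served to desktop browsers */",
    MOBILE_UA: b"/* constructed stand-in for the script served only to mobile browsers */",
}


def fake_fetch(url: str, user_agent: str) -> bytes:
    return _FAKE_RESPONSES[user_agent]


if __name__ == "__main__":
    print(check_ua_cloaking("https://example.invalid/gtm.js", fake_fetch))
```

A hash mismatch is not proof of malice (some CDNs legitimately vary by device), so treat it as a trigger to diff the two bodies by hand.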
Figure 3. The different scripts downloaded from the skimmer URL for desktop and mobile
The copied information is encrypted using RC4 with a hardcoded key: “F8C5Pe4Q”. Next, the skimmer generates a random string and uses it to XOR-encode the encrypted data a second time. The data is then sent via HTTP POST to the remote URL “https://googletrackmanager[.]com/gtm.php?id=” with the generated random string appended at the end. Upon receipt of the information, the attacker can then decrypt the data and collect the credit card information.
Figure 4. Credit card skimmer code to steal information from hotel booking page
Magecart replaces the original booking page with a fake one
Although the skimmer itself is not unique, we found that it removes the original credit card form on the booking page and injects another one prepared by the threat actor. We theorize two possible reasons for this. The first is that some hotels don’t ask customers to make online payments but instead ask them to pay at the hotel upon arrival. In cases like this, the booking form asks for credit card information but not the CVC number. To ensure that all credit card information is captured, the attacker replaces the original form with one that contains a CVC field.
Figure 5. The original credit card form (above) from the hotel website and the injected form (below) from the skimmer
Figure 6. The skimmer script used to remove the original form from the booking page and replace it with the fake one
To make it seem more legitimate, the attacker also prepared credit card forms in eight languages: English, Spanish, Italian, French, German, Portuguese, Russian, and Dutch. These languages match the languages supported by the targeted hotel websites. The skimmer will check which language the customer is using for the website and inject the corresponding fake credit card form into the page.
Figure 7. The eight languages of the fake credit card form inside the skimmer
We were unable to find any strong connections to previous Magecart groups based on the network infrastructure or the malicious code used in this attack. However, it’s possible that the threat actor behind this campaign was also involved in previous campaigns.
Recent incidents involving credit card skimmers like Magecart emphasize the need for businesses to secure their websites from potential compromise by implementing security best practices, which include regularly updating software to the latest versions and segregating networks to ensure that as little customer data as possible is exposed.
Furthermore, users can consider using payment systems such as Apple Pay and Google Pay, which offer additional authentication methods — minimizing the chance that attackers will be able to use the credit card even if they manage to collect the card’s details. The following Trend Micro solutions protect users and businesses by blocking the scripts and preventing access to the malicious domains:
- Trend Micro™ Security
- Smart Protection Suites and Worry-Free™ Business Security
- Trend Micro Network Defense
- Hybrid Cloud Security
Indicators of Compromise (IoCs)
| SHA-256 Hash / URL | File Name | Details | Detection name |
|---|---|---|---|
| ac58602d149305bd2331d555c15e6292bd5d09c34ade9e5eebb81e9ef1e7b312 | gtm.js | Credit card skimmer | TrojanSpy.JS.MAGECART.B |