Researchers from Trend Micro have discovered a series of Magecart credit card skimming attacks hitting booking websites of chain-brand hotels.
“However, we found that the same link could also download a different script when we requested it from mobile devices like Android or iOS phones. The downloaded script for mobile devices is a credit card skimmer which can steal the information entered on the hotel booking page and send it to a remote server.”
Both of the affected hotel websites were developed by Spanish company Roomleader. Researchers found that the malicious code was injected into the script of the Roomleader’s module named “viewedHotels”, which was provided to its clients, and used by two websites of two different hotel chains.
Researchers explained that despite it appearing that a small number of sites were affected, the attack is still considered significant given that one of the hotel chains has 107 hotels in 14 countries and the other has 73 hotels in 14 countries.
Threat actors were able to steal data by using a fake credit card form on the booking page of each website. This allows the skimmer to steal data from the payment forms, including names, email addresses, telephone numbers, hotel room preferences, and credit card details.
The threat actors went out of their way to translate the fraudulent forms into eight different languages – languages which were supported by the targeted hotel websites. This was done so make the form appear more legitimate.
The researchers have assumed that threat actors may have created a fake form because the original forms don’t ask users to fill in their credit card verification number (CVV number).
“Recent incidents involving credit card skimmers like Magecart emphasise the need for businesses to secure their websites from potential compromise by implementing security best practices, which include regularly updating software to the latest versions and segregating networks to ensure that as little customer data as possible is exposed.
“Furthermore, users can consider using payment systems such as Apple Pay and Google Pay, which offer additional authentication methods — minimising the chance that attackers will be able to use the credit card even if they manage to collect the card’s details.”
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.