#privacy: Hotel websites hit by Magecart skimming attack

Researchers from Trend Micro have discovered a series of Magecart credit card skimming attacks hitting booking websites of chain-brand hotels. 

In a blog post, Trend Micro wrote that researchers had, since August 9, found two hotel websites that were being injected with a JavaScript code. When analysing the script’s link, it downloaded a normal JavaScript code.

“However, we found that the same link could also download a different script when we requested it from mobile devices like Android or iOS phones. The downloaded script for mobile devices is a credit card skimmer which can steal the information entered on the hotel booking page and send it to a remote server.”

Both of the affected hotel websites were developed by Spanish company Roomleader. Researchers found that the malicious code was injected into the script of the Roomleader’s module named “viewedHotels”, which was provided to its clients, and used by two websites of two different hotel chains. 

Researchers explained that despite it appearing that a small number of sites were affected, the attack is still considered significant given that one of the hotel chains has 107 hotels in 14 countries and the other has 73 hotels in 14 countries. 

Threat actors were able to steal data by using a fake credit card form on the booking page of each website. This allows the skimmer to steal data from the payment forms, including names, email addresses, telephone numbers, hotel room preferences, and credit card details. 

The threat actors went out of their way to translate the fraudulent forms into eight different languages – languages which were supported by the targeted hotel websites. This was done so make the form appear more legitimate. 

The researchers have assumed that threat actors may have created a fake form because the original forms don’t ask users to fill in their credit card verification number (CVV number). 

“Recent incidents involving credit card skimmers like Magecart emphasise the need for businesses to secure their websites from potential compromise by implementing security best practices, which include regularly updating software to the latest versions and segregating networks to ensure that as little customer data as possible is exposed.

“Furthermore, users can consider using payment systems such as Apple Pay and Google Pay, which offer additional authentication methods — minimising the chance that attackers will be able to use the credit card even if they manage to collect the card’s details.”

The largest data protection, privacy and security event of 2020, now available on-demand!

Featuring four whole days of keynote sessions, panel debates, and an opportunity to network and chew over all things data-related through discussions in public boards and virtual booths, PrivSec Global is now available to watch on-demand.

You can access the content from all four days, by registering for access to our PrivSec Global platform below.

Learn More and Register

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.