Malware targeting credit cards strikes hotel websites

A fresh wave of Magecart-linked attacks is taking place, with two hotel chains becoming the latest victims. The malware used in this attack, Magecart, has been used in dozens of other high-profile incidents.

Magecart, a loose affiliation of attack groups responsible for payment-card attacks on Ticketmaster, Forbes, British Airways, Newegg and others, typically inserts virtual credit-card skimmers into a web application (usually the shopping cart), a technique also known as formjacking, and steals credit card information to sell on the black market.

The common party in both instances was Roomleader, a Barcelona-based provider of digital marketing and web-development services. One of the ways Roomleader helps hospitality companies build out their online booking functionality is through a library module called “viewedHotels,” which saves viewed hotel information in visitors’ browser cookies.

Two hotel chains that feature this module were infected with malicious JavaScript after hackers first compromised Roomleader, according to Trend Micro, whose researchers discovered the attacks and disclosed them in a company post. The hotel companies were not named, but one has 107 hotels in 14 countries and the other has 73 hotels in 14 countries.

According to the Trend Micro team, there are two reasons why this event most likely occurred. The first is that some hotels do not ask for a CVV/CVC security code from guests who book online until the guests arrive, so by replacing the booking form, the hackers can attempt to capture this key data.

Secondly, it may be due to booking pages that host payment information in a different domain using HTML iframes in a bid to aid security. Iframes, or inline frames, are HTML documents that are embedded inside another HTML document on a website, often inserting content from another source.

"In this scenario, a regular JavaScript skimmer will not be able to copy the data inside the secure iframe," Trend Micro said. "Therefore, the attacker removes the iframe of the secured credit card form and injects his own form so the skimmer can copy the information."

The injected code will check to see which language is in use (such as English, Spanish, or French) and will add a corresponding malicious credit card form.

The injected code, which would appear on the payment page of the hotel websites, appears to have been active since Aug. 9, according to Trend Micro. Payment card details input by unwitting victims are harvested and sent to a remote server controlled by attackers. 
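The iframe swap described above leaves a visible trace in the rendered page: the payment iframe is gone and card fields sit in the parent document. The following is an added example, not code from Trend Micro or the article, of a check a monitoring job could run on a rendered DOM snapshot (taken after scripts have executed, for instance by a headless browser); the payment host and field-name hints are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy values for this example; not from the article.
PAYMENT_ORIGIN = "pay.example-psp.test"
CARD_HINTS = ("cc-number", "cc-csc", "cc-exp", "cardnumber", "cvv", "cvc")


class _Snapshot(HTMLParser):
    """Collects iframe hosts and card-like inputs from the top-level document."""

    def __init__(self):
        super().__init__()
        self.iframe_hosts = []
        self.card_inputs = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "iframe":
            self.iframe_hosts.append(urlparse(a.get("src", "")).hostname)
        elif tag == "input":
            # Card fields in the parent page are readable by any script on it.
            text = " ".join(a.get(k, "") for k in ("name", "id", "autocomplete"))
            if any(h in text for h in CARD_HINTS):
                self.card_inputs.append(a.get("name") or a.get("id") or "?")


def audit_payment_dom(rendered_html):
    """Return a list of findings for one rendered payment-page snapshot."""
    snap = _Snapshot()
    snap.feed(rendered_html)
    findings = []
    if PAYMENT_ORIGIN not in snap.iframe_hosts:
        findings.append("payment iframe missing")
    for name in snap.card_inputs:
        findings.append(f"card field outside iframe: {name}")
    return findings


# Constructed snapshots: the expected page, and one where the iframe was swapped for a form.
CLEAN = '<form><iframe src="https://pay.example-psp.test/card"></iframe></form>'
SWAPPED = ('<form><input name="cardNumber" autocomplete="cc-number">'
           '<input name="cvv"></form>')

if __name__ == "__main__":
    print(audit_payment_dom(CLEAN))
    print(audit_payment_dom(SWAPPED))
```

An empty list means the snapshot matches the expected layout; any finding is a reason to diff the page's scripts against the last known-good deployment.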

“This latest attack is an indicator that Magecart attacks are far from over,” said Deepak Patel, security evangelist at PerimeterX. “The modern web application stack relies on third-party scripts obtained from a variety of providers, not all of whom have strong security practices. Website owners lack visibility into the third-party scripts running on the users’ browsers within the context of their site. Many website owners are also unaware of all the first-party scripts running on their site.”

Patel said that, unfortunately, it is impossible for website users to discern if the website is compromised by a Magecart attack. In this latest attack, the skimmers presented a modified version of the checkout page to collect credit card CVV codes.

The attackers also used the sophisticated approach of localizing the content in many languages to appear authentic and to cast a wider net. The unsuspecting users saw the secure padlock next to the URL on the browser address bar and felt comfortable using the site.
 
“In addition to staying up to date with the latest versions of critical platform components, website owners need to take another step: get visibility and control of all the scripts running on their website, whether first- or third-party or another part of the supply chain,” Patel said. 

Trend Micro's findings follow the discovery of another Magecart-using group back in May. That group, known as Mirrorthief, compromised an e-commerce service provider used by American and Canadian universities.

“There are companies and services, which any website or service can buy, that will not only monitor what is going on within any particular website, but proactively look for signs of maliciousness and notify website owners when something is amiss,” Roger Grimes, data-driven defense evangelist at KnowBe4, told InfoSecurity. “Website and service owners don’t have to be surprised by things like this. They can proactively fight it. They just have to care enough to put the right controls in place.”