[BreachExchange] Hotel websites infected with skimmer via supply chain attack

Destry Winant destry at riskbasedsecurity.com
Fri Sep 20 10:00:42 EDT 2019


A Magecart card-skimming campaign this month sabotaged the mobile
websites of two hotel chains by executing a supply chain attack on a
third-party partner, researchers have reported.

The third party in both instances was Roomleader, a Barcelona-based
provider of digital marketing and web development services. One of the
ways Roomleader helps hospitality companies build out their online
booking functionality is through a library module called
“viewedHotels,” which saves viewed hotel information in visitors’
browser cookies.

Both of the affected hotel chains implemented this module, which the
adversaries had infected with malicious JavaScript after first
compromising Roomleader, according to Trend Micro, whose researchers
discovered the attacks and disclosed them in a company blog post
today. The lodging chains were not named, but one has 107 hotels in 14
countries and the other has 73 hotels in 14 countries.

As is typical with Magecart attacks, the skimmer was designed to steal
data from payment forms, including credit card details, names, email
addresses, telephone numbers and hotel room preferences. This
information is doubly encrypted and exfiltrated to the attackers, who
can then decrypt and view it.

Although the skimmer code is capable of swiping data from both PC and
mobile browsers, the Magecart actors specifically programmed the
malware to only deliver the skimmer to mobile users. Desktop users, on
the other hand, received normal JavaScript copied from GitHub,
“likely because the threat actor behind it wants to avoid detection
from PC-based security software,” explained Trend Micro fraud
researcher Joseph Chen in the blog post.

Interestingly, the skimmer was also programmed to replace mobile
websites’ normal payment forms with a slightly different version
created by the attackers. The attackers even went as far as to
translate the fraudulent forms into eight different languages, to
match the various languages supported by the targeted hotel websites.

Trend Micro offered a reason for this: Certain hotel booking forms
don’t ask for Card Verification Code (CVC) numbers in advance because
the customer can simply pay upon arriving at the hotel. This doesn’t
help the attackers, so they created a replacement form that asks for
these security numbers.

There is also a second possible motive: “…Sometimes, the booking page
will host the credit card form in a different domain using an HTML
iframe element to make it more secure,” Chen wrote. “In this scenario,
a regular JavaScript skimmer will not be able to copy the data inside
the secure iframe. Therefore, the attacker removes the iframe of the
secured credit card form and injects his own form so the skimmer can
copy the information.”
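The iframe removal and form injection described above leave a detectable trace in the checkout page's DOM. The following is an added example, not code from the article or from Trend Micro or Roomleader: a client-side integrity audit that flags a missing payment-provider iframe, card fields appearing in the merchant's own DOM, and scripts from non-allow-listed origins. The origins, the reporting endpoint and the field-name pattern are placeholders chosen for illustration.

```javascript
// Added example (assumed placeholders): the trusted payment-provider iframe
// origin, the merchant's allow-listed script origins and the report endpoint.
const TRUSTED_CARD_IFRAME_ORIGIN = "https://pay.example-psp.test";
const ALLOWED_SCRIPT_ORIGINS = ["https://www.example-hotel.test", "https://cdn.example-hotel.test"];
// Field names that indicate raw card data; these belong inside the PSP iframe only.
const CARD_FIELD_PATTERN = /(card.?num|cc[-_]?num|cvc|cvv|csc|expir)/i;

function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return ""; }
}

// The audit runs over a plain snapshot (array of {tag, src, name, id, autocomplete})
// so the logic is testable outside a browser; buildSnapshot() fills it from a DOM.
function auditCheckout(snapshot) {
  const findings = [];
  const hasTrustedIframe = snapshot.some(
    e => e.tag === "iframe" && originOf(e.src) === originOf(TRUSTED_CARD_IFRAME_ORIGIN));
  if (!hasTrustedIframe) findings.push("payment iframe missing");
  for (const e of snapshot) {
    if (e.tag === "input") {
      const label = [e.name, e.id, e.autocomplete].filter(Boolean).join(" ");
      if (CARD_FIELD_PATTERN.test(label)) findings.push(`card field in merchant DOM: ${label}`);
    }
    if (e.tag === "script" && e.src && !ALLOWED_SCRIPT_ORIGINS.includes(originOf(e.src))) {
      findings.push(`script from unexpected origin: ${originOf(e.src)}`);
    }
  }
  return findings;
}

function buildSnapshot(doc) {
  return Array.from(doc.querySelectorAll("iframe, input, script")).map(el => ({
    tag: el.tagName.toLowerCase(),
    src: el.getAttribute("src") || "",
    name: el.getAttribute("name") || "",
    id: el.id || "",
    autocomplete: el.getAttribute("autocomplete") || "",
  }));
}

// In a browser, re-audit on every DOM mutation (the moment the iframe is swapped
// out for an injected form) and report findings to the placeholder endpoint.
if (typeof document !== "undefined" && typeof MutationObserver !== "undefined") {
  const report = () => {
    const findings = auditCheckout(buildSnapshot(document));
    if (findings.length) navigator.sendBeacon("/integrity-report", JSON.stringify(findings));
  };
  new MutationObserver(report).observe(document.documentElement, { childList: true, subtree: true });
  report();
}
```

The audit only detects the manipulation; it does not stop it, so it complements rather than replaces Subresource Integrity and a Content Security Policy on the booking page.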

DigitalMunition has reached out to Roomleader for comment.
