Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites
Trend Micro analyzed a recent series of attacks by the Magecart threat group in which the group's credit card skimming malware targeted the booking sites of hotel chains. Toward the beginning of September, they discovered JavaScript code injected into the payment pages of two hotel websites, each associated with a different chain.
The injected JavaScript loads a remote script and appears to have been present in the source code of the website since August 9th. Both hotel chains’ websites were developed by “Roomleader,” a hotel website development company based in Spain. The attackers' target in the code was the “viewedHotels” module, a script used for saving the viewed hotel information in the visitor’s browser cookies.
The skimmer itself is designed to steal credit card information, names, telephone numbers, and hotel room preferences from the payment forms on the website. The stolen data is encrypted using RC4 with a hardcoded key, “F8C5Pe4Q,” and then XOR encrypted. The data is exfiltrated using an HTTP POST request to a TLS-encrypted website masquerading as a Google tracker URL.

Indicators of Compromise
- googletrackmanager.com
- ac58602d149305bd2331d555c15e6292bd5d09c34ade9e5eebb81e9ef1e7b312
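
The following is an added example, not code from the original report: a check that a site owner could run over saved copies of their booking pages to look for the indicators above. The function names and the sample page are constructed for illustration, and the hash is assumed to be a SHA-256 file hash.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators listed on this page; the hash is assumed to be a SHA-256 file hash.
IOC_DOMAIN = "googletrackmanager.com"
IOC_SHA256 = "ac58602d149305bd2331d555c15e6292bd5d09c34ade9e5eebb81e9ef1e7b312"

class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from one page."""
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._open = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._open = True
            self.inline.append("")
            self.srcs.append(dict(attrs).get("src") or "")
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = False
    def handle_data(self, data):
        if self._open:
            self.inline[-1] += data

def host_matches(url, domain=IOC_DOMAIN):
    """True if the URL's host is the IoC domain or one of its subdomains."""
    host = (urlparse(url if "//" in url else "//" + url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)

def scan_page(html, saved_scripts=None):
    """Return (finding, detail) pairs. saved_scripts: {url: bytes} fetched earlier."""
    p = ScriptCollector()
    p.feed(html)
    found = [("ioc-script-src", s) for s in p.srcs if host_matches(s)]
    found += [("ioc-domain-inline", i) for i, b in enumerate(p.inline)
              if IOC_DOMAIN in b.lower()]
    for url, data in (saved_scripts or {}).items():
        if hashlib.sha256(data).hexdigest() == IOC_SHA256:
            found.append(("ioc-sha256", url))
    return found

# Constructed sample page, not the real injected code.
SAMPLE = """<script src="/js/viewedHotels.js"></script>
<script src="https://cdn.googletrackmanager.com/placeholder.js"></script>
<script>var u = "//googletrackmanager.com/placeholder.js";</script>
<script src="https://notgoogletrackmanager.com/a.js"></script>"""

if __name__ == "__main__":
    print(scan_page(SAMPLE))
```

The number reported with `ioc-domain-inline` is the zero-based position of the `<script>` element on the page. Host matching is exact on the domain and its subdomains, so a lookalike such as the last sample entry is not flagged.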

I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.