Trend Micro has just published the following findings: Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites.
Forbes is reporting on the findings, noting that Trend Micro discovered credit card skimming malware in the reservation systems of two international hotel chains. The significant attack affects hotel chains with over 180 locations in 14 different countries.
The affected hotel reservation platforms were developed by Roomleader, a company from Spain that helps hotels build their online booking websites. The malicious code wasn’t injected directly into the website but rather into the script of Roomleader’s module called “viewedHotels” that was provided to its clients and subsequently used for two websites of two different hotel chains. The malware is Magecart, which has been responsible for several other high profile cases in the past year.
Key Points:
- Reservation systems affected by credit card skimming malware encompass over 180 hotel locations and 14 different countries.
- Magecart skimming malware attacked reservation platform developed by Barcelona hospitality provider Roomleader
- The names of two hotel chains and the extent of attack are unknown
This is a combination of two major attack types: credit card skimming malware and a “supply chain” attack. Credit card skimming malware being injected at legitimate customer sites has been an ongoing problem for many years, and seems likely not to abate anytime soon. Attacking supply chains, which provide code and other services to larger services and sites has also been a problem for years, but seems to be growing at an exponential pace just the last year or two. The fix for both is for the customer and the supplier to not only implement better cybersecurity controls to prevent things like this from happening in the first place, but also to monitor their sites and services, looking for unauthorized changes and signs of maliciousness.
Sadly, most companies really have no idea what is running on their websites. On most mature websites, there are 30 to 80 different “foreign” pieces of code coming in from all sorts of provided supplies – each providing either some sort of customer service, ad placement, or customer metric collection. Most companies really don’t understand what is running on their websites at any one time, after losing track of what was really running on them many years ago. As long as the customers aren’t complaining, they don’t think they have a problem. There are companies and services, which any website or service can buy, that will not only monitor what is going on within any particular website but proactively look for signs of maliciousness and notify website owners when something is amiss. Website and service owners don’t have to be surprised by things like this. They can proactively fight it. They just have to care enough to put the right controls in place.