Roomleader, a digital marketing and web development services provider that helps hospitality companies build out their online booking functionality, was the victim of a Magecart attack, according to a Trend Micro report. Its library module saves viewed hotel information in visitors’ browser cookies. The attackers injected malicious code into Roomleader’s “Viewed Hotels” module, initiating a supply chain attack that has so far infected two hotel chains, one with 107 hotels in 14 countries and the other with 73 hotels in 14 countries.
2 Hotel Chains Infected with #Magecart Skimmer via #SupplyChain Attack at #Marketing Firm #Roomleader https://t.co/xcUZQIMQHm #cybercrime #infosec #hospitality https://t.co/YP3SoFvPQe
— Neira Jones (@neirajones) September 19, 2019
Managing the digital supply chain is difficult because it requires the right tools and expertise. When third-party code suppliers deliver code to users through the browser rather than through a tool that the website publisher or owner controls, the owner has little control over what runs on the page and cannot monitor when something is afoot. If a third party provides or supports the web application, the iframes it supplies are exposed to the same attack. The only way to protect users is to know who is providing what code and what that code does to users.
This latest attack on Roomleader shows that Magecart isn’t going away anytime soon. The attack was designed to steal data from payment forms, including credit card details, names and addresses. To accomplish this, the attackers even went so far as to translate their fraudulent forms into eight different languages and to create a replacement form that asked for Card Verification Code (CVC) numbers. To avoid these attacks, organizations obviously need to do a better job of securing their own servers. However, even organizations that look after their own servers’ security can become exposed through third parties. Clearly, organizations must make it a priority to assess and manage the risk associated with third parties in their cyber supply chain.