- Two large hotel chains have had their payment webpages compromised by card skimming scripts.
- The Magecart campaign relies on code injected into a module supplied by the hotels' website developer.
- The actors are using their own custom fake payment form to steal the credit card data directly.
Both hotel chains had their websites built by a firm called “Roomleader”, and it was one of this company’s modules that the Magecart actors compromised. This means that the campaign is based on a supply chain flaw and that there must be a lot more hotel chains affected besides the two that were discovered by Trend Micro. Even if the problem were confined to these two chains, it would still be an extensive one, since the first has 107 hotels in 14 countries and the other has 73 hotels in 14 countries.
The actors have even gone to the trouble of translating their fake form into eight languages, checking which language the victim is using on their system and injecting the corresponding version of the form. This makes the fake form look more legitimate and helps to trick customers. Unfortunately, Trend Micro hasn’t revealed which two hotel chains were compromised, so people who have made a booking via the chains' mobile websites since August 9 cannot determine whether their credit card details have been stolen.