BETA
This is a BETA experience. You may opt-out by clicking here

More From Forbes

Edit Story

Credit Card Stealing Malware Strikes Websites Of Two International Hotel Chains

Following
This article is more than 4 years old.

Security researchers at Trend Micro recently discovered credit card-swiping malware lurking in an online hotel reservation system. According to their investigation, the malware targeted a pair of international hotel chains with total of 180 locations in 14 different countries.

The malware used in the attack, Magecart, has been implicated in dozens of other high-profile incidents. Most recently, the Baseball Hall of Fame's online shop was hit. 380,000 British Airways customers had their credit cards stolen in a similar attack just over a year ago.

Magecart attackers use a technique known as script injection which involves exploiting vulnerabilities in e-commerce platforms and forcing them to run untrusted code. The injected scripts go to work during the checkout process.

Sometimes the scripts merely steal the data that's entered. Often that's good enough, but it wasn't in this case.

This was a hotel reservation system, after all, and plenty of hotels will let you secure a room without actually paying for it online. The forms they use for those reservations don't generally ask for the CVV code on the back of your credit card.

That creates a problem for would-be card skimmers. Without the CVV, the stolen cards have limited value.

The criminals behind this attack coded a simple fix. In addition to injecting the usual skimming code they also built a lookalike form that included a CVV field.

Another step they took was translating the form into Dutch, English, French, German, Italian, Portuguese, Russian and Spanish. Trend Micro notes that he translations line up with the 14 countries where the two hotel chains operate.

Worryingly, the platform that the attackers compromised wasn't used solely by the two chains. The system itself is the work of Roomleader, a Barcelona-based provider of solutions for the hospitality industry.

Trend Micro has been in contact with Roomleader regarding the attack. The names of the affected chains and full extent of the attack are not yet known.

I've reached out to Roomleader for comment and will update this post with any official information that is provided.