This article originally appeared in Hospitality Technology on September 20, 2019.
In a blog post from September 18, Security researchers at Trend Micro revealed that they discovered credit card stealing malware (Magecart) hiding in an online hotel reservation system. It found that two hotel websites – from two different hotel chains – had been compromised since August 9.
WHAT HAPPENED?
Two hotel websites were “injected” with a JavaScript code to load a remote script on their payment page when the payment page was requested from a mobile device. The script acted as a credit card skimmer and stole payment information. To make it seem even more legitimate, the attacker prepared credit card forms in eight languages: English, Spanish, Italian, French, German, Portuguese, Russian and Dutch which match the languages supported by the targeted hotel websites.
WHO WAS AFFECTED?
While TrendMicro isn’t revealing the name of the two hotel companies affected, it did say that the hotel websites were developed by Roomleader, a company from Spain that helps hotels build online booking websites. TrendMicro also revealed the size of the hotel companies. One brand has 107 hotels in 14 countries and the other has 73 hotels in 14 countries.
EXPERT COMMENTARY
HT spoke to two security experts about what this attack could mean for hospitality as a whole.
“This latest attack is an indicator that Magecart attacks are far from over,” said Deepak Patel, security evangelist at PerimeterX. “The modern web application stack relies on third-party scripts obtained from a variety of providers, not all of whom have strong security practices. Website owners lack visibility into the third-party scripts running on the users’ browsers within the context of their site. Many website owners are also unaware of all the first-party scripts running on their site.
“In addition to staying up to date with the latest versions of critical platform components, website owners need to take another step: get visibility and control of all the scripts running on their website, whether first- or third-party or another part of the supply chain,” Patel added.
Matan Or-El, Co-founder and CEO of Panorays agrees with Patel noting: “This latest attack on Roomleader shows that Magecart isn’t going away anytime soon. To avoid these attacks, organizations obviously need to do a better job securing their own servers. However, even organizations that look after their own servers’ security can become exposed through third-parties. Clearly, organizations must make it a priority to assess and manage the risk associated with third-parties in their cyber supply chain.”
Similarly, Usman Rahim, Digital Security and Operations Manager for The Media Trust says, “Managing the digital supply chain is difficult because it requires the right tools and expertise. When third party code suppliers deliver code to users through browser and not through a tool that the website publisher/owner uses, the owner has little control of what happens and can’t monitor when something’s afoot. If a third party provides or supports the web application, iframes will fall victim to attack. The only way to protect users is to know who’s providing what code and what that code does to users.”