People using mobile apps to book hotel rooms for their vacations have been targeted by a skimming attack.
Research by cybersecurity company Trend Micro discovered that a series of incidents took place earlier this month in which the booking websites of two well-known hotel chains were hit by credit card–skimming malware known as Magecart.
Both websites affected were developed by Spanish company Roomleader. One of the impacted brands has 73 hotels in 14 countries and is comparable in size and geographical distribution to Exe Hotels. The other undisclosed chain has 107 hotels in 14 countries and is comparable in size and geographical distribution to Eurostars Hotels. Exe and Eurostars both have websites powered by Roomleader.
Attackers were able to pilfer data by replacing the original credit card form on the booking page of each website with a fake one, then stealing the data entered into the imposter form by the user. In this case, the thieves made off with users’ names, email addresses, telephone numbers, credit card details, and hotel room preferences.
The researchers theorized that the reason why the attackers went to the trouble of creating a fake form may have been that the original form didn’t ask users to fill in their credit card’s card verification number, known as a CSC, CVV, or CV2.
To make the switch appear more legitimate, the digital bandits even prepared credit card forms in the eight different languages supported by the targeted hotel websites.
Trend Micro’s findings follow the discovery of another Magecart-using group by the company back in May of this year. That group, known as Mirrorthief, compromised an e-commerce service provider used by American and Canadian universities.
Roger Grimes, data-driven defense evangelist at KnowBe4, commented: “There are companies and services, which any website or service can buy, that will not only monitor what is going on within any particular website, but proactively look for signs of maliciousness and notify website owners when something is amiss. Website and service owners don’t have to be surprised by things like this. They can proactively fight it. They just have to care enough to put the right controls in place.”