Staff member
Malware Hunter
We discovered a series of incidents where the credit card skimming attack Magecart was used to hit the booking websites of chain-brand hotels — the second time we’ve seen a Magecart threat actor directly hit ecommerce service providers instead of going for individual stores or third-party supply chains. Back in May, we discovered a new Magecart-using group called “Mirrorthief,” which compromised an ecommerce service provider used by American and Canadian universities.

In early September, we found two hotel websites (from different hotel chains) that were being injected with a JavaScript code to load a remote script on their payment page since August 9. When we first checked the script’s link, it downloaded a normal JavaScript code. However, we found that the same link could also download a different script when we requested it from mobile devices like Android or iOS phones. The downloaded script for mobile devices is a credit card skimmer which can steal the information entered on the hotel booking page and send it to a remote server.

We found both of the affected hotel websites were developed by Roomleader, a company from Spain that helps hotels build their online booking websites. The malicious code wasn’t injected directly into the website but rather into the script of Roomleader’s module called “viewedHotels” that was provided to its clients and subsequently used for two websites of two different hotel chains. Despite the seemingly small number of affected sites, we still consider the attack significant given that one of the brands has 107 hotels in 14 countries while the other has 73 hotels in 14 countries. Note that we have reached out to Roomleader regarding this issue.

The script injected into the hotel booking website

VT 2/56


Level 24
Does the Netcraft extension protect you against this?
Protection against malicious JavaScript — Prevent your credit card details from being stolen by shopping site skimmers or your computer's processing power being harvested by web miners. Netcraft has been detecting shopping site skimmers, web miners, and other malicious JavaScript since 2017. The extension blocks sites that we have found to be compromised with malicious JavaScript. Additionally, it detects JavaScript that we have identified as being malicious, blocks pages that use it from loading, and automatically reports them to Netcraft to protect the rest of the community.