Card skimming Magecart malware that attacked British Airways in 2018 now targets hotel chains

Two international hotel chains with 180 locations in 14 different countries were recently targeted by a Magecart malware attack. The attack uses script injection to steal credit card information on the checkout page.

Security researchers at Trend Micro said the Magecart malware is lurking in an online hotel reservation system developed by Roomleader, a Barcelona-based web solution provider in the hospitality sector. The security researchers did not name the hotel chains.

How Magecart works

Like most data-skimming malware, Magecart injects malicious code into websites through their vulnerabilities. The code follows users to the checkout page, where personal and credit card details are copied and sent to the attacker's server.

While most hotel reservation systems do not require users to enter their card security code (CVV), which is instrumental in completing the payment process, this Magecart attack, unfortunately, is able to display a counterfeit CVV field.

In addition, the attacker behind the attack made sure to provide translations for French, German, Dutch, Italian, Russian, Portuguese, and Spanish users. These languages are spoken in the 14 countries where the two hotel chains operate.
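
For site operators, the two symptoms described above (a script the page should not be loading and a CVV field the real booking form does not have) can be checked for on a rendered snapshot of the checkout page. The following is an added example, not code from Trend Micro or Roomleader; the host names, the allowlist and the assumption that the genuine form has no CVV field are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumptions (not from the article): the hosts this booking page may load
# scripts from, and that the genuine form never asks for a CVV.
ALLOWED_SCRIPT_HOSTS = {"booking.example-hotel.test", "cdn.example-hotel.test"}
CVV_HINT = re.compile(r"cvv|cvc|csc|security[-_ ]?code", re.I)


class CheckoutAudit(HTMLParser):
    """Collects scripts from unexpected hosts and CVV-like input fields."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            # Relative URLs have no hostname: they load from the page's own host.
            host = urlparse(a["src"]).hostname or self.page_host
            if host not in ALLOWED_SCRIPT_HOSTS:
                self.findings.append(("unexpected-script-host", host))
            elif host != self.page_host and not a.get("integrity"):
                # Allowed third-party script with no Subresource Integrity hash.
                self.findings.append(("script-without-sri", host))
        elif tag == "input":
            keys = ("name", "id", "autocomplete", "placeholder")
            if CVV_HINT.search(" ".join(a.get(k, "") for k in keys)):
                self.findings.append(("unexpected-cvv-field", a.get("name") or a.get("id")))


def audit_checkout(html, page_host):
    parser = CheckoutAudit(page_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: rendered booking page markup with an injected script and field.
SAMPLE = """
<script src="/static/booking.js"></script>
<script src="https://cdn.example-hotel.test/lib.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://stats.example-skimmer.test/m.js"></script>
<form><input name="card_number" autocomplete="cc-number">
<input name="card_cvv" autocomplete="cc-csc"></form>
"""

if __name__ == "__main__":
    for kind, detail in audit_checkout(SAMPLE, "booking.example-hotel.test"):
        print(kind, detail)
```

The check only sees what is in the markup it is given, so it should be fed the DOM as rendered in a browser session rather than the raw server response, since a skimmer can add its field at runtime.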

British Airways attack

The Magecart method has been used in many high-profile cyberattacks. The Baseball Hall of Fame's online store was the latest victim. But so far, British Airways is the biggest casualty.

Magecart was used to attack the UK's flag carrier last year, compromising the personal information and credit card credentials of over 380,000 passengers. It ended up being a costly debacle after the UK Information Commissioner's Office fined the airline about US$229.2 million for violating the European Union's General Data Protection Regulation (GDPR).

Avoiding malware attacks

It's always the responsibility of businesses to protect their consumers from malicious attacks. However, the protection they can give to consumers may have limitations, especially if there are third parties (like payment gateways) necessary to deliver the service. One way for users to avoid falling victim to malware attacks like this is to keep tabs on charges to their credit or debit cards and report to their banks any unauthorized charges.