{
	"id": "de959179-501b-4be2-8ede-ffca4294a482",
	"created_at": "2026-04-06T00:22:37.7972Z",
	"updated_at": "2026-04-10T03:24:11.658171Z",
	"deleted_at": null,
	"sha1_hash": "98a8f2b5b7f8b857c29ae388ac1eebfc6c8844d3",
	"title": "Magecart Targets Hotel Booking Websites on Mobile",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 76470,
	"plain_text": "Magecart Targets Hotel Booking Websites on Mobile\r\nBy Joseph C Chen\r\nPublished: 2019-09-18 · Archived: 2026-04-05 22:32:52 UTC\r\nWe discovered a series of incidents where the credit card skimming attack Magecart was used to hit the booking websites of chain-brand hotels — the second time we’ve seen a Magecart threat actor directly hit ecommerce service providers instead of going for individual stores or third-party supply chains. Back in May, we discovered a new Magecart-using group called “Mirrorthief,” which compromised an ecommerce service provider used by American and Canadian universities.\r\nIn early September, we found two hotel websites (from different hotel chains) that had been injected with JavaScript code that loads a remote script on their payment page, starting on August 9. When we first checked the script’s link, it downloaded normal JavaScript code. However, we found that the same link could also download a different script when we requested it from mobile devices like Android or iOS phones. The downloaded script for mobile devices is a credit card skimmer which can steal the information entered on the hotel booking page and send it to a remote server.\r\nWe found both of the affected hotel websites were developed by Roomleader, a company from Spain that helps hotels build their online booking websites. The malicious code wasn’t injected directly into the website but rather into the script of Roomleader’s module called “viewedHotels” that was provided to its clients and subsequently used for two websites of two different hotel chains. Despite the seemingly small number of affected sites, we still consider the attack significant given that one of the brands has 107 hotels in 14 countries while the other has 73 hotels in 14 countries. Note that we have reached out to Roomleader regarding this issue.\r\nThe script injected into the hotel booking website\r\nFigure 1. Infection chain of the Magecart skimming attack on the online hotel booking websites\r\nAs mentioned, the injection was done on a JavaScript library of Roomleader’s “viewedHotels” module located at hxxps://[hotel website]/modulos/viewedHotels/templates/public/js/history_setter[.]js. This library is used for saving the viewed hotel information in the visitor’s browser cookies. The attacker injected the malicious code in the middle of the original script.\r\nThe injected code first checks if an HTML element with the ID “customerBookingForm” is present on the webpage to make sure it is running on the hotel’s booking page. If the injected code finds that it is not running on the booking page, it sleeps for one second and checks again, repeating until the booking page appears. Once the code detects the booking page, it checks if the browser debugger is closed and then loads another JavaScript file from the URL hxxps://googletrackmanager[.]com/gtm[.]js — which is where the card skimmer code is actually located. It’s worth noting that the style of the URL is meant to emulate the legitimate URL used by Google Tag Manager.\r\nFigure 2. The injected script (highlighted) in the JavaScript library used by hotel websites\r\nAnalysis of the credit card skimmer\r\nWhen we first connected to the skimmer URL, it returned normal JavaScript code copied from the GitHub project detect-mobile-browser. However, we suspected it was not the real payload because the code isn’t actually used by the affected websites.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/\r\nPage 1 of 3\r\nUpon further testing of the URL, we found that it downloaded a different script when we made a request using an HTTP User-Agent from a mobile device. This script turned out to be a credit card skimmer. Although we found the skimmer to work on both PC and mobile browsers, it seems the attacker only targeted mobile users. This is most likely because the threat actor behind it wants to avoid detection by PC-based security software. The skimmer is not a new one — we’ve seen instances where it was used by other groups. Most likely, it is a general skimmer that is shared via underground forums.\r\nFigure 3. The different scripts downloaded from the skimmer URL for desktop and mobile\r\nThe credit card skimmer is designed to steal data from payment forms. The skimmer hooks its function to the JavaScript events “submit” and “click,” which are usually triggered when people submit a payment or a booking. When the hooked event is triggered, the skimmer checks if the browser debugger is closed. Then it copies the name and value from every “input” or “select” HTML element on the booking page. In this case, the gathered information includes names, email addresses, telephone numbers, hotel room preferences, and credit card details.\r\nThe copied information is encrypted using RC4 with a hardcoded key: “F8C5Pe4Q”. Next, the skimmer generates a random string and uses it to XOR-encode the encrypted data a second time. The data is then sent via HTTP POST to the remote URL “https://googletrackmanager[.]com/gtm.php?id=” with the generated random string appended at the end. Upon receipt of the information, the attacker can then decrypt the data and collect the credit card information.\r\nFigure 4. Credit card skimmer code to steal information from hotel booking page\r\nMagecart replaces the original booking page with a fake one\r\nAlthough the skimmer itself is not unique, we found that it removes the original credit card form on the booking page and injects another one prepared by the threat actor. We theorize two possible reasons for this. The first is that some hotels don’t ask customers to make online payments but instead ask them to pay at the hotel upon arrival. In cases like this, the booking form will ask for credit card information but without the CVC number. To ensure that all credit card information is captured, the attacker replaces the original form with one that contains a CVC number field.\r\nThe second possible reason is that, sometimes, the booking page hosts the credit card form on a different domain using an HTML iframe element to make it more secure. In this scenario, a regular JavaScript skimmer will not be able to copy the data inside the secure iframe. Therefore, the attacker removes the iframe of the secured credit card form and injects his own form so the skimmer can copy the information.\r\nFigure 5. The original credit card form (above) from the hotel website and the injected form (below) from the skimmer\r\nFigure 6. The skimmer script used to remove the original form from the booking page and replace it with the fake one\r\nTo make it seem more legitimate, the attacker also prepared credit card forms in eight languages: English, Spanish, Italian, French, German, Portuguese, Russian, and Dutch. These languages match the languages supported by the targeted hotel websites. The skimmer checks which language the customer is using for the website and injects the corresponding fake credit card form into the page.\r\nFigure 7. The eight languages of the fake credit card form inside the skimmer\r\nWe were unable to find any strong connections to previous Magecart groups based on the network infrastructure or the malicious code used in this attack. However, it’s possible that the threat actor behind this campaign was also involved in previous campaigns.\r\nConclusion\r\nRecent incidents involving credit card skimmers like Magecart emphasize the need for businesses to secure their websites from potential compromise by implementing security best practices, which include regularly updating software to the latest versions and segregating networks to ensure that as little customer data as possible is exposed.\r\nFurthermore, users can consider using payment systems such as Apple Pay and Google Pay, which offer additional authentication methods — minimizing the chance that attackers will be able to use the credit card even if they manage to collect the card’s details. The following Trend Micro solutions protect users and businesses by blocking the scripts and preventing access to the malicious domains:\r\nTrend Micro™ Security\r\nSmart Protection Suites and Worry-Free™ Business Security\r\nTrend Micro Network Defense\r\nHybrid Cloud Security\r\nIndicators of Compromise (IoCs)\r\nSHA-256 Hash / URL | File Name | Details | Detection name\r\nac58602d149305bd2331d555c15e6292bd5d09c34ade9e5eebb81e9ef1e7b312 | gtm.js | Credit card skimmer | TrojanSpy.JS.MAGECART\r\ngoogletrackmanager[.]com |  | Magecart domain |  \r\nWith special thanks to our colleagues at abuse.ch and The Shadowserver Foundation for helping to take down the Magecart domain.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/"
	],
	"report_names": [
		"magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434957,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98a8f2b5b7f8b857c29ae388ac1eebfc6c8844d3.pdf",
		"text": "https://archive.orkl.eu/98a8f2b5b7f8b857c29ae388ac1eebfc6c8844d3.txt",
		"img": "https://archive.orkl.eu/98a8f2b5b7f8b857c29ae388ac1eebfc6c8844d3.jpg"
	}
}