The Many Ways Magecart Can Hack Travel Sites

From airlines to hotel chains to business aggregators, the travel and hospitality industry has a target on its back for Magecart attacks.

Two mid-sized hotel chains, with more than 180 hotel properties between them, fell victim to a Magecart attack in 2019 when Roomleader, a third-party digital marketing service provider to both chains, was compromised. Roomleader serves other hotel chains as well, so it’s likely that other Magecart attacks went undetected or were never disclosed.

On the airline side, British Airways suffered a major Magecart attack, reported in the summer of 2018, that allowed cybercriminals to skim payment information from more than 380,000 customers who had purchased flights or other services from the site.

More broadly, Magecart attacks have multiplied over the past two years. As of 2019, researchers had identified more than two million Magecart attacks in the wild. The online travel segment is an attractive target due to the sheer volume of people shopping; before the pandemic, Euromonitor had forecast nearly $1.5 trillion in online travel purchases per year by 2024, accounting for 52% of all travel sales.

Magecart is the name given to a growing number of attacks by various hacker groups that use digital skimming against e-commerce websites and mobile applications, including those of travel and hospitality companies.

In a Magecart incident, an attacker inserts unauthorized malicious code into a company’s web application. The code could be injected into proprietary JavaScript code if the hacker somehow gains access to the site’s code base; this is what happened during the attack on British Airways.

Alternatively, the code could be inserted into third-party JavaScript services or open-source libraries, which together typically make up over 70% of all website code today. The malicious code can access or modify items on a web page and read user data, including credit card numbers. The modified code then sends the stolen data to a server somewhere in the world. Researchers have identified dozens of different types of JavaScript digital skimming exploits that can be grouped under the Magecart umbrella.

This type of attack has resulted in billions of dollars in damage and fines for travel sites: the UK government fined British Airways $27.5 million for allowing a Magecart attack to run for two weeks and for not sufficiently protecting visitors and customers of its site.

Protecting yourself against Magecart attacks is exceptionally difficult because there are so many places an attacker could hide code and so many ways to hide unauthorized code changes. Let’s take a look at how popular sites are built and how the different components could translate into different potential attack surfaces for Magecart. (These are examples and do not mean that these sites or components have been compromised.)

The third-party provider

This is the checkout page of an online travel agency that offers activity and travel search and reservations worldwide. Here is a screenshot of the site’s shopping cart, viewed with DevTools (or “Inspector Mode”) to see the page code. The blue bar highlights a JavaScript call to FlipDesk, a customer service module that runs on this page as well as on pages where payment data is requested. If FlipDesk were compromised, the site owner would have a hard time noticing any difference, and Magecart gangs would be able to collect a huge volume of payment data. That said, more sophisticated Magecart attacks can sniff data on payment pages after infecting users from other pages of a site or mobile app.

Direct hacking into the site code

In the case of RoomLeader, a marketing and reservation service provider for hotel chains, researchers reported that attackers had directly hacked into its site code. There, the attackers installed a skimmer that harvested payment data from the shopping pages viewed by mobile users.

You can see the attack script above. The Magecart attackers were careful to make their script look like code from Google Tag Manager, a widely used tag management system created by Google to handle the JavaScript and HTML tags used for tracking and analytics on websites. The attackers further concealed the attack by not delivering the skimmer and fake payment page until a mobile browser user agent was detected, indicating that the user making the payment was on a mobile phone.

Security researchers are more likely to investigate websites from a desktop browser than from a mobile device, and this is one of the many concealment techniques used in Magecart attacks.

External storage and CDNs can hide

This is another snippet from a leading OTA. The highlighted section contains a tag loading JavaScript code from Amazon S3, Amazon’s online storage buckets. Many companies store scripts in S3 and load them remotely. Unfortunately, if an Amazon S3 bucket is not properly secured or is misconfigured, Magecart attackers can easily modify the content stored in these buckets to turn them into skimmer delivery systems. In April 2019, a Magecart attack affected 17,000 Amazon S3 buckets.

Magecart attackers have also compromised content served by content delivery networks (CDNs). In one case, the attack hit customers using Amazon’s CloudFront CDN. It is not clear whether the attackers succeeded in manipulating the CDN settings or whether this was a change to the origin server from which the CDN pulled content (for CloudFront, this is in many cases an S3 bucket).

CDNs are networks that deliver commonly used content items – images and scripts, among others – from a distributed network that caches those items closer to end users. This speeds up the loading of apps and websites. OTAs often use CDNs to host JavaScript code to further speed up actions performed by JavaScript.

Travel must protect itself closely against Magecart attacks

These are just a few of the vectors through which Magecart can attack OTAs, airlines, hotel sites and other travel businesses. There are many more. JavaScript is ubiquitous in websites and mobile apps. Wherever there is JavaScript, there is the potential for a Magecart attack.

In 2022, OTAs and other travel sites will be among the juiciest targets due to the high volume of users entering financial data and the continued replacement of offline shopping, which is faster and more advanced in travel than in some other areas of commerce.

These companies should take extra care to ensure that their site code has not been changed. And they must protect users, to protect their brands and avoid potentially large GDPR and CCPA fines, by using technology that can detect JavaScript misbehavior in live interactions and identify skimming activity before it affects real victims.

Magecart is taking off, hijacking more and more sites. OTAs and travel sites can save themselves major financial problems and risks by acting in advance to contain this threat.

About the Author…

Avishai Shafir is Director of Product Management at PerimeterX.