The many ways Magecart can hack travel sites

From airlines to hotel chains to activity aggregators, the travel and hospitality industry has a bullseye on its back for Magecart attacks.

Two mid-sized hotel chains, with more than 180 hotel properties between them, were victims of a Magecart attack in 2019 when a third-party supplier of digital marketing services to both chains, Roomleader, was compromised. Roomleader serves other hotel chains, so it's likely that other Magecart attacks went undetected or were never disclosed.

On the airline front, British Airways suffered a significant Magecart attack that was reported in the summer of 2018, allowing cybercriminals to lift payment information for over 380,000 customers who had purchased flights or other travel services.

More broadly, Magecart attacks have proliferated over the past two years. Since 2019, researchers have identified over two million instances of Magecart attacks in the wild. The online travel segment is an enticing target due to the sheer volume of people making purchases; pre-pandemic, Euromonitor had forecast nearly $1.5 trillion in online travel purchases per year by 2024, accounting for 52% of all travel sales.

Magecart is the name for a growing number of malicious attacks perpetrated by various hacker groups that target e-commerce websites and mobile apps, including those of travel and hospitality companies, with digital skimming attacks.

In a Magecart incident, an attacker inserts unauthorized malicious code into a company’s web application. The code could be injected into first-party JavaScript code if the hacker somehow gains access to the site’s codebase; this is what transpired in the British Airways attack.

Alternatively, the code could be inserted into third-party JavaScript services or into open source libraries that together typically make up over 70% of all website code today. The malicious code can access or modify elements on a web page and skim user data including credit card numbers. The modified code then sends the stolen data to a server somewhere in the world. Researchers have identified dozens of different types of JavaScript digital skimming exploits that could be grouped under the Magecart umbrella.

This toxic attack type has resulted in billions of dollars of damages and fines to travel sites: the British government fined British Airways $27.5 million for allowing a Magecart attack to transpire over two weeks and for not sufficiently protecting its site visitors and customers. 

Guarding against Magecart attacks is exceptionally difficult because there are so many places an attacker could hide code and so many ways to hide unauthorized code modifications. Let’s look at how popular sites are built and how the different components could translate into different potential attack surfaces for Magecart. (These are example and do not mean these sites or components have been compromised.)

The third-party vendor

This is the page of an online travel agency that provides activity and travel search as well as bookings on a global basis. Here is a screenshot of the site’s shopping cart using DevTools (or “Inspector Mode”) to see the site code. The blue bar is highlighting a JavaScript call-in to FlipDesk, a customer service module that runs on this page as well as on pages where payment data is requested. If FlipDesk was compromised, then the site owner would struggle to notice any difference and the Magecart gangs would be able to collect a huge volume of payment data. That being said, more sophisticated Magecart attacks can sniff payment page data after infecting users from other pages on a site or mobile app.

Hacking directly into site code

In the case of RoomLeader, a provider of marketing and booking services for hotel chains, researchers reported that malicious attackers hacked directly into their site code. There the attackers installed a skimmer that would harvest payment data from purchase pages accessed by mobile users.

You can see the attack script above. The Magecart attackers took care to make their script resemble code for Google Tag Manager, a widely used tag management system created by Google to manage JavaScript and HTML tags used for tracking and analytics on websites. The attackers hid the attack further by only delivering the skimmer attack and the fake payment page when it detected a mobile browser agent - an indication that the user making the payment was on a mobile phone.

Security researchers are more likely to investigate websites on a desktop browser rather than a mobile device, and this is one of many cloaking techniques used by Magecart attacks.

External storage and CDNs can hide

This is another code snippet from a top OTA. The highlighted section contains a tag loading a JavaScript from Amazon’s S3, Amazon’s online web storage buckets. Many companies store scripts in S3 and access them remotely. Unfortunately, if an Amazon S3 bucket is not properly secured or is misconfigured, then Magecart attackers can easily modify content stored on these buckets to turn them into skimming delivery systems. In April 2019, a Magecart attack struck 17,000 Amazon S3 buckets.

Magecart attackers have also compromised content served by Content Delivery Networks (CDNs). In one instance, the attack struck customers using Amazon’s CloudFront CDN. It is unclear if the attackers managed to manipulate the CDN settings, or if it is a result of modification done to the origin server from which the CDN pulled the data (in many cases for CloudFront it is an S3 bucket).

CDNs are networks that deliver commonly used pieces of content - images and scripts, among other things - from a distributed network that caches these elements closer to the end users. This makes applications and websites load faster. OTAs often use CDNs to host JavaScript code to further accelerate the actions that the JavaScript performs. 

Travel must guard closely against Magecart attacks 

These are just some of the vectors by which Magecart can attack OTAs, airlines or other hospitality sites. There are many others. JavaScript is omnipresent in websites and mobile applications. Wherever there is Javascript, there is the potential for a Magecart attack.

In 2022, OTAs and other travel sites will be among the juiciest targets due to the high volume of users entering financial data and the ongoing replacement of offline purchases, which is faster and more evolved in travel than some other areas of commerce.

These companies should take extra precautions to make sure that their site code has not been modified. And they need to protect users to safeguard their brands and avoid potentially large GDPR and CCPA fines by using technology that can detect JavaScript behaving badly in live interactions and identify skimming activity before it impacts real victims.

Magecart is taking off, hijacking more and more sites. OTAs and travel sites can save themselves grief and major financial risk by acting in advance to ground this threat.