From airlines to hotel chains to activity aggregators, the travel
and hospitality industry has a bullseye on its back for Magecart attacks.
Two mid-sized hotel chains, with more than 180 hotel properties between
them, were victims of a Magecart attack in 2019 when a third-party supplier of
digital marketing services to both chains, Roomleader, was
compromised. Roomleader serves other hotel chains, so it's likely that other
Magecart attacks went undetected or were never disclosed.
On the airline front, British
Airways suffered a significant Magecart attack that was reported in the summer
of 2018, allowing cybercriminals to lift payment information for over 380,000
customers who had purchased flights or other travel services.
More broadly, Magecart attacks have proliferated over the past two
years. Since 2019, researchers have identified over
two million instances of Magecart attacks in the wild. The online travel segment is an
enticing target due to the sheer volume of people making purchases;
pre-pandemic, Euromonitor
had forecast nearly $1.5 trillion in online travel purchases per year by 2024,
accounting for 52% of all travel sales.
Magecart is the name for a growing number of malicious attacks
perpetrated by various hacker groups that target e-commerce websites and mobile
apps, including those of travel and hospitality companies, with digital
skimming attacks.
In a Magecart incident, an attacker inserts unauthorized malicious
code into a company’s web application. The code could be injected into
first-party JavaScript code if the hacker somehow gains access to the site’s
codebase; this is what transpired in the British Airways attack.
Alternatively, the code could be inserted into third-party
JavaScript services or into open source libraries that together typically make
up over 70% of all website code today. The malicious code can access or modify
elements on a web page and skim user data including credit card numbers. The
modified code then sends the stolen data to a server somewhere in the world.
Researchers have identified
dozens of different types of JavaScript digital skimming exploits that
could be grouped under the Magecart umbrella.
This toxic attack type has resulted in billions of dollars of
damages and fines to travel sites: the British government fined British Airways
$27.5 million for allowing a Magecart attack to transpire over two weeks and
for not sufficiently protecting its site visitors and customers.
Guarding against Magecart attacks is exceptionally difficult
because there are so many places an attacker could hide code and so many ways
to hide unauthorized code modifications. Let’s look at how popular sites are
built and how the different components could translate into different potential
attack surfaces for Magecart. (These are examples and do not mean these sites or
components have been compromised.)
The third-party vendor
This is the page of an online travel agency that provides activity
and travel search as well as bookings on a global basis. Here is a screenshot
of the site’s shopping cart using DevTools (or “Inspector Mode”) to see the
site code. The blue bar is highlighting a JavaScript call-in to FlipDesk, a
customer service module that runs on this page as well as on pages where
payment data is requested. If FlipDesk were compromised, then the site owner
would struggle to notice any difference and the Magecart gangs would be able to
collect a huge volume of payment data. That being said, more sophisticated
Magecart attacks can sniff payment page data after infecting users from other
pages on a site or mobile app.
Hacking directly into site code
In the case of Roomleader, a provider of marketing and booking
services for hotel chains, researchers reported that malicious attackers hacked
directly into their site code. There the attackers installed a skimmer that
would harvest payment data from purchase pages accessed by mobile users.
You can see the attack script above. The Magecart attackers took
care to make their script resemble code for Google Tag Manager, a widely used
tag management system created by Google to manage JavaScript and HTML tags used
for tracking and analytics on websites. The attackers hid the attack further by
only delivering the skimmer attack and the fake payment page when it detected a
mobile browser agent - an indication that the user making the payment was on a
mobile phone.
Security researchers are
more likely to investigate websites on a desktop browser rather than a mobile
device, and this is one of many cloaking techniques used by Magecart attacks.
External storage and CDNs can hide attacks
This is another code snippet from a top OTA. The highlighted
section contains a tag loading a JavaScript file from Amazon S3, Amazon's online
object storage buckets. Many companies store scripts in S3 and load them
remotely. Unfortunately, if an Amazon S3 bucket is not properly secured or is
misconfigured, then Magecart attackers can easily modify content stored on
these buckets to turn them into skimming delivery systems. In April 2019, a Magecart
attack struck 17,000 Amazon S3 buckets.
Magecart attackers have also compromised content served by Content
Delivery Networks (CDNs). In one instance, the attack struck
customers using Amazon’s CloudFront CDN. It is
unclear if the attackers managed to manipulate the CDN settings, or if it is a
result of modification done to the origin server from which the CDN pulled the
data (in many cases for CloudFront it is an S3 bucket).
CDNs are networks that deliver commonly used pieces of content -
images and scripts, among other things - from a distributed network that caches
these elements closer to the end users. This makes applications and websites
load faster. OTAs often use CDNs to host JavaScript code to further accelerate
the actions that the JavaScript performs.
Travel must guard closely against Magecart attacks
These are just some of the vectors by which Magecart can attack
OTAs, airlines or other hospitality sites. There are many others. JavaScript is
omnipresent in websites and mobile applications. Wherever there is JavaScript,
there is the potential for a Magecart attack.
In 2022, OTAs and other travel sites will be among the juiciest
targets due to the high volume of users entering financial data and the ongoing
replacement of offline purchases, which is faster and more evolved in travel
than some other areas of commerce.
These companies should take extra precautions to make sure that
their site code has not been modified. And they need to protect users to
safeguard their brands and avoid potentially large GDPR and CCPA fines by using
technology that can detect JavaScript behaving badly in live interactions and
identify skimming activity before it impacts real victims.
Magecart is taking off, hijacking more and more sites. OTAs and
travel sites can save themselves grief and major financial risk by acting in
advance to ground this threat.
About the author...
Avishai Shafir is director of product management at
PerimeterX.