Experts Comments On Magecart Attack On Hotel Websites Through The Supply Chain

Roomleader, a digital marketing and web development services provider that helps hospitality companies build out their online booking functionality through its library module, which saves viewed hotel information in visitors’ browser cookies, was the victim of a Magecart attack, according to a Trend Micro report. The hackers injected malicious code into Roomleader’s “Viewed Hotels” module, initiating a supply chain attack that has so far infected two hotel chains, one with 107 hotels in 14 countries and the other with 73 hotels in 14 countries.


EXPERTS COMMENTS
Usman Rahim, Digital Security and Operations Manager, The Media Trust
September 20, 2019
Managing the digital supply chain is difficult because it requires the right tools and expertise. When third-party code suppliers deliver code to users through the browser and not through a tool that the website publisher/owner uses, the owner has little control of what happens and can't monitor when something's afoot. If a third party provides or supports the web application, iframes will fall victim to attack. The only way to protect users is to know who’s providing what code and what that code does to users.
Matan Or-El, Co-Founder and CEO, Panorays
September 20, 2019
This latest attack on Roomleader shows that Magecart isn’t going away anytime soon. The attack was designed to steal data from payment forms, including credit card details, names and addresses. To accomplish this, attackers even went so far as to translate their fraudulent forms into eight different languages and create a replacement form that asked for Card Verification Code (CVC) numbers. To avoid these attacks, organizations obviously need to do a better job securing their own servers. However, even organizations that look after their own servers' security can become exposed through third parties. Clearly, organizations must make it a priority to assess and manage the risk associated with third parties in their cyber supply chain.
