Magecart Monthly: New Targets – Hospitality, Transport and Retail Industries

Here’s the latest news on Magecart and other website attacks. We’ve trawled the web for recent data breaches and updates on previous attacks, with insights from our own Security Researcher.

Latest News:

  • Hotel Chains
  • SEPTA
  • Garmin SA
  • Fragrance Direct

Hotel Chains

Two unnamed hotel chains with more than 180 locations across 14 countries have fallen victim to Magecart. SC Magazine reported that the hotel websites were compromised through a third-party supply chain attack.

Roomleader, a Barcelona-based digital marketing and web development firm that helps hotels build their online booking websites, is the third party through which the attack came. Both hotel websites were developed by Roomleader, and the malicious code was injected into the script of Roomleader’s ‘viewedHotels’ module, which both sites loaded.

The injected script loaded further JavaScript from hxxps://googletrackmanager[.]com/gtm[.]js, a domain chosen to resemble the legitimate Google Tag Manager script URL (www.googletagmanager.com/gtm.js). The skimmer was only delivered to mobile visitors, so a check made from a desktop browser would have seen a clean site. The attack was sophisticated: the code replaced the booking page’s normal payment form with its own, and the attackers went as far as translating the fake form into the eight languages supported by the hotel websites. It is not yet known how many customers were affected.

Injected Script in the JavaScript Library – Photo Courtesy of Trend Micro

The hospitality industry has had its fair share of cybersecurity issues. In November 2018 Marriott disclosed a breach that exposed personal information of approximately 339 million guests, including names, addresses, phone numbers, passport numbers and email addresses. The ICO announced its intention to fine the hotel chain £99.2m; Information Commissioner Elizabeth Denham explained, “The GDPR makes it clear that organisations must be accountable for the personal data they hold.” As an industry that handles a large amount of personal data, hospitality companies need to continuously monitor and update their website security controls to protect customers’ data.

SEPTA

Public transport company SEPTA had its online store compromised for 25 days. The Philadelphia Inquirer reported that Shop.septa.org had been infected with malicious code. The site was used for ticket purchases and also sold SEPTA merchandise. SEPTA spokesperson Andrew Busch said, “It wasn’t heavily used.” However, between June 21st and July 16th, while the site was compromised, 761 customers had their personal and financial information stolen.

The attack came to SEPTA’s attention on July 16th, after a customer received a malware warning from their own security software while using the site. SEPTA shut down the affected site within an hour of discovering the attack and worked with an IT consultant to identify the source. Although SEPTA acted quickly once alerted, it took almost two months before affected customers were notified.

One customer explained that his card had already been used fraudulently, and that SEPTA’s delay in notifying him of the theft was frustrating. “I do feel dissatisfied,” he said. “They should have told me earlier.” Busch explained, “What took us some time was making sure we had accurate information on individuals who were affected,” going on to say, “It takes some time to get your hands around it.”

RapidSpike’s Security Researcher had the following to say: “Although dealing with the aftermath of a data breach can be extensive, SEPTA’s response to the data breach is disappointing. SEPTA are fortunate they had a customer using malware protection software, or this breach could have continued for months or even years. SEPTA need to take responsibility for their customers’ data, however few there are.

The company did not give adequate notice to their customers. Had this been done quicker, it could have prevented fraudulent activity and unnecessary stress for customers. Recommendations for SEPTA would be for them to monitor their critical JavaScript files and consult with cybersecurity specialists on how they should move forward with their website’s security methods.”

Garmin SA

On 12th September, Bleeping Computer reported that Garmin South Africa (SA) had disclosed malicious activity found on its shopping site. Jennifer Van Niekerk, SA Managing Director, announced: “We recently discovered theft of customer data from orders placed through shop.garmin.co.za (operated by Garmin South Africa) that compromised your personal data related to an order that you placed through the website”.

Shop.garmin.co.za site portal in maintenance mode

At the time of writing, the Garmin SA shop is still in maintenance mode. Garmin confirmed the incident is limited to its South African website and did not affect its other websites. The stolen information includes names, email addresses, phone numbers, postal addresses and payment details. A Garmin spokesperson confirmed that the shop, operated by a third party, was compromised by a card-skimming script, affecting 6,700 South African customers. Garmin issued an apology to customers, stating: “As a valued customer, we apologize for this incident and assure you that Garmin takes our obligation to safeguard personal data very seriously.”

Fragrance Direct

On 27th September, The Register reported that Fragrance Direct’s website had been compromised in the latest Magecart attack. The Macclesfield-based company, which trades at Fragrancedirect.co.uk, confirmed the attack, stating: “We recently discovered that some of our user data may have been compromised as a result of unauthorised access to our website by a malicious third party”.

A digital security firm was hired to assist with the incident. Once an investigation was undertaken, the source of the problem was quickly found, and the company says it has “taken the necessary steps to address the issue”.

Fragrance Direct has reported the data breach to the ICO, which responded: “Fragrance Direct has reported an incident to us and we will assess the information provided”. Fragrance Direct has also informed all affected customers and apologised; however, details of the incident, including the number of customers affected, are yet to be released.

RapidSpike security researchers have taken the time to investigate all Magecart attacks mentioned. We can confidently say our Data Breach Monitor would have detected every attack. Learn more about our Data Breach Monitor.

Detect website skimming, formjacking and supply chain attacks. Easily protect against unauthorised changes to your critical JavaScript files with RapidSpike Data Breach Monitor.

Other Security News: