Card Not Present Fraud , Cybercrime , Fraud Management & Cybercrime

RiskIQ: British Airways Breach Ties to Cybercrime Group

Magecart Gang Tweaked Script on BA's Server to Scrape Card Data, Researchers Say
RiskIQ: British Airways Breach Ties to Cybercrime Group
Security firm RiskIQ says hackers appear to have added these 22 lines of JavaScript to a British Airways server, allowing them to steal payment card data.

The British Airways breach, in which up to 380,000 website and mobile users' payment card details were stolen, traces to card-scraping code injected into a script on the airline's website by the cybercrime group called Magecart, says security firm RiskIQ.

See Also: Gartner Guide for Digital Forensics and Incident Response

RiskIQ, which has been tracking Magecart since 2015, previously tied the group to the breach of Ticketmaster websites that came to light in June. In that case, RiskIQ says Magecart managed to sneak card-skimming code into a third-party tool used by Ticktmaster.

On Thursday, British Airways, which is part of Madrid-based International Airlines Group, warned that an attacker managed to steal up to 380,000 customers' payment card details. It says the breach began at 10:58 p.m. on Aug. 21, British Standard Time, and persisted until 9:45 p.m. on Sept. 5. (see Hacker Flies Away With British Airways Customer Data).

A British Airways spokesman, citing an ongoing law enforcement probe, declined to comment on RiskIQ's assertion that the airline's breach traces to Magecart. "As this is a criminal investigation, we are unable to comment on speculation," he tells Information Security Media Group.

British Airways has told all affected customers that it will cover any direct financial losses they suffer as a result of the breach. But on Monday, SPG Law, the U.K. branch of U.S. law giant Sanders Phillips Grossman, said that it was planning to launch a £500 million ($650 million) group action - aka class-action - lawsuit against British Airways. Under the EU's General Data Protection Regulation, breach victims have a right to non-material damage compensation. SPG Law says the airline should compensate victims for the "inconvenience, distress and misuse of their private information" caused by the breach.

Researchers Recover Tweaked JavaScript

Magecart specializes in what RiskIQ calls "digital skimmer" software, by which it means malicious code that's designed to scrape payment card data entered by an e-commerce website customer when they pay for a transaction.

"Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites," Yonathan Klijnsma, a threat researcher at RiskIQ, explains in a blog post.

RiskIQ says the British Airways website, plus the booking page, results in 30 different scripts being loaded, each of which can run to thousands of lines of code. Comparing scripts on the site before and after the airline's breach notification, Klijnsma says RiskIQ found that one script was "a modified version of the Modernizr JavaScript library, version 2.6.2 to be precise," that "was loaded from the baggage claim information page on the British Airways website."

RiskIQ's Klijnsma says the changes to the script were added to the bottom, which is "a technique we often see when attackers modify JavaScript files to not break functionality."

Looking at server headers, RiskIQ says the modified version of the script had a "last modified" date that appeared to be from around when the breach began. But the "clean" version of the script, it said, should have last been modified in December 2012.

Clean version of the compromised script (Source: RiskIQ)
The modified version of script appears to align closely with when BA says its breach began. (Source: RiskIQ)

Thanks to the script, attackers were able to send themselves a copy of specified fields after users entered payment card data, RiskIQ says. "Once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker's server," the security firm says.

Mobile App Called Script

British Airway's mobile apps also appear to have loaded the same JavaScript components when it came time for customers to pay.

RiskIQ says it found the modified, malicious JavaScript got called from BA's mobile app, including this page.

"Often, when developers build a mobile app, they make an empty shell and load content from elsewhere," Klijnsma says. "In the case of British Airways, a portion of the app is native, but the majority of its functionality loads from web pages from the official British Airways website."

RiskIQ says attackers appear to have carefully constructed this attack, including hosting their attack infrastructure on a site called "baways.com" that was meant to look like the airline's actual site.

"The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection," Klijnsma says. In reality, however, bayways.com was "hosted on 89.47.162.248 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania," he says. "The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server."

RiskIQ says the Comodo certificate was issued on Aug. 15, before the breach reportedly began on Aug. 21. The security firm says attackers may well have had access to the airline's website well before they obtained the certificate.

Ticketmaster Breach

RiskIQ previously tied the Magecart cybercrime gang to the breach of Ticketmaster websites (see Ticketmaster Breach Traces to Embedded Chatbot Software).

Ticketmaster warned on June 28 that malicious code had been planted in automated customer support chatbot software from Inbenta Technologies.

But RiskIQ says it believes that the Ticketmaster breach traces to a third-party marketing and analytics service, called SociaPlus, used by Ticketmaster. RiskIQ says Magecart appears to have snuck its attack code into SociPlus, and then later onto British Airway's website (see RiskIQ: Ticketmaster Hackers Compromised Widely Used Tools).

"Over time, they've optimized their tactics, culminating in successful breaches of third-party providers such as Inbenta, resulting in the theft of Ticketmaster customer data," Klijnsma says. "We're now seeing them target specific brands, crafting their attacks to match the functionality of specific sites, which we saw in the breach of British Airways."

Ticketmaster has not responded to a request for comment on that research.

RiskIQ says malicious software inserted into websites by Magecart may have breached as many as 800 other e-commerce sites.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.