The recent British Airways breach of up to 380,000 payment cards, has been attributed to the infamous Magecart threat actor.
Last week, British Airways revealed that the bank card data was compromised after a security breach occurred on the company’s website and mobile app in August. While specifics were initially scant on how the breach occurred, on Tuesday, researchers at RiskIQ released findings in a post that point to the Magecart threat actor. Researchers report that the Magecart group added suspicious scripts on the baggage claim information page of the British Airways’ website – which then collected data from visitors and sent it back to the threat actors’ server.
Yonathan Klijnsma, threat researcher with RiskIQ, told Threatpost that the campaign can be attributed to Magecart with “medium-high confidence.”
“Magecart since 2017 has been running a campaign very similar to what happened to British Airways,” he said. “They’ve been setting up infrastructure to mimic victims or they would simply mimic ad or analytics providers to blend in. The British Airways attack was just an extension of that attack in our eyes.”
The Magecart group, in operation since 2015, has been blamed for an array of recent breaches, including one of the most prolific card-stealing operations seen in the wild to date, as well as a massive breach of Ticketmaster earlier in the year.
Because these incidents have been tracked and studied, Klijnsma said that RiskIQ has reported the use of web-based card skimmers operated by the Magecart since 2016 – so was familiar with the methods to look out for in this particular attack.
That method is utilizing digital card skimmers, which use scripts injected into websites to steal data that’s entered into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites.
It’s essentially a digital variety of a traditional method criminals used – known as card skimmers— which are devices hidden within credit card readers on ATMs, fuel pumps and other machines to steal credit card data for the criminal to later collect.
The script collected data from two “events” (mouseup and touchend) and sent that data in the form of JSON to a server hosted on baways.com. That meant that when a user hits the button to submit their payment on the compromised British Airways site, the data from their payment card and their name is extracted and sent to the attacker’s server (a domain hosted on an IP located in Romania and part of a VPS provider named based in Lithuania).
The infrastructure used in the attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection, as exemplified with the tricky domain name, “baways.com,” said Klijnsma. “This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately,” he said. “This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”
In another interesting twist, while the breach was reported to have occurred between August 21 until September 5, according to the airline, the certificate the Magecart actors used was issued on August 15th, “which indicates they likely had access to the British Airways site before the reported start date of the attack on August 21st—possibly long before,” Klijnsma said.
“While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets,” Klijnsma said.
British Airways is still reeling from the breach, which included the name, address and bank card details (including the CVC code) and the name of who made bookings (via the ba.com website). After reporting the breach, the airline was threatened with a $650 million class-action lawsuitin U.K. court.
The breach has been resolved and the ba.com website is working normally, according to a notice on the company’s website. The airline told Threatpost it guarantees that financial losses suffered by customers directly because of the theft of this data from British Airways will be reimbursed, and is recommending that customers contact their bank or card provider if they made a booking or change to their booking between August 21 and September 5.
Klijnsma stressed that companies collecting sensitive financial data must consider the security of their forms, as well as the controls that influence what happens to payment information once a customer submits it. “While the Magecart attack against British Airways wasn’t a compromise of a third-party supplier like the attack on Ticketmaster, it does raise the question of payment form security,” he said.
Meanwhile, the incident also shows how the Magecart actor continues to evolve and grow as a threat group, particularly as they set sights on particular targets and add sneakier methods to avoid detection.
“We’re now seeing them target specific brands, crafting their attacks to match the functionality of specific sites, which we saw in the breach of British Airways,” Klijnsma said. “The Magecart actors have been active since 2015 and have never retreated from their chosen criminal activity. Instead, they have continually refined their tactics and targets to maximize the return on their efforts.”