A cyber-criminal operation known as Magecart is believed to have been behind the recent card breach announced last week by British Airways.
The group has been very active in the past three years, being blamed for injecting card skimming scripts on thousands of sites, with the most recent trove of compromised sites being discovered two weeks ago.
Of all its hacks, the most notorious incident was when the group compromised a third-party chat provider and used its infrastructure to drop malicious scripts on the Ticketmaster checkout page.
But in a report published today, researchers at RiskIQ say they found clues linking the same Magecart operation to the British Airways breach.
This breach was announced last week when British Airways said that an unidentified hacker compromised its systems and stole the card details of over 380,000 users.
The UK airline did not provide in-depth technical details but only revealed that the attacker collected information on payments made through its main website at ba.com, and from its mobile app, between 22:58 GMT August 21, 2018, and 21:45 GMT September 5, 2018.
But RiskIQ experts say the time period that British Airways provided in its official statement became an essential clue for its investigation.
Researchers say they found that a file that had previously not been modified since 2012 was changed on August 21, 2018, at 20:49 GMT, two hours before the date provided in the British Airways press release.
Also: 7 tips for SMBs to improve data security TechRepublic
RiskIQ says the Magecart group added a malicious piece of code at the end of a previously clean file named modernizr-2.6.2.js.
This piece of code monitored for certain mouse-up and touch-up interactions, extracted any data entered in the checkout page payment form, and sent it to a remote server located in Romania (actually owned by a Lithuanian virtual private server [VPS] provider).
This server was also using a Comodo certificate registered days before the hack, on August 15. According to RiskIQ, this certificate reveals the attackers had time to prepare the hack days before it began, which also means they most likely had access to the British Airways website infrastructure by that time as well.
Furthermore, RiskIQ experts also said they solved the mystery of why the compromise took place on both the main British Airways website and the mobile app at the same time.
Credit card skimming scripts usually affect only websites, mainly because mobile apps are managed from a different codebase. But according to RiskIQ, British Airways devs opted to load the website's payment interface inside the mobile app, meaning that the official app also loaded the malicious card skimmer script as well, hence the reason why payments from the mobile app were also recorded.
With the Magecart operation growing in size each year, it is becoming increasingly dangerous to pay for goods online, even on larger platforms owned by companies that should, at least in theory, afford to secure their websites from compromise.
Previous and related coverage:
Cyber attacks and malware are one of the biggest threats on the internet. Learn about the different types of malware - and how to avoid falling victim to attacks.
This simple advice will help to protect you against hackers and government surveillance.
Whether you're in the office or on the road, a VPN is still one of the best ways to protect yourself on the big, bad internet.