The British Airways breach was the result of a highly targeted digital skimming attack by the same cybercrime group that compromised Ticketmaster and hundreds of other global e-commerce firms over the past year, according to experts.
RiskIQ has been following the notorious Magecart group since 2015 and recently alerted the industry about an evolution in its tactics, to focus on introducing malicious “skimming” code designed to exfiltrate users’ card details as they are typed into a site.
Although many of these attacks against some of the world’s biggest e-commerce brands were carried out by infecting a third-party software provider, the BA attack was targeted at the carrier itself rather than its supply chain, claimed RiskIQ in a new blog post today.
Threat researcher Yonathan Klijnsma explained that his team began by scanning BA web scripts over time to identify whether any of them changed.
“Eventually, we recorded a change in one of the scripts. Opening up the crawl, we saw this script was a modified version of the Modernizr JavaScript library, version 2.6.2 to be precise,” he said. “The noted change was at the bottom of the script, a technique we often see when attackers modify JavaScript files to not break functionality.”
The script was apparently designed to extract information from the payment form as soon as it was entered and send it to the attacker’s server.
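The crawl-and-compare approach described above, as an added illustration rather than RiskIQ’s own tooling: a small script-change monitor that fingerprints each crawled script, reports any change, and flags the tail-append pattern seen in the modified Modernizr file. The URL and both script snapshots are constructed placeholders, not BA’s real files.

```python
import hashlib
from difflib import SequenceMatcher

# Constructed stand-ins for two crawls of the same script URL (not BA's real files).
# The second snapshot keeps the original intact and appends new code at the end,
# the pattern RiskIQ describes for the modified Modernizr library.
SCRIPT_URL = "https://shop.example/static/js/modernizr-2.6.2.js"  # placeholder URL
CRAWL_1 = "/*! modernizr 2.6.2 */\nwindow.Modernizr=(function(){return{touch:true};})();\n"
CRAWL_2 = CRAWL_1 + "window.addEventListener('load',function(){/* appended code */});\n"

def fingerprint(body: str) -> str:
    """Stable identity for a script snapshot; only the hash needs long-term storage."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def classify_change(old: str, new: str) -> dict:
    """Describe how a script changed between two crawls.
    'appended_only' flags the tail-append pattern; otherwise the first edited
    region is reported so an analyst knows where to look."""
    if fingerprint(old) == fingerprint(new):
        return {"changed": False}
    if new.startswith(old):
        return {"changed": True, "appended_only": True,
                "added": new[len(old):], "offset": len(old)}
    sm = SequenceMatcher(None, old, new, autojunk=False)
    tag, i1, i2, j1, j2 = next(op for op in sm.get_opcodes() if op[0] != "equal")
    return {"changed": True, "appended_only": False,
            "added": new[j1:j2], "removed": old[i1:i2], "offset": i1}

def monitor(baseline: dict, crawl: dict) -> list:
    """Compare a new crawl {url: body} against stored baselines and return alerts.
    Scripts never seen before are alerted too: a new third-party include is
    as interesting as an edited one."""
    alerts = []
    for url, body in crawl.items():
        if url not in baseline:
            alerts.append({"url": url, "kind": "new_script"})
            continue
        verdict = classify_change(baseline[url], body)
        if verdict["changed"]:
            verdict.update({"url": url, "kind": "modified_script"})
            alerts.append(verdict)
    return alerts

if __name__ == "__main__":
    for alert in monitor({SCRIPT_URL: CRAWL_1}, {SCRIPT_URL: CRAWL_2}):
        print(alert["kind"], alert["url"], "appended_only=%s" % alert.get("appended_only"))
```

In practice the baseline would be refreshed only after a reviewed deployment, so an unexpected alert means either an unrecorded release or a tampered script.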
The timestamp for this modified script was August 21 at 20.49 local time, just hours before the attack began, although RiskIQ believes the attackers may have had access to the BA site far earlier, as the certificate they used for attack infrastructure was registered on August 15.
This was a highly targeted attack with the skimmer “attuned to how British Airways’ payment page is set up,” and maximum care was taken to avoid suspicion, Klijnsma explained.
“The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection. We saw proof of this on the domain name baways.com as well as the drop server path,” he said.
“The domain was hosted on 89.47.162.248, which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free Let’s Encrypt certificate, likely to make it appear like a legitimate server.”
The same compromised Modernizr JavaScript library was used to skim payment info from visitors to the BA mobile web site, modified slightly so data was taken as soon as the user’s finger left the touchscreen after pushing a payment button.
“While the Magecart attack against British Airways wasn’t a compromise of a third-party supplier like the attack on Ticketmaster, it does raise the question of payment form security,” concluded Klijnsma.
“Companies, especially those that collect sensitive financial data, must realize that they should consider the security of their forms — but also the controls that influence what happens to payment information once a customer submits it.”
Around 380,000 transactions are said to have been affected by the 16-day raid on the BA web site and app.