RiskIQ: British Airways Breach Ties to Cybercrime GroupMagecart Gang Tweaked Script on BA's Server to Scrape Card Data, Researchers Say
The British Airways breach, in which up to 380,000 website and mobile users' payment card details were stolen, traces to card-scraping code injected into a script on the airline's website by the cybercrime group called Magecart, says security firm RiskIQ.
RiskIQ, which has been tracking Magecart since 2015, previously tied the group to the breach of Ticketmaster websites that came to light in June. In that case, RiskIQ says Magecart managed to sneak card-skimming code into a third-party tool used by Ticktmaster.
On Thursday, British Airways, which is part of Madrid-based International Airlines Group, warned that an attacker managed to steal up to 380,000 customers' payment card details. It says the breach began at 10:58 p.m. on Aug. 21, British Standard Time, and persisted until 9:45 p.m. on Sept. 5. (see Hacker Flies Away With British Airways Customer Data).
A British Airways spokesman, citing an ongoing law enforcement probe, declined to comment on RiskIQ's assertion that the airline's breach traces to Magecart. "As this is a criminal investigation, we are unable to comment on speculation," he tells Information Security Media Group.
British Airways has told all affected customers that it will cover any direct financial losses they suffer as a result of the breach. But on Monday, SPG Law, the U.K. branch of U.S. law giant Sanders Phillips Grossman, said that it was planning to launch a £500 million ($650 million) group action - aka class-action - lawsuit against British Airways. Under the EU's General Data Protection Regulation, breach victims have a right to non-material damage compensation. SPG Law says the airline should compensate victims for the "inconvenience, distress and misuse of their private information" caused by the breach.
Magecart specializes in what RiskIQ calls "digital skimmer" software, by which it means malicious code that's designed to scrape payment card data entered by an e-commerce website customer when they pay for a transaction.
"Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites," Yonathan Klijnsma, a threat researcher at RiskIQ, explains in a blog post.
Looking at server headers, RiskIQ says the modified version of the script had a "last modified" date that appeared to be from around when the breach began. But the "clean" version of the script, it said, should have last been modified in December 2012.
Thanks to the script, attackers were able to send themselves a copy of specified fields after users entered payment card data, RiskIQ says. "Once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker's server," the security firm says.
To clear something up for those reporting on my latest story:— Yonathan Klijnsma (@ydklijnsma) September 11, 2018
Yes Modernizr is a 3rd party library but it was self hosted on the BA servers. This means the actors modified a script on the server which makes this a direct compromise of BA infrastructure, not a 3rd party.
Mobile App Called Script
"Often, when developers build a mobile app, they make an empty shell and load content from elsewhere," Klijnsma says. "In the case of British Airways, a portion of the app is native, but the majority of its functionality loads from web pages from the official British Airways website."
RiskIQ says attackers appear to have carefully constructed this attack, including hosting their attack infrastructure on a site called "baways.com" that was meant to look like the airline's actual site.
"The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection," Klijnsma says. In reality, however, bayways.com was "hosted on 18.104.22.168 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania," he says. "The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server."
RiskIQ says the Comodo certificate was issued on Aug. 15, before the breach reportedly began on Aug. 21. The security firm says attackers may well have had access to the airline's website well before they obtained the certificate.
RiskIQ previously tied the Magecart cybercrime gang to the breach of Ticketmaster websites (see Ticketmaster Breach Traces to Embedded Chatbot Software).
Ticketmaster warned on June 28 that malicious code had been planted in automated customer support chatbot software from Inbenta Technologies.
But RiskIQ says it believes that the Ticketmaster breach traces to a third-party marketing and analytics service, called SociaPlus, used by Ticketmaster. RiskIQ says Magecart appears to have snuck its attack code into SociPlus, and then later onto British Airway's website (see RiskIQ: Ticketmaster Hackers Compromised Widely Used Tools).
"Over time, they've optimized their tactics, culminating in successful breaches of third-party providers such as Inbenta, resulting in the theft of Ticketmaster customer data," Klijnsma says. "We're now seeing them target specific brands, crafting their attacks to match the functionality of specific sites, which we saw in the breach of British Airways."
Ticketmaster has not responded to a request for comment on that research.
RiskIQ says malicious software inserted into websites by Magecart may have breached as many as 800 other e-commerce sites.