The Magecart group modified site scripts to steal details directly from BA’s site and app, even using a legitimate-looking security certificate
Security researchers say they have discovered “skimming” code on British Airways’ website and in the code that powers its mobile app, apparently revealing the technique by which hundreds of thousands of payment cards were compromised over a two-week period beginning in late August.
BA said earlier this month that some 380,000 transactions were affected by the scam, which stole detailed payment card information.
The airline hasn’t revealed how it believes the attack was carried out, but in statements at the time mentioned only its website and app, and did not indicate a compromise of its back-end servers.
Online card skimming
Computer security firm RiskIQ said this statement led it to suspect a “skimming” group called Magecart.
The group, active since 2015, specialises in an online variation of the card skimming incidents better known for affecting physical point-of-sale terminals at large retailers such as Target and Best Buy.
San Francisco-based RiskIQ said Magecart’s automated online skimming attacks are so widespread that the company detects about one newly compromised site every hour.
The attack works by collecting data entered into online web forms and transmitting it to a third-party server controlled by the attacker, meaning card data can be stolen even if the vendor doesn’t store the information.
In this case, RiskIQ wasn’t able to find Magecart’s standard attack code on BA’s site.
In analysing automatically scanned copies of BA’s web code from August, however, the firm found that one of the scripts used on the site had been modified to include extra code.
This code proved to be a version of Magecart’s skimming tool that had been specifically modified to run on BA’s site.
“This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” wrote RiskIQ researcher Yonathan Klijnsma in a report.
The script sent the card data it collected to a third-party server called baways.com, evidently chosen because the name resembles that of an official British Airways site.
In fact, the domain was hosted in Romania by a virtual private server (VPS) firm based in Lithania.
The attackers also went the extra mile to obtain a legitimate-looking SSL certificate from Comodo, further evidence of the planning that went into the attack, RiskIQ said.
BA’s app transactions were also compromised because the app loads its functional content from BA’s website, using an exact copy of the main web transaction page that at the time included the Magecart skimming code, RiskIQ said.
RiskIQ warned that companies collecting sensitive data must consider the security of the online forms they use, as well as that of the scripts that control what happens to the data.
It advised the affected BA customers to obtain new bank cards.
“Magecart is an active threat that operates at a scale and breadth that rivals—or possibly surpasses—the recent compromises of point-of-sale systems of retail giants such as Home Depot and Target,” Klijnsma wrote.
“The Magecart actors… have continually refined their tactics and targets. We’re now seeing them target specific brands, crafting their attacks to match the functionality of specific sites.”
BA and the UK’s National Crime Agency declined to provide comment on an ongoing investigation.
“As this is a criminal investigation, we are unable to comment on speculation,” BA said in a statement.
The UK’s National Cyber Security Centre (NCSC) said at the time that the breach was disclosed that it was also involved in investigating the case.
“We are working with partners to better understand this incident and how it has affected customers,” the NCSC said at the time.