RiskIQ, experts in digital risk management, have shown how just 22 lines of code managed to claim 380,000 victims in the recent British Airways data breach.
RiskIQ researchers have traced the breach of 380,000 sets of payment information belonging to customers of British Airways back to Magecart, the credit-card skimming group made infamous for its July breach of Ticketmaster.
Because the attack was reported by British Airways to be web-based and targeting credit card data, RiskIQ researchers strongly suspected Magecart was behind it. Leveraging the company's global web-crawling network, which maintains a map of the internet and enables security practitioners to analyse web pages and their components as they appear through time, they confirmed that assumption.
The attack was similar to the one levelled against Ticketmaster with one key difference: instead of compromising commonly used third-party functionality to gain access to hundreds of sites at once, Magecart operatives compromised the British Airways site directly and planned their attack around the site’s unique structure and functionality.
RiskIQ's data shows that scripts supporting the functionality of the payment forms on the British Airways’ website were copied and modified to deliver payment information to an attacker-controlled server while maintaining their intended functionality to avoid detection.
The attackers were also aware of the way the British Airways mobile app was constructed, leveraging the fact that it used much of the same functionality as the web-app and could, therefore, victimise users in the same way.
"This attack is a highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer,” said Yonathan Klijnsma, head researcher at RiskIQ. "This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular."
The researchers also found evidence that Magecart operatives may have breached the British Airways site several days before the skimming began. RiskIQ web-crawling data shows that a certificate used on the attacker's command and control server was issued on August 15, nearly a week before the reported start date of the attack on August 21.
RiskIQ, which detects internet-scale threats, is alerted to new Magecart breaches hourly, a clear indication that the group is extremely active and a very real threat to all organisations offering online payment facilities.