BA hack: Magecart the suspect

US cyber-security firm RiskIQ said today its researchers have “traced the breach” of 380,000 sets of payment information belonging to customers of British Airways (BA) to Magecart – the credit-card skimming group made infamous for its July breach of Ticketmaster.

Background

International Airlines Group is one of the world's largest airline groups with 546 aircraft flying to 279 destinations and carrying around 105 million passengers each year. The IAG is the parent company of Aer Lingus, British Airways, Iberia and Vueling. It is a Spanish registered company with shares traded on the London Stock Exchange and Spanish Stock Exchanges.

Analysis

A cyber-security firm has said it found malicious code injected into the British Airways website, which could be the cause of a recent data breach that affected 380,000 transactions.

Risk IQ has advanced the theory that malicious code was planted on the airline’s payments page, via a modified version of the Modernizr JavaScript library. To carry out the attack in this way, hackers would have had to modify JavaScript files without hobbling its core functionality.

The added code then uploaded data to a server hosted on baways.com, according to Risk IQ. “The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection,” the firm said in a blog post. “The domain was hosted on 89.47.162.248 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate.”

The suspect code was loaded from BA’s baggage claim information page, Risk IQ claimed.

The info-stealing script on the web app was replicated on the mobile app. Based on the techniques and tactics employed in the hack, the security firm concluded it had been pulled off by a hacking crew called Magecart, which has been active since 2015 and was previously blamed for the recent Ticketmaster breach.

Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible. While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial. Hacks like this make use of an increasingly common phenomenon, in which large websites embed multiple pieces of code from other sources or third-party suppliers.

Such code may be needed to do specific jobs, such as authorise a payment or present ads to the user. But malicious code can be slipped in instead - this is known as a supply chain attack. In BA's case, hackers stole names, email addresses and credit card details - including the long number, expiry date and the three-digit CVV security code.

Risk IQ said the malicious script consisted of just 22 lines of code. It worked by grabbing data from BA's online payment form and then sending it to the hackers' server once a customer hit the "submit" button. The cyber-security firm added that the attackers had apparently been able to gather data from mobile app users as well because the same script was found loaded into the app on a page describing government taxes and carrier charges. 

Risk IQ recommended that BA customers affected by the breach get a new debit or credit card from their bank. The firm pointed out that whoever was behind the attack had apparently decided to target specific brands and that more breaches of a similar nature were likely.

"There is a very clear emerging risk where the weakest link in payment processes is being actively targeted," cyber-security expert Kevin Beaumont told the BBC. "And that weakest link in the chain is often by placing older systems or third-party code into the payment chain."

According to Risk IQ, they also acquired a Secure Socket Layer (SSL) certificate - which suggests to web browsers, not always accurately, that a web page is safe to use.

Assessment

Our assessment is that as we have reported before, hackers try to find the weakest link in the chain in the supply chain and exploit it. We believe that hacks like this make use of an increasingly common phenomenon, in which large websites embed multiple pieces of code from other sources or third-party suppliers 

We feel that it was a payments system that was compromised with an advanced cyber-attack, that exploited a vulnerability in the payments system or its underlying servers.