The British Airways hack involved a highly targeted approach using 22 lines of skimmer code by the group that compromised Ticketmaster.

The British Airways hack boiled down to attackers using 22 lines of code for digital payment card skimming on the baggage claim page, and it resulted in 380,000 customers having their personal and payment information stolen between Aug. 21 and Sept. 5, 2018. RiskIQ head researcher Yonathan Klijnsma attributed the hack to the cybercriminal group dubbed Magecart, the same group of attackers responsible for the Ticketmaster UK breach.

While apologizing for the customer data theft, British Airways’ boss Alex Cruz told the BBC that hackers pulled off a “sophisticated, malicious criminal attack.” Despite technical details being all but nonexistent in British Airways’ breach notification, experts say attackers used a “simple but highly targeted approach.”

RiskIQ determined that instead of blindly injecting skimming code or using a compromised third party to steal payment data from British Airways, Magecart “carefully considered” how to go undetected and targeted scripts that would blend in with British Airways’ normal payment processing. In this highly targeted attack, the group used 22 lines of simple but very effective JavaScript on the baggage claim page to steal payment and other personal information from 380,000 British Airways customers who used either the website or the mobile app between Aug. 21 and Sept. 5.

Klijnsma explained that RiskIQ crawls over 2 billion pages per day and receives hourly alerts of sites being compromised with Magecart’s skimmer code. Eventually the company found a JavaScript component, loaded from the baggage claim information page on the British Airways site, whose modification date had changed from December 2012 to August 21, 2018. Other than the changed timestamp, the group attempted to avoid detection by using a “custom, targeted infrastructure” to blend in with British Airways.
They used the domain “baways.com” in the server path, as that could be short for British Airways. That domain, RiskIQ found, was hosted in Romania and is part of a provider based in Lithuania. Instead of using Let’s Encrypt for a free SSL certificate for their server, the attackers opted to pay for an SSL certificate from Comodo to make it appear more like a legitimate server. That certificate was issued on Aug. 15, 2018, which indicated that the Magecart attackers “likely had access to the British Airways site before the reported start date of the attack on August 21st—possibly long before. Without visibility into its Internet-facing web assets, British Airways were not able to detect this compromise before it was too late,” RiskIQ said.

After analyzing the British Airways Android app, RiskIQ determined that the app loaded a mobile version of the main site for searching, booking, and managing flights. The malicious skimmer script also handled touchscreen input, so it could steal sensitive information from mobile visitors as well.

Klijnsma concluded:

While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets.

…

Companies, especially those that collect sensitive financial data, must realize that they should consider the security of their forms—but also the controls that influence what happens to payment information once a customer submits it.

Customers affected by the British Airways breach were advised to get a new credit card from their bank.
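The detection angle RiskIQ describes (a long-untouched script whose modification date and content suddenly change, and a script host the site does not own) can be turned into a routine integrity check. The following is an added example, not code from the article or from RiskIQ; the hostnames, script bodies and timestamps are constructed sample crawls, and the allowlist is an assumed list of first-party hosts.

```python
"""Diff a stored baseline of a payment page's scripts against a fresh crawl:
flag changed content, changed Last-Modified headers, new or removed scripts,
and any script served from a host outside the site's own allowlist."""
import hashlib
from urllib.parse import urlparse

# Constructed sample crawls (example data, not British Airways' real markup
# or the real skimmer). Each entry: script URL -> (body, Last-Modified header).
BASELINE = {
    "https://www.example-airline.test/js/lib.min.js":
        ("window.Lib={};", "Thu, 13 Dec 2012 10:00:00 GMT"),
    "https://www.example-airline.test/js/checkout.js":
        ("function pay(f){return post('/pay',f);}", "Mon, 02 Jul 2018 09:30:00 GMT"),
}
CURRENT = {
    "https://www.example-airline.test/js/lib.min.js":
        ("window.Lib={};/* tail appended after the 2012 build */", "Tue, 21 Aug 2018 20:49:00 GMT"),
    "https://www.example-airline.test/js/checkout.js":
        ("function pay(f){return post('/pay',f);}", "Mon, 02 Jul 2018 09:30:00 GMT"),
    "https://cdn.unknown-host.test/js/helper.js":
        ("/* script never seen in the baseline */", "Tue, 21 Aug 2018 20:49:00 GMT"),
}
ALLOWED_HOSTS = {"www.example-airline.test"}  # assumed first-party hosts


def sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit(baseline, current, allowed_hosts):
    """Return sorted findings; an empty list means nothing changed."""
    findings = []
    for url, (body, modified) in current.items():
        host = urlparse(url).hostname
        if host not in allowed_hosts:
            findings.append(f"unexpected host {host}: {url}")
        if url not in baseline:
            findings.append(f"new script: {url}")
            continue
        old_body, old_modified = baseline[url]
        if sha256(body) != sha256(old_body):
            findings.append(f"content changed: {url} (Last-Modified {old_modified} -> {modified})")
        elif modified != old_modified:
            # Same bytes but a fresh timestamp: worth a look, not an alarm.
            findings.append(f"timestamp changed, content same: {url}")
    findings += [f"script removed: {url}" for url in baseline if url not in current]
    return sorted(findings)


if __name__ == "__main__":
    for line in audit(BASELINE, CURRENT, ALLOWED_HOSTS):
        print(line)
```

Run it from a scheduled job against the real checkout and baggage pages, refreshing the baseline only after a deliberate deploy, so an unexplained change to a years-old library file surfaces the same day rather than weeks later.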