British Airways hack was by same group that compromised Ticketmaster

The British Airways hack boiled down to attackers using 22 lines of code for digital payment card skimming on the baggage claim page and resulted in 380,000 customers having their personal and payment information stolen between Aug. 21 and Sept. 5, 2018.

RiskIQ head researcher Yonathan Klijnsma attributed the hack to the cybercriminal group dubbed Magecart – the same group of attackers responsible for the Ticketmaster UK breach.

While apologizing for the customer data theft, British Airways’ boss Alex Cruz told the BBC that hackers pulled off a “sophisticated, malicious criminal attack.” Despite technical details being all but nonexistent in British Airways’ breach notification, experts say attackers used a “simple but highly targeted approach.”

RiskIQ determined that instead of blindly injecting skimming code or using a compromised third party to steal payment data from British Airways, Magecart “carefully considered” how to go undetected and targeted scripts that would blend in with British Airways’ normal payment processing.

In this highly targeted attack, the group used 22 lines of simple but very effective JavaScript on the baggage claim page to steal payment and other personal information from 380,000 British Airways’ customers who used either the website or the mobile app between Aug. 21 and Sept. 5.

Klijnsma explained that RiskIQ crawls over 2 billion pages per day and receives hourly alerts of sites being compromised with Magecart’s skimmer code. Eventually the company found a JavaScript component, which loaded from the baggage claim information page on the British Airways site, with the date modified changed from December 2012 to August 21, 2018.

Other than the changed timestamp, the group attempted to avoid detection by using a “custom, targeted infrastructure” to blend in with British Airways. They used the domain “baways.com” in the server path, as that could be short for British Airways. That domain, RiskIQ found, was hosted in Romania and is part of a provider based in Lithuania.

Instead of using Let’s Encrypt for a free SSL certificate for their server, the attackers opted to pay for an SSL certificate from Comodo to make it appear more like a legitimate server. That certificate was issued on Aug. 15, 2018, which indicated that the Magecart attackers “likely had access to the British Airways site before the reported start date of the attack on August 21st—possibly long before. Without visibility into its Internet-facing web assets, British Airways were not able to detect this compromise before it was too late,” RiskIQ said.

After analyzing the British Airways Android app, RiskIQ determined that the app loaded a mobile version of the main site for searching, booking, and managing flights. The malicious skimmer script allowed for touchscreen inputs, so it could steal sensitive information from mobile visitors, as well.

Klijnsma concluded:

While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets.

…

Companies, especially those that collect sensitive financial data, must realize that they should consider the security of their forms—but also the controls that influence what happens to payment information once a customer submits it.

Customers affected by the British Airways breach were advised to get a new credit card from their bank.