A forensic analysis of the recent British Airways data breach has turned up evidence pointing to the involvement of Magecart, the same cybercriminal organization linked to a similar breach earlier this year affecting Ticketmaster.
Moreover, it appears as if Magecart customized the digital payment skimmer it typically uses against retail companies to specifically target the UK-based air carrier, investigative researchers from RiskIQ reported in a blog post yesterday. In particular, the attackers tailored their malicious tools to minimize their odds of detection upon injecting malicious scripts into British Airways’ standard and mobile web pages.
The end result: the perpetrators managed to steal personal and financial data pertaining to roughly 380,000 web and mobile customers between the dates of August 21 and Sept. 5.
The alteration required a mere 22 lines of additional code, written in such a way to at first glance look like legit programming, including the use of a malicious domain named baways.com that actually is hosted on a Romanian IP address. The attackers also paid for an SSL certificate, which was issued on Aug. 15, suggesting they had compromised British Airways at least several days before the data exfiltration, if not more.
Essentially, the malicious code enables the collection of data whenever a customer either releases a mouse button or removes their fingers from a touchscreen after pushing a button, including when they’re making a payment. The same script was also loaded whenever mobile British Airways customers visited a web page offering information about fees for different countries and airports.
“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately,” Klijnsma continued. “This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”
British Airways has set up a web page providing details on the breach incident and last updated it today.