A forensic analysis of the recent British Airways data breach has turned up evidence pointing to the involvement of Magecart, the same cybercriminal organization linked to a similar breach earlier this year affecting Ticketmaster.

Moreover, it appears as if Magecart customized the digital payment skimmer it typically uses against retail companies to specifically target the UK-based air carrier, investigative researchers from RiskIQ reported in a blog post yesterday. In particular, the attackers tailored their malicious tools to minimize their odds of detection upon injecting malicious scripts into British Airways’ standard and mobile web pages.

The end result: the perpetrators managed to steal personal and financial data pertaining to roughly 380,000 web and mobile customers between the dates of August 21 and Sept. 5.

RiskIQ observed signs of a Magecart compromise by observing various scripts on the British Airways website over time and inspecting them more closely when a change was detected. Ultimately, the researchers spotted a modification in the Modernizr JavaScript library, version 2.6.2, which was loaded British Airways’ baggage claim information page.

The alteration required a mere 22 lines of additional code, written in such a way to at first glance look like legit programming, including the use of a malicious domain named baways.com that actually is hosted on a Romanian IP address. The attackers also paid for an SSL certificate, which was issued on Aug. 15, suggesting they had compromised British Airways at least several days before the data exfiltration, if not more.

“The noted change was at the bottom of the script, a technique we often see when attackers modify JavaScript files to not break functionality,” wrote threat researcher and post author Yonathan Klijnsma. “We found more evidence in the server headers sent by the British Airways server. The servers send a ‘Last-Modified’ header, which indicates the last time a piece of static content was modified. The clean version of the Modernizr script had a timestamp from December 2012,” whereas the modified version’s timestamp “matches closely to the timestamp given by British Airways as the beginning of people getting victimized.”

Essentially, the malicious code enables the collection of data whenever a customer either releases a mouse button or removes their fingers from a touchscreen after pushing a button, including when they’re making a payment. The same script was also loaded whenever mobile British Airways customers visited a web page offering information about fees for different countries and airports. 

“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately,” Klijnsma continued. “This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”

British Airways has set up a web page providing details on the breach incident and last updated it today.