The British Airways breach was the work of a well-known criminal group dubbed Magecart, which managed to put payment card skimming code on the company’s website, says RiskIQ researcher Yonathan Klijnsma.
The group has been compromising online shops left and right for years and its most recent known target before British Airways was Ticketmaster. They use the stolen information to perform card-not-present fraud and employ mules to reship thusly bought high-priced goods to addresses in Eastern Europe.
Klijnsma says that the Magecart attackers customized the skimming script to make it less obvious and set up an infrastructure that would blend in with normal payment processing to avoid detection: the grabbed information was sent to a domain named baways.com and the actors loaded the server with an SSL certificate.
“What is interesting to note from the certificate the Magecart actors used is that it was issued on August 15th, which indicates they likely had access to the British Airways site before the reported start date of the attack on August 21st—possibly long before. Without visibility into its Internet-facing web assets, British Airways were not able to detect this compromise before it was too late,” he notes.
“The attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”
And since the BA mobile application loads content from the website, the skimming script worked to steal the info provided by mobile users.
“One thing to note is that the magecart actor(s) put in the touchend callback in the skimmer to make it work for mobile visitors as well, which again shows us the high level of planning and attention to detail displayed in this simple yet extremely effective attack,” he points out.
“While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets.”
Look out for scams
British Airways has updated the page they set up to provide information to affected customers and confirmed that phone number information has not been impacted, that PayPal and Apple Pay account information has not been compromised.
Saved payment card data has also not been compromised, except in cases where a customer made a payment using a saved card on ba.com or the mobile app.
The company has also warned affected customers to be on the lookout for phishing attacks (either via phone or email) leveraging the stolen information and to be conscious of signs that may indicate that they might have been a victim of identity theft.
These include receiving bills or receipts for goods or services they haven’t ordered, refused requests for financial services, credit cards or a loan despite having a good credit rating, refused requests for state benefits (because someone else is already claiming them in the target’s name), receiving letters from solicitors or debt collectors for debts that aren’t theirs, etc.