The responsible of the recently disclosed British Airways data breach is a crime gang tracked as MageCart. The group has been active since at least 2015 and compromised many e-commerce websites to steal payment card and other sensitive data.
This script records keystrokes from customers and sends them to a server controlled by the attacker.
Typically hackers attempt to compromise third-party features that could allow them to access a large number of websites.
According to the security firm RiskIQ, the MageCart group carried out a targeted attack against the British Airways and used a customized version of the script to remain under the radar.
The hackers used a dedicated infrastructure for this specific attack against the airline.
“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.” reads the analysis published by RiskIQ.
“The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection. We saw proof of this on the domain name baways.com as well as the drop server path. “
Experts analyzed all the scripts loaded by the website and searched for any evidence of recent changes.
The malicious script was loaded from the baggage claim information page on the British Airways website, the code added by the attackers allowed Modernizr to send payment information from the customer to the attacker’s server.
The script allowed the attacker to steal users’ data from both the website and the mobile app.
The data stolen from the British Airways was sent in the form of JSON to a server hosted on baways.com that resembles the legitimate domain used by the airline.
The attackers purchased an SSL certificate from Comodo to avoid raising suspicion.
“The domain was hosted on 18.104.22.168 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server:” continues RiskIQ.
At the time it is still unclear how MageCart managed to inject the malicious code in the British Airways website.
“As we’ve seen in this attack, Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible. While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets.” concludes RiskIQ.