San Francisco-based cybersecurity company RiskIQ says it has identified the precise malicious code used to steal payment details from 380,000 British Airways customers.
Basing its investigation on the limited public information BA released after the hack (that payments through its main website and mobile app were affected from 22:58 BST on August 21 until 21:45 BST on September 5), the company went through stored versions of the individual scripts on BA's pages to find changes in them over time.
RiskIQ: Domain Hosted in Romania
In a blog published this morning, RiskIQ’s Yonathan Klijnsma wrote: “In essence, the script is very simple and very effective. Here is a breakdown of what it does:
Once every element on the page finishes loading it will:
Bind the mouseup and touchend events on a button known as submitButton with the following callback code:
Serialize the data in a form with id paymentForm into a dictionary
Serialize an item on the page with id personPaying into the same dictionary as the paymentForm information
Make a text-string out of this serialized data
Send the data in the form of JSON to a server hosted on baways.com
“On websites, mouseup and touchend are events for when someone lets go of the mouse after clicking on a button or when someone on a touchscreen (mobile) device lets go of the screen after pushing a button. This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker’s server.”
Describing the attack as a “simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer”, the company described this skimmer as “very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”
“The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection. We saw proof of this on the domain name baways.com as well as the drop server path. The domain was hosted on 126.96.36.199 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free Let’s Encrypt certificate, likely to make it appear like a legitimate server:”
CEO of global cybersecurity specialist SonicWall, Bill Conner, told Computer Business Review: “Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost. While the British Airways breach may not have been as detrimental as I’m sure its culprits would have liked it to be, it should serve as a wake-up call to CTOs, CIOs and CISOs. The fact is, it is early days, and the true damage done is yet to be seen. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course.”
This article is from the CBROnline archive: some formatting and images may not be present.