View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
September 11, 2018

BA Hack: Precise Script, Threat Group Identified

RiskIQ blames Ticketmaster attacker "Magecart"

By CBR Staff Writer

San Francisco-based cybersecurity company RiskIQ says it has identified the precise malicious code used to steal payment details from 380,000 British Airways customers.

Blaming threat group Magecart, the team behind the massive Ticketmaster breach, along with other card skimming attacks, the company said the script was a modified version of the Modernizr JavaScript library, version 2.6.2.

RiskIQ crawls and stores terabytes of data from websites daily.

Basing their investigation off the limited public information from BA after the hack (that payments through its main website and mobile app were affected from 22:58 BST August 21 until 21:45 BST September 5) the company went through stored versions of individual scripts on BA’s pages to find changes in them over time.

It soon found the suspicious script.

RiskIQThe company said: “Eventually, we recorded a change in one of the scripts. Opening up the crawl, we saw this script was a modified version of the Modernizr JavaScript library, version 2.6.2 to be precise. The script was loaded from the baggage claim information page on the British Airways website: Only 22 lines of script victimized 380,000 people.”

RiskIQ: Domain Hosted in Romania 

In a blog published this morning, RiskIQ’s Yonathan Klijnsma wrote: “In essence, the script is very simple and very effective. Here is a breakdown of what it does:

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape
  • Once every element on the page finishes loading it will:
    • Bind the mouseupand touchend events on a button known as submitButton with the following callback-code:
      • Serialize the data in a form with id paymentForminto a dictionary
      • Serialize an item on the page with id personPayinginto the same dictionary as the paymentForminformation
      • Make a text-string out of this serialized data
      • Send the data in the form of JSON to a server hosted on com

“On websites, mouseup and touchend, are events for when someone lets go of the mouse after clicking on a button or when someone on a touchscreen (mobile) device lets go of the screen after pushing a button. This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker’s server.”


A cleaned up version of the script: Credit, RiskIQ

BA Hack: “Simple But Highly Targeted Approach”

Describing the attack as a “simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer” the company described this skimmer as “very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”

“The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection. We saw proof of this on the domain name as well as the drop server path. The domain was hosted on which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server:”

See also: The Ticketmaster Hack is Worse Than First Thought

CEO of global cybersecurity specialist SonicWall, Bill Conner, told Computer Business Review: “Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost. While the British Airways breach may not have been as detrimental as I’m sure its culprits would have liked it to be, it should serve as a wake-up call to CTOs, CIOs and CISOs. The fact is, it is early days, and the true damage done is yet to be seen. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course.”

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.