Sign up for our newsletter - Navigating the horizon of business technology​
Technology / Cybersecurity

BA Hack: Precise Script, Threat Group Identified

San Francisco-based cybersecurity company RiskIQ says it has identified the precise malicious code used to steal payment details from 380,000 British Airways customers.

Blaming threat group Magecart, the team behind the massive Ticketmaster breach, along with other card skimming attacks, the company said the script was a modified version of the Modernizr JavaScript library, version 2.6.2.

RiskIQ crawls and stores terabytes of data from websites daily.

Basing their investigation off the limited public information from BA after the hack (that payments through its main website and mobile app were affected from 22:58 BST August 21 until 21:45 BST September 5) the company went through stored versions of individual scripts on BA’s pages to find changes in them over time.

White papers from our partners

It soon found the suspicious script.

RiskIQThe company said: “Eventually, we recorded a change in one of the scripts. Opening up the crawl, we saw this script was a modified version of the Modernizr JavaScript library, version 2.6.2 to be precise. The script was loaded from the baggage claim information page on the British Airways website: Only 22 lines of script victimized 380,000 people.”

RiskIQ: Domain Hosted in Romania 

In a blog published this morning, RiskIQ’s Yonathan Klijnsma wrote: “In essence, the script is very simple and very effective. Here is a breakdown of what it does:

  • Once every element on the page finishes loading it will:
    • Bind the mouseupand touchend events on a button known as submitButton with the following callback-code:
      • Serialize the data in a form with id paymentForminto a dictionary
      • Serialize an item on the page with id personPayinginto the same dictionary as the paymentForminformation
      • Make a text-string out of this serialized data
      • Send the data in the form of JSON to a server hosted on com

“On websites, mouseup and touchend, are events for when someone lets go of the mouse after clicking on a button or when someone on a touchscreen (mobile) device lets go of the screen after pushing a button. This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker’s server.”

RiskIQ
A cleaned up version of the script: Credit, RiskIQ

BA Hack: “Simple But Highly Targeted Approach”

Describing the attack as a “simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer” the company described this skimmer as “very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”

“The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection. We saw proof of this on the domain name baways.com as well as the drop server path. The domain was hosted on 89.47.162.248 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server:”

See also: The Ticketmaster Hack is Worse Than First Thought

CEO of global cybersecurity specialist SonicWall, Bill Conner, told Computer Business Review: “Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost. While the British Airways breach may not have been as detrimental as I’m sure its culprits would have liked it to be, it should serve as a wake-up call to CTOs, CIOs and CISOs. The fact is, it is early days, and the true damage done is yet to be seen. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course.”
This article is from the CBROnline archive: some formatting and images may not be present.

CBR Staff Writer

CBR Online legacy content.