San Francisco-based cybersecurity company RiskIQ says it has identified the precise malicious code used to steal payment details from 380,000 British Airways customers.
Blaming threat group Magecart, the team behind the massive Ticketmaster breach, along with other card skimming attacks, the company said the script was a modified version of the Modernizr JavaScript library, version 2.6.2.
RiskIQ crawls and stores terabytes of data from websites daily.
Basing its investigation on the limited public information from BA after the hack (that payments through its main website and mobile app were affected from 22:58 BST August 21 until 21:45 BST September 5), the company went through stored versions of individual scripts on BA’s pages to find changes in them over time.
It soon found the suspicious script.
The company said: “Eventually, we recorded a change in one of the scripts. Opening up the crawl, we saw this script was a modified version of the Modernizr JavaScript library, version 2.6.2 to be precise. The script was loaded from the baggage claim information page on the British Airways website: Only 22 lines of script victimized 380,000 people.”
RiskIQ: Domain Hosted in Romania
In a blog published this morning, RiskIQ’s Yonathan Klijnsma wrote: “In essence, the script is very simple and very effective. Here is a breakdown of what it does:
- Once every element on the page finishes loading it will:
  - Bind the mouseup and touchend events on a button known as submitButton with the following callback-code:
    - Serialize the data in a form with id paymentForm into a dictionary
    - Serialize an item on the page with id personPaying into the same dictionary as the paymentForm information
    - Make a text-string out of this serialized data
    - Send the data in the form of JSON to a server hosted on baways.com”
“On websites, mouseup and touchend, are events for when someone lets go of the mouse after clicking on a button or when someone on a touchscreen (mobile) device lets go of the screen after pushing a button. This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker’s server.”
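RiskIQ found the skimmer by comparing stored versions of BA’s scripts over time and spotting a change that pointed at an unfamiliar host. The following added example (written for this article, not RiskIQ’s or BA’s code) automates that review over a constructed crawl history: it fingerprints each stored version, diffs consecutive versions when the fingerprint changes, and reports any hosts named in the added lines that are not on an assumed allowlist of the site’s own domains.

```python
import hashlib
import re
from difflib import unified_diff

# Constructed crawl history of one script as a monitor might store it: the
# same content on successive dates, then a modified copy. These are stand-ins,
# not the real Modernizr file or the real injected code; the added line only
# names a host and executes nothing.
SNAPSHOTS = {
    "2018-08-15": "/* Modernizr 2.6.2 */\nwindow.Modernizr = {};\n",
    "2018-08-20": "/* Modernizr 2.6.2 */\nwindow.Modernizr = {};\n",
    "2018-08-22": "/* Modernizr 2.6.2 */\nwindow.Modernizr = {};\n"
                  "// appended: sends serialized form data to https://baways.com/\n",
}
# Hosts a script on this site is expected to contact (assumed allowlist).
ALLOWED_HOSTS = {"britishairways.com"}
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def fingerprint(content: str) -> str:
    """Stable identity for one stored version of a script."""
    return hashlib.sha256(content.encode()).hexdigest()


def is_allowed(host: str, allowlist: set) -> bool:
    """True if host is an allowed domain or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowlist)


def added_hosts(old: str, new: str, allowlist: set) -> set:
    """Hosts referenced by lines added between two versions, minus the allowlist."""
    diff = unified_diff(old.splitlines(), new.splitlines(), lineterm="", n=0)
    added = [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]
    hosts = {h for line in added for h in HOST_RE.findall(line)}
    return {h for h in hosts if not is_allowed(h, allowlist)}


def audit(snapshots: dict, allowlist: set) -> list:
    """Walk crawl dates in order; report each version change and any new hosts."""
    findings = []
    dates = sorted(snapshots)  # ISO dates sort chronologically
    for prev, cur in zip(dates, dates[1:]):
        if fingerprint(snapshots[prev]) == fingerprint(snapshots[cur]):
            continue  # identical bytes, nothing to review
        findings.append({"from": prev, "to": cur,
                         "new_hosts": added_hosts(snapshots[prev], snapshots[cur], allowlist)})
    return findings


if __name__ == "__main__":
    for f in audit(SNAPSHOTS, ALLOWED_HOSTS):
        print(f"{f['from']} -> {f['to']}: script changed; new hosts {f['new_hosts'] or 'none'}")
```

A change with no new hosts still merits review, since a skimmer can reuse a host already on the page; the unfamiliar host is only the strongest signal, as it was here.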
BA Hack: “Simple But Highly Targeted Approach”
Describing the attack as a “simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer”, the company said this skimmer was “very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”
“The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection. We saw proof of this on the domain name baways.com as well as the drop server path. The domain was hosted on 89.47.162.248 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server.”
CEO of global cybersecurity specialist SonicWall, Bill Conner, told Computer Business Review: “Organizations and government entities carry a responsibility to consumers and civilians alike to guard their most valuable information at all cost. While the British Airways breach may not have been as detrimental as I’m sure its culprits would have liked it to be, it should serve as a wake-up call to CTOs, CIOs and CISOs. The fact is, it is early days, and the true damage done is yet to be seen. Companies should be implementing security best practices such as a layered approach to protection, as well as proactively updating any out of date security devices, as a matter of course.”