On September 6th, British Airways announced it had suffered a breach resulting in the theft of customer data. In interviews with the BBC, the company noted that around 380,000 customers could have been affected and that the stolen information included personal and payment information but not passport information.
On its website, British Airways placed an article explaining details of the incident that answered as many questions as possible for customers. The technical details were sparse but included the following pieces of information:
The report also stated very clearly that information was stolen from the British Airways website and mobile app but did not mention breaches of anything else, namely databases or servers—anything indicating the breach affected more than the payment information entered into the website. Because these reports only cover customer data stolen directly from payment forms, we immediately suspected one group: Magecart.
The same type of cyber attack happened recently when Ticketmaster UK reported a breach, after which RiskIQ found the entire trail of the incident. Because we crawl the internet and capture the details of each page, our team was able to expand the timeline and discover more affected websites beyond what was publicly reported. In this blog, we’ll investigate what happened during the breach of British Airways customer data made public on September 6, which spanned a total of 15 days according to public reporting.
Since 2016, RiskIQ has reported on the use of web-based card skimmers operated by the threat group Magecart. Traditionally, criminals use devices known as card skimmers—devices hidden within credit card readers on ATMs, fuel pumps, and other machines people pay for with credit cards every day—to steal credit card data for the criminal to later collect and either use themselves or sell to other parties. Magecart uses a digital variety of these devices.
Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites. Recently, Magecart operatives placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality resulting in a high-profile breach of Ticketmaster customer data. Based on recent evidence, Magecart has now set their sights on British Airways, the largest airline in the UK.
Our first step in linking Magecart to the attack on British Airways was simply going through our Magecart detection hits. Seeing instances of Magecart is so common for us that we get at least hourly alerts for websites getting compromised with their skimmer code. Customer notifications through our products are automated, but our research team manually searches for any instances outside of these workspaces and adds them to our global blacklists. In the case of the British Airways breach, we had no hits in our blacklist incidents or suspects because the Magecart actors customized their skimmer for this target.
Fig-1 Modified script
Fig-2 The suspicious script tag added by Magecart
We found more evidence in the server headers sent by the British Airways server. The servers send a ‘Last-Modified’ header, which indicates the last time a piece of static content was modified. The clean version of the Modernizr script had a timestamp from December 2012:
Fig-3 Clean version of the compromised script
We can see on the modified, malicious version of Modernizr the timestamp matches closely to the timestamp given by British Airways as the beginning of people getting victimized:
Fig-4 Timestamp of when the skimming began
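The Last-Modified evidence above suggests a simple defensive control: keep a baseline (content hash, Last-Modified date, expected size) for each static script your payment pages load and alert when a fetched copy deviates. The following is an added illustration of that check, not RiskIQ's tooling or anything from the British Airways site; the baseline values, the sample script body and the response headers are constructed for the demo.

```python
"""Baseline-and-diff check for static scripts served on payment pages.
Added example; all values below are constructed stand-ins."""
import hashlib
import urllib.request
from email.utils import parsedate_to_datetime

# Constructed known-good body standing in for a reviewed copy of the script.
GOOD_BODY = b"/* Modernizr 2.6.2 (constructed stand-in) */\nwindow.Modernizr={};\n"


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


# Constructed baseline: hash, server Last-Modified date and a size ceiling
# recorded when the asset was last reviewed (December 2012 in the post).
BASELINE = {
    "/js/modernizr.js": {
        "sha256": sha256_hex(GOOD_BODY),
        "last_modified": "Fri, 14 Dec 2012 10:00:00 GMT",
        "max_bytes": len(GOOD_BODY) + 64,
    }
}


def check_asset(path: str, headers: dict, body: bytes, baseline=BASELINE) -> list:
    """Compare one fetched asset against its baseline; an empty list means unchanged."""
    ref = baseline[path]
    findings = []
    if sha256_hex(body) != ref["sha256"]:
        findings.append("content hash differs from baseline")
    lm = headers.get("Last-Modified")
    if lm is None:
        findings.append("Last-Modified header missing")
    else:
        seen = parsedate_to_datetime(lm)
        known = parsedate_to_datetime(ref["last_modified"])
        if seen > known:
            findings.append(f"Last-Modified moved forward to {seen.isoformat()}")
    if len(body) > ref["max_bytes"]:
        findings.append("asset grew beyond expected size")
    return findings


def fetch_and_check(url: str, path: str) -> list:
    """Live variant: fetch the asset with urllib and run the same check."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return check_asset(path, dict(resp.headers), resp.read())
```

A few appended lines are enough to trip both the hash and the Last-Modified comparison, which is the shape of change seen on the Modernizr script here.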
Fig-5 Only 22 lines of script victimized 380,000 people
In essence, the script is very simple and very effective. Here is a breakdown of what it does:
On websites, mouseup and touchend are events fired when someone releases the mouse after clicking a button or when someone on a touchscreen (mobile) device lifts their finger from the screen after pressing a button. This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker’s server.
This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer, which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.
The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection. We saw proof of this in the domain name baways.com as well as the drop server path. The domain was hosted on 22.214.171.124, which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free Let’s Encrypt certificate, likely to make it appear like a legitimate server:
Fig-6 Cert leveraged by the attackers
What is interesting to note from the certificate the Magecart actors used is that it was issued on August 15th, which indicates they likely had access to the British Airways site before the reported start date of the attack on August 21st—possibly long before. Without visibility into its Internet-facing web assets, British Airways were not able to detect this compromise before it was too late.
In the security advisory from British Airways, the company made note that both the web app and the mobile app users were affected. We found the skimmer on the webpage for British Airways, but how does that translate to mobile? To figure this out we’ll look at the British Airways Android application:
Fig-7 British Airways mobile application
Often, when developers build a mobile app, they make an empty shell and load content from elsewhere. In the case of British Airways, a portion of the app is native but the majority of its functionality loads from web pages from the official British Airways website.
The mobile app uses a set of different hosts to communicate back to the British Airways servers:
The idea is that for quick data updates on its UI the app uses the API endpoints, but for searching, booking, and managing flights the app loads a mobile version of the main website. One of these called-up paths is:
This page is loaded when the customer requests information about fees for different countries and airports. It looks like this:
Fig-8 Magecart-compromised mobile web page
Fig-9 Source of the mobile web page
One thing to note is that the Magecart actor(s) put the touchend callback in the skimmer to make it work for mobile visitors as well, which again shows us the high level of planning and attention to detail displayed in this simple yet extremely effective attack.
As we’ve seen in this attack, Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible. While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder of the vulnerability of web-facing assets.
RiskIQ has been warning the market about Magecart attacks like this since 2015 and will continue to follow and report on the group as it evolves. While the Magecart attack against British Airways wasn’t a compromise of a third-party supplier like the attack on Ticketmaster, it does raise the question of payment form security. Companies, especially those that collect sensitive financial data, must realize that they should consider the security of their forms—but also the controls that influence what happens to payment information once a customer submits it.
We suggest British Airways customers get a new card from their bank. Some banks have already been proactively issuing new cards to their customers; Monzo is one example:
Fig-10 How some banks are responding
Magecart is an active threat that operates at a scale and breadth that rivals—or possibly surpasses—the recent compromises of point-of-sale systems of retail giants such as Home Depot and Target. The Magecart actors have been active since 2015 and have never retreated from their chosen criminal activity. Instead, they have continually refined their tactics and targets to maximize the return on their efforts.
Over time, they’ve optimized their tactics culminating in successful breaches of third-party providers such as Inbenta resulting in the theft of Ticketmaster customer data. We’re now seeing them target specific brands, crafting their attacks to match the functionality of specific sites, which we saw in the breach of British Airways. There will be more Magecart attacks, and RiskIQ will be tracking them and keeping the cybersecurity industry aware of our research.
For a deep dive on Magecart, from the group’s inception to its hack of Ticketmaster to its latest hack of British Airways, be sure to register for the webinar hosted by RiskIQ Head Researcher and report author Yonathan Klijnsma.