Security News

BA website hijacked by Magecart. Again.

Avast Security News Team, 26 October 2018

185,000 transaction details including names, addresses and card CVV numbers stolen.

Magecart is certainly on a roll as it has managed to rack up quite a kill rate of late. In its latest act, the group has stolen sensitive information of nearly 185,000 booking transactions from British Airways. This is the group’s second attack against the airline.

The hack was discovered by BA while investigating an earlier incident involving the theft of data belonging to 380,000 customers - the biggest of its kind in UK’s history. Investigators were confident that Magecart was behind both of them as the same “skimming script” used by the actor in other attacks, including the infamous Ticketmaster heist, was discovered on Britishairways.com, too.

IAG, the parent company of BA revealed details of stolen information in a stock exchange announcement. Affected data included 77,000 transactions including addresses, email IDs and payment details, and an additional 108,000 credit/debit card CVV (Card Verification Value) codes. No travel or passport details were compromised.

Multiple reasons cited

BA is already battling a bad reputation for cost-cutting and some in the industry have cited it as the most probable reason for the hacks being so successful. Just a few weeks prior to the first attack, BA was in the process of outsourcing its cybersecurity function to IBM. Security experts believe the move was either motivated by the unavailability of experienced staff, or because the airlines wanted to dial down on costs.

Other reasons given include not testing updates before publishing them, and not patching the servers on a regular basis. Whatever their motive may have been, BA was clearly struggling with keeping its digital assets safe, else they wouldn’t have needed third-party intervention.

Hackers used highly customized code

While most of Magecart’s previous attempts used the same stock code, their BA maneuver utilized a highly targeted one. This is part of the reason why the attacks went unnoticed for so long.

“Even though from the outside it may seem unexplainable that the attack went unnoticed for a long time, we have to take into account that we are talking about just a few lines of code inserted in a massive website,” explains Luis Corrons, Avast security evangelist. “This seems to be a well-crafted, targeted attack. The URL it was connecting to looked like it was related to BA, making it harder to detect either scanning the code or checking the network traffic.

It is also likely that attackers got access to plant the malicious script after a spear phishing attack targeting some of the people working on that specific area.

Security experts found a piece of code in BA’s baggage claim page where customers are required to enter their name, address, email and financial information. The malicious code then sends this information to “baways.com.” At first glance, the URL seems like it belongs to British Airways. However, upon closer inspection, IT sleuths discovered the URL was hosted in Romania and came online on August 15th, just a week prior to the first attack. The code works on both the regular and mobile versions of the website.

Even so, how Magecart managed to inject the code into BA’s website is still a mystery. The actor would’ve needed access to BA’s servers before it could plant the code. Researchers have warned that attacks against major companies are in all probability likely to escalate.

Bad actors such as Magecart are finding ever more ingenious ways to outsmart security features and it’s up to companies to ensure the information they are collecting remains safe at all levels. Banks can also deactivate compromised cards or banking details as early as possible. Monzo for instance, immediately issued new cards to affected customers following the first BA attack. A deeper investigation is currently ongoing.