Payment-skimming malware was planted in the airline’s website, and all signs point to Magecart.
Continuing the seemingly unending parade of data breaches marching through the headlines over the past year, including the Reddit breach, the Atlas Quantum breach, the Huazhu hotel chain breach, and the Air Canada breach — and those were all just in August — a targeted attack on British Airways made off with the full payment info of 380,000 transactions.
Security researchers found a 22-line malicious script on the British Airways website and mobile app which, until it was discovered, had been siphoning the names, email addresses and full card details from every transaction. The script had been slipped into the site's own code and sent the captured data to a server controlled by the attackers. That server carried a valid TLS certificate, so browsers raised no warning; a certificate only shows that whoever set up the server controls its domain name, not that the site is safe.
“Being able to hack into a big company website and get access to all payment details of all the transactions taking place is not the work of amateurs. This is a targeted attack, and even though there is an open investigation and all details are not public (or even known) yet, the cybercriminals behind it probably did preparatory work in the form of spear-phishing to steal credentials and gain the access needed to inject a script on BA’s website,” said Luis Corrons, Security Evangelist at Avast.
This sophisticated attack echoes the Ticketmaster UK breach earlier this year, so closely that experts believe the same culprit, the cyberthreat group Magecart, is behind both. The payment-skimming malware in the two cases is near identical. Enormous enterprises like Ticketmaster UK and British Airways run sites assembled from code supplied by many parties, and that crowd of players raises the chances that a well-camouflaged injection slips by unnoticed.
In its statement to customers who made transactions between August 21 and September 5, British Airways said, “we recommend you contact your bank or credit card providers and follow their advice,” adding, “We understand that this incident will cause concern and inconvenience. We are contacting all affected customers to say sorry, and we will continue to update them in the coming days.”
In cases like these, we always recommend that you do the following:
Change your account password as soon as possible.
Inform your card issuer that your card has been compromised as part of a data breach. Your issuer will be happy to cancel the card and issue a new one immediately.
Check out this essential guide for more details on what you should do if you are involved in a data breach.