British Airways: Suspect code that hacked accounts traced by cyber security firm

posted on 11th September 2018 by Justin Burns

US cyber-security firm RiskIQ said today its researchers have “traced the breach” of 380,000 sets of payment information belonging to customers of British Airways (BA) to Magecart – the credit-card skimming group made infamous for its July breach of Ticketmaster.

The airline revealed on Thursday that payment data had been stolen from 380,000 accounts on ba.com and in the BA app between 21 August and 5 September. It faces a fine of up to £500 million from the Information Commissioner’s Office. BA was unable to comment on RiskIQ’s claims.

San Francisco-based RiskIQ said that because BA reported the attack as web-based and aimed at credit card data, its researchers strongly suspected Magecart from the outset. The skimmer that claimed 380,000 victims ran to just 22 lines of code.

Using its global web-crawling network, which maintains a map of the internet and lets security practitioners analyse web pages and their components as they appeared at points in time, RiskIQ said it “confirmed that assumption”.

RiskIQ said: “The attack was similar to the one leveled against Ticketmaster with one key difference: instead of compromising commonly used third-party functionality to gain access to hundreds of sites at once, Magecart operatives compromised the British Airways site directly and planned their attack around the site’s unique structure and functionality.

“RiskIQ’s data shows that scripts supporting the functionality of the payment forms on the British Airways’ website were copied and modified to deliver payment information to an attacker-controlled server while maintaining their intended functionality to avoid detection.

“The attackers were also aware of the way the British Airways mobile app was constructed, leveraging the fact that it used much of the same functionality as the web-app and could, therefore, victimize users in the same way.”

RiskIQ head researcher Yonathan Klijnsma said: “This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular.”

RiskIQ said its researchers also found evidence that Magecart operatives may have breached the British Airways site several days before the skimming began: its web-crawling data shows that a certificate used on the attacker’s command-and-control server was issued on 15 August, nearly a week before the reported start of the attack on 21 August.