BA hackers Magecart used scripts specifically designed to target the company

News by Tony Morbin

Threat group Magecart, known as a web-based card skimmer, has been identified byRisk IQ as the British Airways hacker, using digital skimming code injected into payment forms to steal confidential data.

Threat group Magecart, known as a web-based card skimmer, has been identified in a research blog by Yonathan Klijnsma of Risk IQ as the British Airways hackers.

When BA reported on 6 September that payments through its main website and mobile App had been affected by a breach impacting 380,000 customers, there was no mention of databases or servers— ie anything indicating the breach affected more than the payment information entered into the website. In his blog, Klijnsma of Risk IQ says: "Because these reports only cover customer data stolen directly from payment forms, we immediately suspected one group: Magecart. The exact same type of attack happened recently when Ticketmaster UK reported a breach, after which RiskIQ found the entire trail of the incident."

Expanding the timeline Risk IQ says it discovered more affected websites beyond those was publicly reported.

RiskIQ has reported on the use of web-based card skimmers operated by the threat group Magecart since 2016. A digital version of the devices used to skim ATMs is used to inject scripts into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites to steal data entered by consumers. Previously Magecart put one of these digital skimmers on Ticketmaster websites via compromised third-party functionality.

Crawling more than two billion pages a day, the Risk IQ team went through Magecart detection hits, but Klijnsma says it saw no hits on BA in its blacklist incidents or suspects because Magecart customised its skimmer. He says that just loading the main British Airways website spins up around 20 different avaScrip scripts and loading the booking subpage makes it 30, many of which have thousands of lines of script. Eventually, they recorded a change in one of the scripts, a modified version of the Modernizr JavaScript library, version 2.6.2. The script was loaded from the baggage claim information page on the British AIrways website. The noted change was at the bottom of the script, which immediately raised suspicions. More evidence was found in the server headers sent by the British Airways server. The modified, malicious version of Modernizr has a timestamp which matches closely to the timestamp given by British Airways as the beginning of people getting victimised.

What the script does

Once every element on the page finishes loading, this script will:
? Bind the mouseup and touchend events on a button known as submitButton with the following callback-code:
¦ Serialise the data in a form with id paymentForm into a dictionary
¦ Serialise an item on the page with id personPaying into the same dictionary as the paymentForm information
¦ Make a text-string out of this serialised data
¦ Send the data in the form of JSON to a server hosted on

On websites, mouseup and touchend, are events for when someone lets go of the mouse after clicking on a button or when someone on a touchscreen (mobile) device lets go of the screen after pushing a button.

Klijnsma explains: "This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker’s server. This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer."

Paid certificate used

Proof was found on the domain name as well as the drop server path. The domain was hosted on which is located in Romania and is part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server.

The certificate the Magecart actors used was issued on August 15th, which indicates they likely had access to the British Airways site before the reported start date of the attack on August 21st—possibly long before. Without visibility into its Internet-facing web assets, British Airways were not able to detect this compromise before it was too late.

How mobile was affected

Klijnsma also explains how mobiles were affected, given the skimmer was found on the British Airways, webpage: "Often, when developers build a mobile app, they make an empty shell and load content from elsewhere. In the case of British Airways, a portion of the app is native but the majority of its functionality loads from web pages from the official British Airways website. The mobile app uses a set of different hosts to communicate back to the British Airways servers:
? (The main website)
? (An API endpoint from British Airways)
? (Another API endpoint from British Airways)

"The idea is that for quick data updates on its UI the app uses the API endpoints, but for searching, booking, and managing flights the app loads a mobile version of the main website. One of these called-up paths is:

"This page is loaded when the customer requests information about fees for different countries and airports."

Looking at the source of this webpage Risk IQ found that the page is built with the same CSS and JavaScript components as the real website, meaning design and functionality-wise, it’s a total match. Hence the offending script—the one that steals name and payment information from the web app—would be found on the mobile app. So Risk IQs crawler was able to capture the subresource being loaded by the page used in the mobile app, it loads the same (at the time) compromised Modernizr JavaScript library. The attackers put in the touchend callback in the skimmer to make it work for mobile visitors as well

Magecart set up a custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible. It remains an active threat operator conducting attacks at scale and it is now targeting specific brands, crafting their attacks to match the functionality of specific sites hence, it does raise the question of payment form security for all operations taking payments online.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews