Threat group Magecart, known as a web-based card skimmer, has been identified in a research blog by Yonathan Klijnsma of Risk IQ https://www.riskiq.com/blog/ as the British Airways hackers.
When BA reported on 6 September that payments through its main website and mobile App had been affected by a breach impacting 380,000 customers, there was no mention of databases or servers— ie anything indicating the breach affected more than the payment information entered into the website. In his blog, Klijnsma of Risk IQ says: "Because these reports only cover customer data stolen directly from payment forms, we immediately suspected one group: Magecart. The exact same type of attack happened recently when Ticketmaster UK reported a breach, after which RiskIQ found the entire trail of the incident."
Expanding the timeline Risk IQ says it discovered more affected websites beyond those was publicly reported.
RiskIQ has reported on the use of web-based card skimmers operated by the threat group Magecart since 2016. A digital version of the devices used to skim ATMs is used to inject scripts into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites to steal data entered by consumers. Previously Magecart put one of these digital skimmers on Ticketmaster websites via compromised third-party functionality.
What the script does
Once every element on the page finishes loading, this script will:
? Bind the mouseup and touchend events on a button known as submitButton with the following callback-code:
¦ Serialise the data in a form with id paymentForm into a dictionary
¦ Serialise an item on the page with id personPaying into the same dictionary as the paymentForm information
¦ Make a text-string out of this serialised data
¦ Send the data in the form of JSON to a server hosted on baways.com
On websites, mouseup and touchend, are events for when someone lets go of the mouse after clicking on a button or when someone on a touchscreen (mobile) device lets go of the screen after pushing a button.
Klijnsma explains: "This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker’s server. This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer."
Paid certificate used
Proof was found on the domain name baways.com as well as the drop server path. The domain was hosted on 18.104.22.168 which is located in Romania and is part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server.
The certificate the Magecart actors used was issued on August 15th, which indicates they likely had access to the British Airways site before the reported start date of the attack on August 21st—possibly long before. Without visibility into its Internet-facing web assets, British Airways were not able to detect this compromise before it was too late.
How mobile was affected
Klijnsma also explains how mobiles were affected, given the skimmer was found on the British Airways, webpage: "Often, when developers build a mobile app, they make an empty shell and load content from elsewhere. In the case of British Airways, a portion of the app is native but the majority of its functionality loads from web pages from the official British Airways website. The mobile app uses a set of different hosts to communicate back to the British Airways servers:
? www.britishairways.com (The main website)
? api4-prl.baplc.com (An API endpoint from British Airways)
? api4.baplc.com (Another API endpoint from British Airways)
"The idea is that for quick data updates on its UI the app uses the API endpoints, but for searching, booking, and managing flights the app loads a mobile version of the main website. One of these called-up paths is: www.britishairways.com/travel/ba_vsg17.jsp/seccharge/public/en_gb
"This page is loaded when the customer requests information about fees for different countries and airports."
Magecart set up a custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible. It remains an active threat operator conducting attacks at scale and it is now targeting specific brands, crafting their attacks to match the functionality of specific sites hence, it does raise the question of payment form security for all operations taking payments online.