Monitoring file output for malicious code 'could have stopped BA attack more quickly'

News by Jay Jay

Security experts have pointed out that British Airways' failure to monitor the output from its servers allowed hackers to maintain malicious code on its payment pages for two weeks.

Over half a million customer credit card details were leaked in two attacks on (Pic: GettyImages)

In September, British Airways announced that unnamed hackers gained unauthorised access to personal and financial details of up to 380,000 passengers who booked tickets and made changes to their reservations on its website and mobile application between 21 August and 5 September.

BA updated this number in October when it announced that there had been a previously undetected hack which had resulted in the loss of 185,000 customer records, raising the total number of credit card records lost to 565,000.

Digital risk management firm RiskIQ has previously revealed that the cyber-attack on British Airways' website and mobile application was carried out by a hacker group known as Magecart. The group injected twenty-two lines of script into British Airways' payment page, intercepted customer credit details including the CVV code and transferred the data to a server hosted on

"This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airways' payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer," the firm noted.

In a new report, RiskIQ has revealed that it can state with absolute certainty that Magecart was indeed behind the cyber-attack on British Airways' website and mobile application.

"Today's e-commerce landscape is a fertile ground for Magecart attacks, especially amongst the vast number of small and mid-sized online stores. To combat the Magecart threat, e-commerce companies should practice general good security practices, but also perform additional integrity checking such as monitoring servers for any file modifications," RiskIQ added.

Commenting on the repeated success of Magecart hackers in compromising the servers of top-tier organisations and scraping the financial information of thousands of people, Javvad Malik, security advocate at AlienVault, told SC Magazine UK that since most cyber-attacks are asymmetric, most businesses are unable to defend against such threats because security is not embedded into code development, testing, deployment or architecture.

"Underpinning this would be good monitoring and threat detection capabilities so that threats can be detected in a timely manner – be they outside attacks, user error or unscheduled changes. If a website that processes payments has a code change, monitoring controls should flag that a change has been made, and security teams or system owners should validate the change for appropriateness," he added.

According to Luke Jennings, chief research officer of Countercept at MWR Infosecurity, protecting against many of the attacks conducted by the Magecart group must involve standard good security practices around developing secure code, protecting content management systems and performing regular security testing exercises to help to ensure a website cannot be compromised in the first place.

"If a breach does occur, there is still room to detect and respond to it quickly. In this instance, malicious JavaScript was added to the website. Conducting file integrity monitoring to detect and audit changes to key web application source code, such as JavaScript files, could be used to detect breaches of this type. In the case of British Airways, the specific JavaScript file that was modified had not been changed since 2012, until 21st August 2018 when it was compromised.

"This gets more difficult when third-party resources are linked to directly, as a compromise of the third party will propagate to all websites that link to them immediately and this has occurred in many other Magecart attacks. In this case, that is one argument for copying third party components locally and only updating when necessary. However, when this is not possible or desirable then modern security features – such as Subresource Integrity (SRI) – can be used to provide an additional layer of security where applicable," he adds.
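An added example (not code from the article, RiskIQ or MWR) of the two controls Jennings describes: a file-integrity baseline of the JavaScript under a web root that flags modified, added or removed files, and the SRI digest to place in a script tag's integrity attribute. The web root, file names and file contents are constructed for the demonstration.

```python
import base64
import hashlib
import os
import tempfile

# Constructed example, not BA's, RiskIQ's or MWR's code: a minimal
# file-integrity baseline for a web root, plus an SRI digest for a script tag.

def sha256_file(path):
    """Hex SHA-256 of a file's contents."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def baseline(webroot, exts=(".js",)):
    """Map of relative path -> SHA-256 for every file with a watched extension."""
    manifest = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if name.endswith(exts):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, webroot).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
    return manifest

def diff(expected, current):
    """Return (modified, added, removed) paths; any non-empty list is an alert."""
    old, new = set(expected), set(current)
    modified = sorted(p for p in old & new if expected[p] != current[p])
    return modified, sorted(new - old), sorted(old - new)

def sri_hash(data, algo="sha384"):
    """Subresource Integrity value ('sha384-<base64>') for a script's integrity attribute."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def demo():
    """Constructed scenario: a baselined script is later edited; the diff flags it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "js"))
    script = os.path.join(root, "js", "payment.js")  # hypothetical file name
    with open(script, "w") as f:
        f.write("window.pay = {};\n")
    known_good = baseline(root)          # taken at deploy time, stored out of band
    with open(script, "a") as f:         # later: an unauthorised edit appends code
        f.write("// appended by someone else\n")
    return diff(known_good, baseline(root))
```

In production the known-good manifest is written at deployment and kept off the web server, and a non-empty result from diff is what the monitoring control should raise to the security team for validation.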

RiskIQ said that its research shows that Magecart isn't an isolated group but is, in fact, an umbrella organisation composed of at least seven cyber-crime groups that regularly use skimmers to scrape credit card data from online servers "with frightening success".

"The original Magecart skimmer was comprised of JavaScript embedded into e-commerce pages. Whenever card data was entered into a form, the skimmer copied the form and sent the stolen card data to a drop server. In this skimmer version, the drop server was the same as the one serving the skimmer. Though it has evolved over the years, tailored by other groups to better fit their needs, the basic elements of the skimmer are still in use," the firm noted.

Prior to the hack of British Airways' online server, Magecart was also behind the hack of the TicketMasterUK website as well as the breach of a large tranche of credit card data from Newegg's server. According to RiskIQ, Group 6 – one of Magecart's various cyber-crime groups – was behind the large-scale cyber-attacks on top-tier targets such as British Airways and Newegg.

The firm added that Group 6 makes its profit by selling skimmed payment data on a dump and credit card shop that serves as a repository of compromised payment information from both compromised brick-and-mortar point-of-sale merchants and breached e-commerce payment details. Credit card data scraped by Group 6 from British Airways' server was found dumped on the credit card shop a little over a week after such data was accessed.

Personal and financial information accessed by Magecart hackers from popular e-commerce and other online stores is not only monetised but is also used to proliferate scams, carry out spam email campaigns and mine cryptocurrency. A large amount of stolen credit card data is now being dumped by hackers on MagBo, an emerging Dark Web marketplace that enjoys a strong reputation among cyber-criminal groups because of the varying levels of access it provides.
