UPDATED: BAways.com hosting company not contacted by police regarding BA hack investigation

News by Tom Reeve

UPDATE: The National Cyber Security Centre (NCSC) was responsible for initiating the takedown of baways.com, the website which formed a critical part of the infrastructure in the attack on the British Airways web payment page.

In a statement to SC Magazine UK this morning, the company which hosted the site, Time4VPS, clarified that the first abuse report they received was from a member of staff at the NCSC mitigation centre who asked the company to "block access to it".

Valentinas Cirba, project manager at Time4VPS, said the company took immediate steps to comply with the request.

The criminal investigation of the British Airways payment page attack is being led by the National Crime Agency (NCA). Cirba confirmed that neither British Airways nor the NCA had contacted Time4VPS to request the preservation of data on the server.

Cirba told SC Magazine UK that after blocking the site, they informed the owners but have not had a response. Standard procedure, he said, was to delete the site and all its data after one week if no response was forthcoming from the owners.

In this case, he said the company was likely to extend the deadline by a couple of weeks to allow the British police to contact Lithuanian authorities and request the data, but if no request was made, the data would be deleted.

This is a developing story – we will add more detail as we get it.

==

British police have not contacted the hosting provider which provided part of the infrastructure used in the attack on the British Airways payment page, the hosting company told SC Magazine UK.

The hosting company, Time4VPS based in Lithuania, told SC Magazine UK that neither the British police nor British Airways had contacted them regarding baways.com, a domain that appears to have formed part of the infrastructure for the attack on the BA payment page.

BAways.com is the domain referenced in the 22 lines of script that were appended to the British Airways payment page, and which are at the centre of speculation regarding the exfiltration of data from the site between 21 August and 5 September.

The script was identified by RiskIQ, a security company that says it archives two billion pages per day including HTML, CSS and JavaScript. It believes a threat group called Magecart is behind the attack.

RiskIQ found the reference to BAways.com on line 16 of 22 lines of code that enabled the attackers to steal credit card data as it was entered into the payment page.

Image: code identified by RiskIQ as used to exfiltrate data from the British Airways website (credit: RiskIQ)
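The attack described above depended on an appended script that referenced a host outside British Airways' own infrastructure. The following added example (not code from RiskIQ or from this article) shows the kind of script-inventory check a site owner can run over a payment page: it lists every host that scripts load from or reference and flags any that are not on an assumed allowlist, labelling hosts whose registrable name starts with a brand token as possible look-alikes. The sample page, the allowlist and the brand tokens are all constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist of hosts the payment page may legitimately load from or reference.
ALLOWED_HOSTS = {"www.britishairways.com", "britishairways.com"}
# Assumed brand tokens; a non-allowlisted host whose registrable label starts
# with one of these is reported as a look-alike rather than merely unlisted.
BRAND_TOKENS = ("britishairways", "ba")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

# Constructed sample page: one first-party script, one unlisted third-party script,
# and an appended inline block that references a look-alike host.
SAMPLE_PAGE = """<html><body>
<script src="https://www.britishairways.com/static/payment.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
<form id="payForm"><input name="card"></form>
<script>var endpoint = "https://baways.com/gateway"; // placeholder path</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects external script URLs and the text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def classify(host, allowed):
    """Return None for allowed hosts, else 'lookalike' or 'unlisted'."""
    if host in allowed:
        return None
    label = host.split(".")[-2] if "." in host else host
    return "lookalike" if label.startswith(BRAND_TOKENS) else "unlisted"


def audit_page(html, allowed=ALLOWED_HOSTS):
    """Return (kind, host, where) for every non-allowlisted host a script uses."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.srcs:
        host = urlparse(src).hostname  # relative paths have no host and are skipped
        if host and classify(host, allowed):
            findings.append((classify(host, allowed), host, "script src"))
    for block in p.inline:
        for host in HOST_RE.findall(block):
            if classify(host.lower(), allowed):
                findings.append((classify(host.lower(), allowed), host.lower(), "inline script"))
    return findings
```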

The attack on the payment page, which resulted in the theft of around 380,000 credit card records including card number, expiration date and the crucial CVV number, was revealed last week by British Airways.

The attack on the British Airways payment page is the subject of an ongoing investigation led by the National Crime Agency (NCA).

Despite the attack and the involvement of BAways.com in the exfiltration of the data coming to light last week, the domain was still live yesterday afternoon. Time4VPS claims to be the largest web hosting provider in Lithuania, with more than 100,000 customers across Europe.

The site was still operating as late as 5pm on 11 September, according to a tweet from Marcus Greenwood, CEO of Ubio.

Greenwood contacted Time4VPS via Twitter which replied to say it had not received any notification via its abuse contact email.

Greenwood told SC Magazine UK that the site was taken down by Time4VPS shortly after their exchange of tweets.

Valentinas Cirba, project manager at Time4VPS, told SC Magazine UK this morning that his company was prepared to cooperate in an investigation, but said: "At the moment we haven’t been contacted by British police or British Airways."

He declined to answer further questions about the BAways.com hosting account, citing "client information confidentiality".

According to Prof Alan Woodward, visiting professor in the computer science department at the University of Surrey, investigating BAways.com would be an "obvious line of inquiry".

The server may contain a wealth of clues including copies of the exfiltrated data and the onward destination of the stolen data.

In addition to registering a domain which could pass as a legitimate British Airways domain, the attackers also purchased an SSL certificate for the site. Issued by Comodo, based in Salford, Greater Manchester, the certificate is for baways.com, which resolves to 89.47.162.248, an address owned by Uab Interneto Vizija, the parent company of Time4VPS.

It is valid from 15 August 2018, six days before the start of the window in which British Airways says the payment page attack was active.

Woodward told SC Magazine UK: "An obvious line of inquiry is to follow the link with the hoster and certificate authority connected to the domain that appears to be part of the attack infrastructure."

He added: "How, who and when the infrastructure was paid for is the classic technique of follow the money which, even in the cyber world, is remarkably successful."

Baways.com was registered via Namecheap Inc on 16 August 2018. Its ownership details are protected by WhoisGuard, which gives a Panama post office box as its contact address.
