Code used to hack BA passenger data discovered

A cyber security firm has found the script used to steal the airline's customer data

JavaScript

It took just 22 lines of JavaScript to steal the data of hundreds of thousands of British Airways (BA) passengers, according to the cyber security firm that says it has found the code.

Last week, the airline revealed it had been the subject of a data breach thought to have affected around 380,000 customers over a two-week period back between late August and early September. The stolen information included personal and payment information taken from BA's website and mobile app.

Looking into the breach, cyber security firm RiskIQ has claimed that a fraudulent group called Magecart could be behind it, citing its involvement with the recent breach to Ticketmaster as an example of its modus operandi.

"Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites," said RiskIQ threat researcher Yonathan Klijnsma. 

Advertisement
Advertisement - Article continues below

"Recently, Magecart operatives placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality resulting in a high-profile breach of Ticketmaster customer data. Based on recent evidence, Magecart has now set their sights on British Airways, the largest airline in the UK."

A technique called skimming was used in both breaches. Skimmers are traditionally used by criminals on credit cards in the form of devices hidden within credit card readers on ATMs, fuel pumps, and other machines people use for day-to-day purchases that steal payment data for a criminal to either use or sell to a third party.

However, for the BA breach, Magecart customised a skimmer and embedded it into the airline's website which runs on JavaScript. RiskIQ posted a picture of a cleaned up version of the script that it said as very simple but effective'.

According to RiskIQ, mouseup' and touchend', are events for when someone lets go of the mouse after clicking on a button or when someone using a touchscreen device lets go of the screen after pushing a button. This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form can be extracted and sent to the attacker's server.

This particular type of skimmer is very much attuned to how BA's payment page is set up, according to RiskIQ, which suggests the hackers had carefully considered how to target the airline instead of blindly injecting a regular Magecart skimmer.

Image: RiskIQ 

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Recommended

Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/operating-systems/microsoft-windows/354297/this-exploit-could-give-users-free-windows-7-updates
Microsoft Windows

This exploit could give users free Windows 7 updates beyond 2020

9 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019