In only 22 lines of code, hackers took on the UK’s largest airline and stole data from up to 380,000 people.
But the hackers behind British Airways’ data breach left behind a trail of evidence showing just how the major airliner had suffered its cyberattack, said researchers from cybersecurity firm RiskIQ.
The clues showed that the attacker was likely Magecart, the same cybercriminal group behind Ticketmaster UK’s breach in June, said Yonathan Klijnsma, a head researcher with RiskIQ.
Cybercriminal gangs represent a new, more potent threat to businesses because the organized efforts don’t just steal from companies, but also the millions of customers paying for their services. While hackers can act alone, coordinated cyberattacks mean the potential to affect more people.
The FBI announced in August that it arrested three alleged members of FIN7, another cybercrime group that hacked restaurants like Chipotle, Chili’s and Arby’s and got its hands on the credit card info of more than 15 million people.
Magecart is set to be ‘bigger than any other credit card breach to date,’ security researchers said in July.
The British Airways hack is part of Magecart’s massive skimming campaign, as it almost identically follows the script from previous attacks, RiskIQ’s researchers said. Credit card skimmers are usually a physical problem, with thieves putting fake readers on ATMs to steal financial data from people swiping their cards. But Magecart has brought that threat online, compromising more than 800 e-commerce websites and stealing financial data.
And the attacks are getting smarter. While previous attacks from Magecart used the same code that researchers could find automatically, RiskIQ’s blacklist missed the British Airways attack because the hack was customized this time, Klijnsma said.
‘We’re now seeing them target specific brands, crafting their attacks to match the functionality of specific sites,’ the threat researcher said.
The group stashed some modified code in British Airways’ baggage claim webpage, where customers would fill in their names, addresses, email and financial information. Looking through data logs, RiskIQ’s researchers found a slight change on the page’s code from mid-August.
To an unsuspecting eye, ‘Baways’ might look like short-hand for British Airways, but RiskIQ found that the URL was hosted in Romania and only registered on Aug. 15 — just six days before Magecart started stealing data from the airliner.
British Airways didn’t respond to a request for comment.
RiskIQ warns that with British Airways’ customized attack, it’s likley Magecart will carry out more sophisticated attacks against major companies.
‘Magecart is extremely cunning and will continue to find ways to exploit the lack of visibility many e-commerce brands have into the code running on their websites to victimize more and more customers,’ Klijnsma said in an email. ‘We get alerts for new Magecart attacks almost hourly, so we don’t see this stopping any time soon.’