That British Airways breach shows hackers fine-tuning e-commerce attacks
A notorious hacking group is finding new ways to put your credit cards at risk.
British Airways suffered a data breach after hackers implanted their own code on a baggage claims page, researchers said.
In only 22 lines of code, hackers took on the UK's largest airline and stole data from up to 380,000 people.
But the hackers behind British Airways' data breach, which took place from late August into early September, left behind a trail of evidence showing just how the major airline had suffered its cyberattack, according to researchers from cybersecurity firm RiskIQ.
The clues showed that the attacker was likely Magecart, the same cybercriminal group behind Ticketmaster UK's breach in June, said Yonathan Klijnsma, a head researcher with RiskIQ.
Cybercriminal gangs represent a new, more potent threat to businesses because the organized efforts don't just steal from companies, but also the millions of customers paying for their services. While hackers can act alone, coordinated cyberattacks mean the potential to affect more people.
For instance: The FBI announced in August that it arrested three alleged members of FIN7, a cybercrime group that hacked restaurants like Chipotle, Chili's and Arby's and got its hands on the credit card info of more than 15 million people.
Magecart is set to be "bigger than any other credit card breach to date," security researchers said in July.
The British Airways hack is part of Magecart's massive skimming campaign, as it almost identically follows the script from previous attacks, RiskIQ's researchers said. Credit card skimmers are usually a physical problem, with thieves putting fake readers on ATMs to steal financial data from people swiping their cards. But Magecart has brought that threat online, compromising more than 800 e-commerce websites and stealing financial data.
And the attacks are getting smarter. While previous attacks from Magecart used the same code that researchers could find automatically, RiskIQ's blacklist missed the British Airways attack because this particular hack was customized, Klijnsma said.
"We're now seeing them target specific brands, crafting their attacks to match the functionality of specific sites," the threat researcher said.
The group stashed some modified code in British Airways' baggage claim webpage, where customers would fill in their names, addresses, email and financial information. Looking through data logs, RiskIQ's researchers found a slight change on the page's code from mid-August.
The JavaScript library pointed to a URL for "baways.com," which was a fake version of British Airways' website created by Magecart.
The baggage claim page contained a JavaScript library that sent all the data on the screen to the URL "baways.com." The hackers would obtain a copy of the data while the victim was sending that personal and financial information to the airliner, without realizing that anything was wrong.
To an unsuspecting eye, "Baways" might look like short-hand for British Airways, but RiskIQ found that the URL was hosted in Romania and only registered on Aug. 15 -- just six days before Magecart started stealing data from the airliner.
British Airways declined to comment because the breach is under criminal investigation.
It's still unclear how Magecart's hackers were able to inject its custom JavaScript into British Airways' website. The only way that Magecart would have been able to do that is through server-side access to British Airways' infrastructure, Klijnsma said.
RiskIQ warns that given the customized attack on British Airways, it's likely Magecart will carry out more sophisticated attacks against major companies.
"Magecart is extremely cunning and will continue to find ways to exploit the lack of visibility many e-commerce brands have into the code running on their websites to victimize more and more customers," Klijnsma said in an email. "We get alerts for new Magecart attacks almost hourly, so we don't see this stopping anytime soon."
Originally published Sept. 11 at 12:00 a.m. PT.
Update at 5:58 a.m. PT: Added that British Airways declined to comment.
Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.
Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad services that will change your life.