In only 22 lines of code, hackers took on the UK's largest airline and stole data from up to 380,000 people.
But the hackers behind British Airways' data breach, which took place from late August into early September, left behind a trail of evidence showing just how the major airline had suffered its cyberattack, according to researchers from cybersecurity firm RiskIQ.
The clues showed that the attacker was likely Magecart, the same cybercriminal group behind Ticketmaster UK's breach in June, said Yonathan Klijnsma, a head researcher with RiskIQ.
Cybercriminal gangs represent a new, more potent threat to businesses because the organized efforts don't just steal from companies, but also the millions of customers paying for their services. While hackers can act alone, coordinated cyberattacks mean the potential to affect more people.
Magecart is set to be "bigger than any other credit card breach to date," security researchers said in July.
Watch this: US officials charge North Korean over major hacks like WannaCry and Sony
The British Airways hack is part of Magecart's massive skimming campaign, as it almost identically follows the script from previous attacks, RiskIQ's researchers said. Credit card skimmers are usually a physical problem, with thieves putting fake readers on ATMs to steal financial data from people swiping their cards. But Magecart has brought that threat online, compromising more than 800 e-commerce websites and stealing financial data.
And the attacks are getting smarter. While previous attacks from Magecart used the same code that researchers could find automatically, RiskIQ's blacklist missed the British Airways attack because this particular hack was customized, Klijnsma said.
"We're now seeing them target specific brands, crafting their attacks to match the functionality of specific sites," the threat researcher said.
The group stashed some modified code in British Airways' baggage claim webpage, where customers would fill in their names, addresses, email and financial information. Looking through data logs, RiskIQ's researchers found a slight change on the page's code from mid-August.
To an unsuspecting eye, "Baways" might look like short-hand for British Airways, but RiskIQ found that the URL was hosted in Romania and only registered on Aug. 15 -- just six days before Magecart started stealing data from the airliner.
British Airways declined to comment because the breach is under criminal investigation.
RiskIQ warns that given the customized attack on British Airways, it's likely Magecart will carry out more sophisticated attacks against major companies.
"Magecart is extremely cunning and will continue to find ways to exploit the lack of visibility many e-commerce brands have into the code running on their websites to victimize more and more customers," Klijnsma said in an email. "We get alerts for new Magecart attacks almost hourly, so we don't see this stopping anytime soon."
Originally published Sept. 11 at 12:00 a.m. PT. Update at 5:58 a.m. PT: Added that British Airways declined to comment.
Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.
Blockchain Decoded: CNET looks at the tech powering bitcoin -- and soon, too, a myriad services that will change your life.