Researchers implicate online card-skimming group in British Airways hack

A British Airways 747 at London Heathrow. (Daniel Mennerich / Flickr)



The recent hack of the British Airways website and mobile app, which affected some 380,000 card payments, was carried out by a criminal group known for collecting online payment data en masse, according to new research.

After the airline said last week that the theft occurred between Aug. 21 and Sept. 5, threat intelligence company RiskIQ reviewed breach-related data and pinned the hack on Magecart. The group is fond of online “card skimming,” the use of malicious scripts to siphon off insecure payment data. Magecart allegedly breached the British website of Ticketmaster, the global entertainment ticketing service, a hack disclosed in June.

Whereas the Ticketmaster UK breach came through a third party, Magecart customized this attack to the British Airways website’s “unique structure and functionality,” according to RiskIQ.

The British Airways hack “is a highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer,” said Yonathan Klijnsma, RiskIQ’s head researcher. “This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular.”

The British Airways breach is an example of how Magecart is targeting “specific brands, crafting their attacks to match the functionality of specific sites,” Klijnsma wrote in an analysis of the hack.

Magecart members may have breached the airline’s website days before the skimming started. A certificate used by the attackers’ server was issued Aug. 15, according to RiskIQ – nearly a week before the attack reportedly began. “Without visibility into its internet-facing web assets, British Airways were not able to detect this compromise before it was too late,” Klijnsma wrote.

Asked for comment on RiskIQ’s findings, a British Airways spokesperson said, “As this is a criminal investigation, we are unable to comment on speculation.”

On its website, the airline noted that the data stolen in the breach did not include passport or travel details. British Airways also warned customers to be on the lookout for phishing from scammers posing as airline representatives.

Magecart is highly active, according to RiskIQ. “Seeing instances of Magecart is so common for us that we get at least hourly alerts for websites getting compromised with their skimmer-code,” Klijnsma wrote.

UPDATE, 1:58 pm EDT: This story has been updated with a statement from a British Airways spokesperson.
