British Airways breach caused by credit card skimming malware, researchers say

A security firm says credit card skimming malware installed by hackers on British Airways’ website a few months ago was to blame for a data breach of over 380,000 credit cards.

Payments through the airline’s website and mobile app were stolen over the three-week period, but a key clue was that travel information wasn’t affected.

Yonathan Klijnsma, a threat researcher at RiskIQ, suspected it might be the same group that was behind the Ticketmaster breach, in which hackers targeted a third-party that loaded code on Ticketmaster’s various sites. From there, it could siphon off thousands of transactions.

This time, Klijnsma said the group took an even more “highly targeted approach,” describing a wave of attacks that the “Magecart” collective has used to steal thousands of records from various sites in recent months.

“This British Airways attack was just an extension of this campaign,” he said, prior to the release of his research.

His research, out Tuesday, points to hackers injecting code directly onto the company’s website which the airline used shared on both the website and the mobile app. Using his company’s proprietary web crawling technology, he found that code hosted on the airline’s global site was compromised on August 21 — the reported date of the breach — and malicious code was injected without anyone noticing.

When a customer clicked bought plane tickets, the code would scrape the credit card information the open payment page and forward the data to a fake site run by the hackers from a private server in Romania.

Names, billing address, email address, and all bank card details were collected by the code.

“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately,” said Klijnsma. “This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”

That would explain why the financial data was collected but not the travel and passport data. It also explains why the mobile app was affected, Klijnsma said, because an analysis of the mobile app also loaded the same data-scraping script.

“There’s so many ways they could have stolen the payment or [personal] information, they went for this really simple method, but its super effective,” said Klijnsma.

But, he said, “they went from super advanced to simplifying their attacks — and their [returns are] more insane than ever.”

British Airways spokesperson Liza Ravenscroft declined to comment citing an ongoing criminal investigation.