Magecart, the credit card skimming group behind the Ticketmaster breach, was also behind the British Airways breach, which was confirmed last week, say researchers.
RiskIQ’s internet-scale threat detection is “alerted to new Magecart breaches hourly, a clear indication that the group is extremely active and a very real threat to all organizations offering online payment facilities,” said a statement from RiskIQ issued this week.
Magecart uses “scripts injected into websites to steal data that’s entered into online payment forms on e-commerce sites,” explained RiskIQ back in July. At the time, Magecart was implicated in the Ticketmaster breach, in which payment details held by a third-party supplier to Ticketmaster, known as Inbenta, were stolen.
This time, RiskIQ says that the attack was similar to the one leveled against Ticketmaster but “with one key difference: instead of compromising commonly used third-party functionality to gain access to hundreds of sites at once, Magecart operatives compromised the British Airways site directly and planned their attack around the site’s unique structure and functionality.”
RiskIQ says that its analysis shows that “the functionality of the payment forms on the British Airways website was copied and modified to deliver payment information to an attacker-controlled server while maintaining their intended functionality to avoid detection.”
The attackers were also aware of the way the British Airways mobile app was constructed, leveraging the fact that it used much of the same functionality as the web-app and could, therefore, victimise users in the same way.
“This attack is a highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer,” said Yonathan Klijnsma, Head Researcher at RiskIQ. “This skimmer is attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site in particular.”
The researchers also found evidence that Magecart operatives may have breached the British Airways site several days before the skimming began. RiskIQ web-crawling data shows that a certificate used on the attacker’s command and control server was issued on August 15th, nearly a week before the reported start date of the attack on August 21st.