Security experts at RiskIQ reported that the hackers behind the recent British Airways data breach is the MageCart crime gang.
MageCart has been active since at least 2015 and managed to compromise lots of e-commerce websites to steal payment card and other sensitive data.
The malicious script is called MagentoCore and it records keystrokes from customers and sends them to a server controlled by the hackers.
Usually, the attackers try to compromise third-party features which could let them access a large number of websites.
The experts at RiskIQ claim that the MageCart group carried out a targeted attack against the British Airways using a customized version of the script to remain undercover.
For this specific attack, the criminals used a dedicated infrastructure against the airline.
“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.” the RiskIQ analysis states.
“The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection. We saw proof of this on the domain name baways.com as well as the drop server path.”
The malicious script was loaded from the baggage claim information page on the British Airways website. The code which was added by the criminals let Modernizr send payment information from the customer straight to the hackers’ server.
The script allowed the attacker to steal users’ data from both the website and the mobile application.
The data stolen from the British Airways was sent in the form of JSON to a server hosted on baways.com resembling the legitimate domain used by the airline.
The hackers purchased an SSL certificate from Comodo to avoid raising suspicion.
“The domain was hosted on 220.127.116.11 which is located in Romania and is, in fact, part of a VPS provider named Time4VPS based in Lithuania. The actors also loaded the server with an SSL certificate. Interestingly, they decided to go with a paid certificate from Comodo instead of a free LetsEncrypt certificate, likely to make it appear like a legitimate server.” the RiskIQ team says.
Currently, it is still not clear how the MageCart gang has managed to inject the malicious code in the British Airways website.