The revelation comes from cybersecurity firm RiskIQ, which claims to have found the code responsible for causing the breach. The information stolen from BA included personal and payment information from the BA website and mobile app. The problem could have been even larger, but thankfully it only affected customers who had used the site and app over a two-week period in late August.
“Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites,” said Yonathan Klijnsma, a threat researcher at RiskIQ.
“Recently, Magecart operatives placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality resulting in a high-profile breach of Ticketmaster customer data. Based on recent evidence, Magecart has now set their sights on British Airways, the largest airline in the UK.”
A technique called skimming was used in both breaches. Traditionally used by criminals for obtaining credit card details, skimmers usually take the form of devices hidden within credit card readers on ATMs, fuel pumps, and other day-to-day card payment machines. These skimmers then steal and store payment data so a criminal can use it or sell it to a third party.
According to RiskIQ, “mouseup” and “touchend” are the events fired when someone lets go of the mouse after clicking on a button, or when someone using a touchscreen device lets go of the screen after tapping a button. Basically, this means that once a user hits the button to submit their payment on BA’s compromised site, the information from the payment form is extracted and sent to the attacker’s server.
This particular type of skimmer is very much attuned to how BA’s payment page is set up, according to RiskIQ, which suggests the hackers had carefully considered how to target the airline instead of blindly injecting a regular Magecart skimmer.
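The behaviour described above (a button release followed by form data leaving for a server the site does not own) can be checked for in a recorded test checkout. The following is an added example, not code from RiskIQ or BA: it scans a session log for requests that fire shortly after a mouseup or touchend and go to a host outside an allowlist. The log format, host names and the one-second window are assumptions made for illustration.

```javascript
// Added example: all hosts, field names and log records are constructed.
const TRIGGERS = new Set(["mouseup", "touchend"]);

// Return outbound requests that fire within `windowMs` of a mouseup/touchend
// and go to a host that is not on the payment page's allowlist.
function findSuspectRequests(log, allowedHosts, windowMs = 1000) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  const suspects = [];
  let lastTrigger = null; // most recent mouseup/touchend record

  for (const rec of [...log].sort((a, b) => a.t - b.t)) {
    if (rec.type === "event" && TRIGGERS.has(rec.name)) {
      lastTrigger = rec;
      continue;
    }
    if (rec.type !== "request" || lastTrigger === null) continue;
    if (rec.t - lastTrigger.t > windowMs) continue;

    let host;
    try {
      host = new URL(rec.url).hostname.toLowerCase();
    } catch {
      host = null; // unparseable destination: report it rather than skip it
    }
    if (host === null || !allowed.has(host)) {
      suspects.push({ url: rec.url, host, trigger: lastTrigger.name,
                      target: lastTrigger.target, delayMs: rec.t - lastTrigger.t });
    }
  }
  return suspects;
}

// Constructed session log from a test checkout (times in ms).
const sampleLog = [
  { t: 100, type: "request", method: "GET", url: "https://static.shop.example/app.js" },
  { t: 5200, type: "event", name: "mouseup", target: "button#pay" },
  { t: 5210, type: "request", method: "POST", url: "https://pay.shop.example/charge" },
  { t: 5230, type: "request", method: "POST", url: "https://collector.example.net/gate" },
  { t: 9000, type: "request", method: "GET", url: "https://img.example.org/banner.png" },
];

const suspects = findSuspectRequests(sampleLog, ["pay.shop.example", "static.shop.example"]);
console.log(suspects);
```

Only the request to the unlisted host 30 ms after the button release is reported; the legitimate payment POST and the later image fetch are not.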
With Ticketmaster and BA under their belt, there’s a good chance that another big site could come under fire next.