The researchers at RiskIQ have stated that the British Airways data breach was conducted by the crime gang MageCart. The group has been active since 2015 and has compromised many e-commerce websites to steal payment card and other sensitive data. The group usually inserts a skimmer script into the target websites to extract payment card data; once the attackers have succeeded in compromising a website, the script automatically adds an embedded piece of JavaScript code dubbed MagentoCore.
What Does The Malicious Script Do?
The script records the keystrokes of the users and transfers them to the attacker’s server. These hackers mostly try to compromise third-party features, which allows them to reach a large number of websites at once.
RiskIQ reported that MageCart carried out the attack on British Airways using a customized script that runs under the radar, and that the group also used dedicated infrastructure to perform the attack on the airline company.
“The infrastructure used in this attack was set up only with British Airways in mind and deliberately targeted scripts that would blend in with normal payment processing to avoid detection. We saw evidence of this on the domain name baways.com as well as the drop server path.”
When And Where Did The Experts Find The Malicious Script?
After the experts had analyzed all the scripts loaded on the website, they noticed changes in the Modernizr JavaScript library: the attackers had added some lines of code at the bottom of the library so as not to break the script itself. The JavaScript library was modified on Aug 21st at 20:49 GMT.
The malicious script was loaded from the baggage claim information page on the British Airways website. The code attached by the threat actors sends the payment information to the attacker’s server when the customer enters their payment credentials on the British Airways webpage.
The information stolen from British Airways was sent in the form of JSON to a server running on baways.com, a domain name that resembles the legitimate one used by the airline. At the time of writing, it is still unclear how MageCart managed to inject the malicious code into the British Airways website.
Take your time to comment on this article.