British Airways and Ticketmaster hacks are the work of the same group
According to an analysis by security company RiskIQ, the same group is behind the hacks on British Airways and Ticketmaster. It is said to be the so-called Magecart group, which is after payment data and other sensitive information.

The company explains the link between the two incidents in an analysis of the scripts on the British Airways site. Normally the company is alerted when a blacklisted Magecart script appears on a site, but in this case a modified variant was used. By investigating the changes on the site, RiskIQ found that on August 21 of this year the Modernizr JavaScript library on the British Airways baggage-claims page had been updated. The script had been extended with 22 lines of code, which made it possible to steal entered data, according to the security company.

[Image: the added lines of code after cleaning, image by RiskIQ]

These lines of code ensured that, on certain events, the content of the paymentForm and personPaying fields was forwarded to a server hosted on the domain. This domain belongs to the attackers and is part of an infrastructure that was set up specifically for British Airways. According to the security company, it was a very targeted attack, in which Magecart did not simply inject its usual skimmer script.

Skimming was not limited to the airline's site, RiskIQ further claims. The mobile app also contained a malicious page that stole data. In certain cases the app loads the mobile version of the British Airways site instead of using the available APIs. One of these pages, about taxes, also contained the modified script. The attackers reportedly went to some effort to make the method work on mobile devices.

RiskIQ suggests that the attackers must have had wide access to the British Airways infrastructure to make their modifications. In addition, they may have had access long before the attack began. British Airways announced last week that unknown parties stole the data of 380,000 customers between August 21 and September 5. This included full names, billing addresses, e-mail addresses and credit card details consisting of numbers, expiration dates and CVV codes. RiskIQ previously published an analysis of the Ticketmaster incident.
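The attack described above hinged on a first-party script (Modernizr) being modified in place without anyone noticing for two weeks. The following is an added example, not code from RiskIQ, British Airways or the article, of the defender-side check that would have surfaced that change: record a Subresource Integrity (SRI) hash of every script a page loads, keep that baseline outside the web environment, and compare the live HTML and the live script bytes against it on a schedule. The library content, paths and HTML below are constructed stand-ins, not the real Modernizr source or the airline's pages.

```python
"""Added example: baseline SRI hashing and auditing of a page's external scripts.
All file contents, paths and HTML here are constructed for the example."""
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the known-good library as deployed (not real Modernizr source).
GOOD_MODERNIZR = b"/* Modernizr 2.6.2 (constructed stub) */\nwindow.Modernizr = {};\n"

# Constructed: the same file with extra lines appended, as a tampered copy would look.
TAMPERED_MODERNIZR = GOOD_MODERNIZR + b"/* extra lines appended after deploy */\n"


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI string ('sha384-<base64 digest>') for the given script bytes."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_integrity(content: bytes, expected: str) -> bool:
    """True if content matches the SRI string; digest compare is constant-time."""
    algo, _, b64 = expected.partition("-")
    actual = hashlib.new(algo, content).digest()
    return hmac.compare_digest(actual, base64.b64decode(b64))


SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def audit_scripts(html: str, baseline: dict) -> list:
    """Compare every external <script src=...> in html with the out-of-band baseline.

    baseline maps script path -> expected SRI string recorded at deploy time.
    Returns one finding per script that is unexpected or lacks a matching integrity attribute."""
    findings = []
    for match in SCRIPT_TAG.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(match.group(1))}
        src = attrs.get("src")
        if not src:
            continue  # inline scripts need a separate check (hash the body instead)
        if src not in baseline:
            findings.append(f"{src}: not in baseline (unexpected script)")
        elif attrs.get("integrity") != baseline[src]:
            findings.append(f"{src}: integrity attribute missing or differs from baseline")
    return findings


def check_file(path: str, content: bytes, baseline: dict) -> str:
    """Classify freshly fetched script bytes: 'ok', 'MODIFIED' or 'unknown' (not in baseline)."""
    if path not in baseline:
        return "unknown"
    return "ok" if verify_integrity(content, baseline[path]) else "MODIFIED"


# Constructed baseline, as it would be recorded from a known-good deployment.
BASELINE = {
    "/js/modernizr-2.6.2.min.js": sri_hash(GOOD_MODERNIZR),
    "/js/app.js": sri_hash(b"console.log('app');\n"),
}

# Constructed page: modernizr carries a correct integrity attribute, app.js carries none.
SAMPLE_HTML = (
    f'<script src="/js/modernizr-2.6.2.min.js" integrity="{BASELINE["/js/modernizr-2.6.2.min.js"]}"></script>\n'
    '<script src="/js/app.js"></script>\n'
)

if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_HTML, BASELINE):
        print("HTML:", finding)
    print("live modernizr:", check_file("/js/modernizr-2.6.2.min.js", GOOD_MODERNIZR, BASELINE))
    print("tampered modernizr:", check_file("/js/modernizr-2.6.2.min.js", TAMPERED_MODERNIZR, BASELINE))
```

The design point is where the baseline lives. An `integrity` attribute in the HTML only helps against a script that changes on a host the page author does not control; the Modernizr file here was first-party, and RiskIQ says the attackers had wide access to the infrastructure, so whoever can rewrite the script can rewrite the attribute beside it. Comparing the live page and the live script bytes against a copy of the hashes held outside the web tier (and tying every mismatch to a known deploy) is what turns a 22-line change into an alert rather than a two-week dwell time. A Content-Security-Policy `connect-src` that lists only the domains forms may talk to is the complementary control on the exfiltration side.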
