Late last week, word began to circulate in security circles about a new high-profile data breach. Early reports didn’t have the name of the victimized company, but within a few hours British Airways posted a statement on its site saying payment data belonging to 380,000 customers had been stolen via an attack on its website and mobile app. The attack, while highly effective and damaging, was quite simple and appears to be the work of an attack group that’s been operating for three years now, refining its tactics and moving up the food chain to larger and larger targets.
The British Airways breach is unusual in a few respects. While 380,000 victims isn’t a small number, it pales in comparison to breaches at Target or Home Depot or Equifax, all of which affected tens of millions of people. The relatively low number of victims is a good indication that the attackers didn’t have access to any of the airline’s customer databases. Had that been the case, the victim total would’ve likely been far higher. Also, British Airways said that only payments through its main and mobile sites were affected and gave a highly specific timeframe for when the attack was active.
When threat researchers at security firm RiskIQ saw those details they had a good idea not only what had happened but who had done it. For more than three years an attack group known as Magecart has been stealing information from e-commerce sites by injecting scripts into payment forms. The group has been tied to a long list of intrusions, including the breach at Ticketmaster UK earlier this year, but has mostly stuck to smaller targets. Magecart operators typically inject a small script into a portion of a target site that’s collecting payment information, and in the case of British Airways, the attackers put the script in a spot that ensured they would get data from the mobile app as well as the main site.
“It’s pretty common. It’s the smaller shops that usually get hit, but these guys have been figuring out how to play the game so now they’re going after bigger fish,” said Yonathan Klijnsma, head of threat research at RiskIQ, a security company that crawls the web constantly, and author of a report on the BA breach. “They can compromise a third-party provider and get thousands of their clients.”
“They somehow had access to the BA servers and just modified the scripts. It’s a much smoother way to do it. It’s easy money.”
“They go for highly targeted big sites where they know people have high spending limits, like luxury fashion brands. BA is just an extension of that campaign,” Klijnsma said. “They somehow had access to the BA servers and just modified the scripts. It’s a much smoother way to do it. It’s easy money.”
RiskIQ and other security companies have been tracking Magecart for several years, watching the group’s tactics and targets evolve over time. In addition to running the online skimming business, part of the Magecart group also has a credit card dumps shop, a site that sells stolen card data. And there’s also a reshipping network associated with Magecart, a scheme that involves using mules to receive packages--usually full of expensive gear bought with stolen credit cards--and then reship them to addresses outside the United States. It’s a comprehensive business for stealing, moving, and monetizing victims’ payment data, and it’s still not clear where the group came from.
“They might have originated from point-of-sale skimming, I’m not sure. They have a dump shop and the reshipping scam. You don’t just go into that business out of nowhere. These guys have some history somewhere,” Klijnsma said. “They learned it somewhere or did something similar in the past.”
Preventing these kinds of attacks can be difficult for major sites, especially those that have a lot of third-party functionality on them. Magecart and similar groups often will target popular third-party libraries and analytics providers as a way to sweep up a large number of victims in one go. Simplifying the payment form is a good defense in this case, Klijnsma said.
“People need to reconsider how they do online payments. It needs to be more isolated,” he said. “The most secure forms are the simplest. The more external parties you put on your checkout pages, the more risk you have. If you’re including a third party for analytics, you’re expanding your risk profile.”