A cyber-security company says it has found a malicious script injected into the British Airways website, which could be the source of the recent data breach that affected 380,000 transactions.
A RiskIQ researcher analyzed the code of BA’s website and applications from around the time the breach started, at the end of August.
He claims to have discovered evidence of a “cream-skimming” script designed to steal financial data from online payment forms.
The BBC has contacted BA for comment.
A very similar attack, nicknamed Magecart, recently affected the Ticketmaster site, which RiskIQ said it has also analyzed in depth.
The company said that the code found on the BA site is very similar, but that it seems to have been modified to suit the way the airline’s website has been designed.
“This skimmer is very attentive to the way in which British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” the researcher wrote in a report on the findings.
“The infrastructure used in this attack has been put in place with British Airways in mind and deliberately targeted scripts that would blend in with the normal processing of payments to avoid detection.”
Hacks like this make use of an increasingly common phenomenon, in which large websites embed multiple pieces of code from other sources or third-party suppliers.
Such code may be needed to do specific jobs, such as authorizing a payment or presenting ads to the user. But malicious code can be slipped into its place – what is known as a supply chain attack.
Data capture
RiskIQ said the malicious script consisted of only 22 lines of code. It worked by capturing the data from BA’s online payment form and sending it to the hackers’ server after a customer hit the “submit” button.
The cyber-security company added that the attackers had apparently been able to collect data from users of the application as well, because the same script was found loaded into the application on a page describing government taxes and operator charges.
“The page [the application] is built with the same components… like the real website, meaning the design and functionality-wise, it’s a game,” the RiskIQ report noted.
RiskIQ recommended that BA customers affected by the breach get a new debit or credit card from their bank.
The company emphasized that whoever was behind the attack had apparently decided to target brands, and that other breaches of the same nature were likely.
“It is very clear on the emerging risks, where the weakest link in the payment process is being actively targeted, and that the weakest link in the chain is often older systems or third-party code placed in the payment chain,” the cyber-security expert Kevin Beaumont told the BBC.
More to follow