British Airways Site Infected with Card Skimming Code

Security researchers believe the recent data breach announced by British Airways was the result of malicious code being injected into the company’s website to steal information from payment forms.

According to researchers from threat management firm RiskIQ, the group behind the breach is likely Magecart, a cybercriminal group that was also responsible for the breach suffered by Ticketmaster UK in June. Magecart has been operating since at least 2016 and its modus operandi consists of injecting keylogging scripts into websites through either direct compromise or through third-party suppliers.

RiskIQ has identified malicious code associated with Magecart in snapshots of BA’s public website the company had collected in its database. However, the code was not the web skimmer typically used by the group, but a customized one.

The researchers looked at the changes in around 30 scripts loaded from the BA website over time and noticed a recent change in a JavaScript library called Modernizr that was loaded from BA’s baggage claim information page.

“The noted change was at the bottom of the script, a technique we often see when attackers modify JavaScript files to not break functionality,” the researchers said in a blog post. “The small script tag at the bottom immediately raised our suspicions.”

The Last-Modified response headers sent by the website also indicated that the script had been modified Aug. 21, the date when, according to BA, the breach started.

The added code was designed to collect data entered into a form called “paymentForm” and to send it to an attacker-controlled server at baways.com. The server was hosted in Romania, but was rented from a virtual private server (VPS) provider from Lithuania called Time4VPS.
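The three signals the researchers describe above (a changed script, the change sitting at the bottom of the file, and a Last-Modified header newer than the last known-good copy) can be checked mechanically against crawl snapshots. The following is an added illustration, not RiskIQ's tooling or code from the article; the two snapshots, the header values and the allowed host list are constructed stand-ins, and the appended tail is a placeholder comment rather than real skimmer code.

```python
import hashlib
import re
from email.utils import parsedate_to_datetime

# Constructed baseline snapshot: stand-in for the legitimate library as first crawled.
BASELINE = "/* Modernizr 2.6.2 (stand-in) */\nwindow.Modernizr=(function(){return {};})();\n"
# Constructed later snapshot: identical prefix, extra code appended at the bottom.
MODIFIED = BASELINE + (
    "var f=document.getElementById('paymentForm');"
    "/* placeholder for code posting fields to https://collector.example.invalid/ */\n"
)
ALLOWED_HOSTS = {"www.britishairways.com"}          # assumed first-party hosts
LAST_MODIFIED = "Tue, 21 Aug 2018 09:30:00 GMT"     # hypothetical header from the crawl
BASELINE_DATE = "Mon, 02 Jul 2018 12:00:00 GMT"     # hypothetical date of the good snapshot

def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

def appended_tail(baseline: str, current: str):
    """Return text appended after an unchanged baseline, or None if the file
    was not changed or the change is not a pure append at the bottom."""
    if current == baseline or not current.startswith(baseline):
        return None
    return current[len(baseline):]

def suspicious_markers(tail: str, allowed_hosts: set) -> list:
    """Indicators a payment-page skimmer tail tends to show: a reference to the
    checkout form and a hostname that is not one of the site's own."""
    findings = []
    if re.search(r"""getElementById\(['"]paymentForm['"]\)""", tail):
        findings.append("references paymentForm")
    for host in re.findall(r"https?://([\w.-]+)", tail):
        if host not in allowed_hosts:
            findings.append(f"unexpected host {host}")
    return findings

def assess(baseline: str, current: str, last_modified: str, baseline_date: str) -> dict:
    """Combine the three signals: content hash change, append-at-bottom
    position, and a Last-Modified header newer than the good snapshot."""
    tail = appended_tail(baseline, current)
    return {
        "hash_changed": sha256(baseline) != sha256(current),
        "appended_at_bottom": tail is not None,
        "findings": suspicious_markers(tail, ALLOWED_HOSTS) if tail else [],
        "modified_after_baseline": parsedate_to_datetime(last_modified)
        > parsedate_to_datetime(baseline_date),
    }

if __name__ == "__main__":
    print(assess(BASELINE, MODIFIED, LAST_MODIFIED, BASELINE_DATE))
```

A real deployment would run `assess` over every script loaded by the payment and baggage pages on each crawl, alerting when all three signals line up.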

“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately,” the RiskIQ researchers said. “This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”

British Airways said that attackers managed to collect payment card details from around 380,000 transactions made through both its website and mobile app. According to RiskIQ, the reason why mobile app transactions were also affected is that BA’s mobile app loaded pages from the company’s mobile site, including the maliciously modified script.

The installation of keylogging scripts on e-commerce websites to steal payment information is not a new technique. Just recently, a researcher reported that another group managed to compromise over 7,000 Magento-based online shops in this manner, some belonging to multi-million dollar brands.

Adobe Kills Magento’s Bug Bounty Program

Adobe Systems has decided to shut down the bug bounty program for Magento, a popular open-source e-commerce platform that the company acquired in May.

The announcement was posted on Magento’s page at Bugcrowd and specifies that Sept. 15 is the last day when vulnerability submissions will be accepted. After that date, researchers will be able to report new Magento security bugs through Adobe’s consolidated vulnerability disclosure program (VDP) run through HackerOne.

The main difference between the two programs is that Adobe’s VDP does not offer monetary rewards and, some people believe, will attract fewer submissions. Magento’s bug bounty program was set up two years ago following the major Shoplift vulnerability and rewarded researchers between $100 and $10,000 per submission, depending on criticality.

“Sure, although some people will definitely still report their issues to the right people for a chance to gain karma points and improve security, even the most optimistic of us will understand there will be less white hat hackers on the lookout for ways to abuse Magento,” said Folkje Lips from Magento hosting service Hypernode in a blog post. “This will give malicious hackers more possible keys to enter, take over and ultimately rob Magento shops. As MageReport founders we can testify the bug bounty program has been vital for the security of Magento and we profoundly regret this decision.”

UPDATE, Sept. 14: Following criticism from the information security community regarding the decision to terminate the Magento bug bounty program at Bugcrowd, Adobe released an update: “We realize our announcement on September 10 about aligning the Magento bug bounty program to the Adobe vulnerability disclosure program has caused concerns. We want to make it clear that we will carry over the existing bounty payment schedule to newly reported Magento bugs to the Adobe program. We look forward to continuing our collaboration with the security research community to improve the security of the Magento platform.”

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42