Analysis of British Airways breach uncovers sophisticated techniques
The British Airways breach earlier this year affected around 380,000 customers and resulted in the theft of data including personal and financial details.
The threat research team at Securonix has taken an in-depth look at the breach and the Magecart threat actor behind it, to uncover how it was carried out and offer tips to mitigate and prevent future attacks.
The card skimming campaign used against BA has hit several other major victims this year, including the Ticketmaster and Newegg breaches. It works by installing malicious, customized JavaScript on the victim's website. This can be done directly, by compromising the victim's site, or indirectly, by compromising a third-party component the victim uses, so that the original, legitimate JavaScript is replaced with the malicious version.
In the case of the British Airways attack, Magecart most likely targeted the British Airways website content directly, modifying some of the JavaScript code on the main website rather than using a compromised third party. Because BA's mobile app also loads a web page built with the same CSS and JavaScript components as the main website, it was compromised too.
The analysis finds that some versions of Magecart include special tripwire code that detects the use of development tools to view the source of the scripts, and reports back the IP address, browser, and timezone as well as some additional information about the system.
The researchers say there are three key monitoring areas that are important for increasing the chances of detecting similar attacks, namely web server content/FIM (file integrity monitoring), endpoint logs, and SSL/TLS proxy logs. "The first area is important to identify the supply chain attacks and attempts of the malicious threat actor to install the malicious form grabbing JavaScript implant content on the servers, and the other two areas are needed to identify the activity of the implant working within the users' browsers."
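As an added illustration of the first monitoring area (web server content / file integrity monitoring), and not code from the Securonix report: a minimal baseline-and-diff check over a site's static assets that flags any served script whose contents drift from a known-good deployment. The directory layout, file names and monitored suffixes are assumptions, and the scenario is constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption (not from the report): static assets live under one web root and a
# baseline manifest is taken from a known-good deployment before going live.
MONITORED_SUFFIXES = {".js", ".css", ".html"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large bundles are handled cheaply."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each monitored asset (path relative to the web root) to its digest."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in MONITORED_SUFFIXES
    }


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Report assets that changed, appeared or vanished since the baseline.
    Any 'modified' or 'added' script on a payment page is an alert candidate."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: a deployed library is altered after the baseline is taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "vendor.js").write_text("/* known-good library */\n")
        (root / "js" / "app.js").write_text("console.log('app');\n")
        baseline = build_manifest(root)
        # Simulate tampering with a served script and a new file dropped beside it.
        (root / "js" / "vendor.js").write_text("/* known-good library */\n/* appended */\n")
        (root / "js" / "extra.js").write_text("// unexpected new script\n")
        return diff_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be produced in the build pipeline and the comparison run on a schedule against the live web root, with the manifest stored away from the web server so an attacker who can write to the document root cannot rewrite the baseline as well.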
You can find out more and download the full report on the Securonix blog.
Image credit: Fasttailwind / Shutterstock