Horror Stories – Magecart’s Malicious Skimming Campaign

by Sarah Harvey / October 30th, 2018

In September, British Airways announced that 380,000 transactions were compromised during a breach that took place between August 21 and September 5. Fortunately, no travel or passport details were compromised, but payment information was obtained through digital skimming of the airline’s website and app. The UK’s National Crime Agency, National Cybersecurity Centre, and Information Commissioner’s Office are investigating this incident.

This breach is being linked to Magecart, a threat group that has compromised over 800 e-commerce sites worldwide. As the year goes on, we expect Magecart’s skimming campaign to be recognized as one of the most damaging of all time.

Magecart and British Airways: What Happened?

RiskIQ has linked this attack to Magecart, a threat group orchestrating massive skimming campaigns since 2015. Magecart’s pattern seems to be targeting third-party software companies that build and provide code to their customers who use it on their website or app, then Magecart hackers break in and alter the code so that it impacts every website that the code runs on. In British Airway’s case, many believe that the attack seems more tailored to specifically target British Airways.

The information compromised are names, email addresses, and credit card information. Because the attackers managed to acquire CVV numbers, yet British Airways does not store CVV numbers per the PCI DSS, security researchers believe that these details were intercepted, not taken from a British Airways’ data base.

RiskIQ searched the unique scripts of British Airway’s website and found 22 lines of code added by Magecart; it appeared to be a slightly modified version of their trademark, which is why this hack is being attributed to Magecart. This code is what enabled digital skimming; it recorded customer information, then transmitted it back to the attackers’ server once the customer submitted it. The sophistication of this attack is shown in two ways. First, the attackers had an SSL certificate for their server, which helped to create the assumption of legitimacy and security. Second, this attack was undetected for 15 days. To go that long without anyone noticing shows a mature skill level. RiskIQ also reported, “While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets.”

Lessons Learned from Digital Skimming

Discovering an undetected cybersecurity attack must have been a complete nightmare for the airline. Prevention, monitoring, and detection methods must work together to protect organizations. Time and time again, the PCI DSS requires an implemented methodology for preventing, monitoring, and detecting threats because it’s just that crucial to the protection of data.

From other Magecart victims, we’ve seen their pattern of compromising vendors. The importance of vendor compliance management cannot be overstated. In TicketMaster’s recent breach, a customer support chatbot vendor was the key Magecart needed to compromise their website. You’re putting a great deal of control and responsibility into vendor’s hands and they must take that responsibility seriously. Perform your due diligence to ensure your vendors are committed to information security and cybersecurity.