British Airways admitted last week that the personal data and credit card information of 380,000 customers had been stolen from its site over a period of 15 days, from August 21 to September 5.
The announcement made a lot of noise, because it is surprising that such a large airline was caught out. On closer inspection, however, this may not have been a classic attack.
What is Magecart? It is a Trojan horse that specializes in the interception of banking data, in the form of a script which, once injected into a page, searches for the credit card information entered on the compromised web pages. This type of web page compromise was already seen a few weeks ago at Ticketmaster, for example, or more recently still at Feedify (not its first compromise). In reality, Magecart activity has been tracked since 2016.
In the earlier cases, the attackers were able to inject the code by exploiting a weakness at a third-party service provider.
Ticketmaster and Feedify are two examples showing that the security of e-commerce sites is far from foolproof.
And yet the impact of such a compromise quickly proves to be huge, both financially and in terms of reputation.
Just remember that the push notification services offered by Feedify are used by many web and mobile applications, and are integrated into many online shop platforms such as BigCommerce, Magento, OpenCart, PrestaShop, Shopify and even Zen Cart, not to mention content management systems such as Drupal, Joomla and WordPress…
Back to the case of British Airways. Here, the injection was carried out directly on the company’s own servers and could go unnoticed despite the numerous monitoring systems in place, because the code was custom-written so as not to resemble any suspicious code seen before.
Undeniably, we have moved up a level in cyberattacks. In the ongoing investigation, the most recent changes to the pages seem to indicate that the attackers already had access to the system well before the attack. Everything was carefully and discreetly prepared for weeks… The attackers used a domain imitating that of BA (baways.com) and an infrastructure (the server receiving the stolen data) set up exclusively for British Airways. They also purchased an SSL certificate, all to appear as legitimate as possible without arousing suspicion… and it worked!
It remains to be seen how the attackers were able to access the files on British Airways’ web servers to modify their content and add the notorious 22 lines of code that allowed the data to be intercepted. The e-commerce part does not seem to be hosted by a third party, and access to it is rather limited and conventionally secured. If it was not a service provider, it could also have been an employee whose identity was stolen.
Indeed, according to Verizon’s annual Data Breach Investigations Report, 81 percent of hacking-related breaches involved stolen and/or weak passwords. Moreover, one employee in five shares their password by email with colleagues (Switchfast report: https://www.zdnet.com/article/one-in-five-employees-share-their-email-password-with-co-workers/).
Consequently, at the root of a highly targeted attack we often find a theft of credentials, a compromised email account or a simple spear phishing email. As impersonation techniques continue to improve, especially by email, spear phishing is becoming increasingly difficult to identify. But most importantly, it is often the harbinger of a future “web-based” cyberattack, which leads to further data theft and amplifies the impact suffered by the targeted company. In the case of British Airways, it is indeed a high-flying attack, carried out in two stages: first a discreet account theft, then an equally silent intrusion into the target site. The combination of spear phishing (https://www.vadesecure.com/fr/solutions/anti-spear-phishing/) and malicious code such as Magecart inevitably produces disastrous effects.
And to significantly limit these “web-based” attacks, it is best not to neglect one of their most widespread sources: identity theft, especially through social engineering techniques fully mastered by attackers, as in spear phishing emails (https://www.vadesecure.com/fr/solutions/anti-spear-phishing).