Only 22 lines of Java scripts, hackers take 380,000 British Airways credit card customers data

According to RiskIQ report, the data breach incident of British Airways exposed the payment card details of about 380,000 customers, which seems to be a masterpiece of Magecart’s cybercrime group. After an internal investigation into the hacking incident, British Airways disclosed that their mobile applications and their websites were affected, and all paying customers affected during the period from August 21 to September 5.

The British Airways report mentioned that their other services, servers or databases were not affected, which led the security research team to conclude that payment services were the only culprit in data breaches, an area of expertise known to Magecart. It is well known that these scammers use a web-based card picker as a means of stealing credit card payment data, which is an online version of the classic card picker.

After delving into the code injected by cybercriminals on the British Airways website, RiskIQ researchers found that only 22 lines of JavaScript code were the main culprit for British Airways being attacked by the hack, resulting in the theft of 380,000 customer data. The British Airways mobile app was also affected by the changed Modernizr JavaScript library because it invoked the same scripting resources used by the site to allow customers to make payments.

The researchers said that the attack once again showed us the high level of planning and attention to detail of the hacker. This attack is simple and effective. The researchers also found that all stolen data was sent to the badways.com domain on a Romanian server with an IP address of 89.47.162.248, by Lithuania VPS (Virtual Private Server) provider Time4VPS provide.

In addition, in order to make the baways.com domain more credible, the scammer uses a paid SSL certificate issued by COMODO CA instead of purchasing a free version of LetsEncrypt. The recent British Airways data breach shows that Magecart threat actors are still a very active criminal group, and they are said to have started activities in 2015 and successfully attacked targets such as Ticketmaster and Inbenta.