BA breach exemplifies ongoing Magecart supply chain attack threat

September 15th, 2023 Posted in evalian® News

It’s been five years since the Magecart supply chain attacks that resulted in the theft of payment card data from an estimated 380,000 British Airways (BA) customers.

The data breach illustrates that both cyber criminals, as well as nation-states, deploy supply chain attacks. The British Airways hack also offers lessons on how to build robust security defences. We take a closer look into what happened and what can be done to defend against these types of attacks.

How did the BA Magecart attack happen? Onboarding

Attackers compromised a BA network account issued to an employee of cargo-handling firm Swissport before planting card-skimming malware on the airline’s payments page.

  • The employee did not use MFA, nor did the airline require it.
  • The threat actors obtained credentials for an administration console that allowed them to edit the JavaScript portions of BA’s website so that data entered into the site was sent to cyber criminals.
  • More specifically, scripts related to the British Airways baggage claim form were hacked so that data was transferred to a hacker-controlled drop site (specifically Baways(dot)com).
  • Cybercriminals bought a digital certificate for the rogue domain in order to give the rogue website a false seal of legitimacy.
  • BA’s Android app was built using the same compromised code base as the airline’s website, leaving mobile users equally at risk.

The data stolen included payment card data (including Card Verification Value codes) and travel booking details as well as customer name and address information. Transactions made between August 21 and September 5, 2018, were particularly at risk.

Under the radar

The attack flew under BA’s radar and persisted for two months before BA was notified of the problem by a security researcher. BA took remedial measures and notified the UK’s data protection watchdog, the Information Commissioner’s Office (ICO).

Biggest ICO fine

ICO investigators faulted BA for multiple failings.

The regulator initially planned to slap BA with an enormous fine of £183m for violations of GDPR data protection regulations in 2019 before levying a much reduced £20m sanction, still the biggest ever fine made by the ICO. The value of the penalty was reduced after taking into account the economic impact of the Covid-19 epidemic.

An ICO investigation found the airline was “processing a significant amount of personal data without adequate security measures in place”.
“This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months,” a ruling by the ICO explains.

ICO investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.

BA was hit by another supply chain attack earlier this year. A SQL injection vulnerability in MOVEIt, a managed file transfer application, was abused to hack into the websites of BA and several other organisations that rely on the technology.

British Airways is yet to respond to queries from Evalian on what lessons it had taken from the attack.

Evolving threat

Similar web-skimming (AKA Magecart) attacks were carried out against event ticketing website Ticketmaster, which resulted in the compromise of 40,000 customer records in June 2018, and online retailer Newegg in September 2018.

The Ticketmaster breach arose after attackers hacked chatbot code from technology firm Inbenta that had been deployed on Ticketmaster’s payment page.

Magecart-style attacks continue to be a problem even though the tactics deployed by cybercriminals are evolving, cyber-security vendor Malwarebytes told Evalian.

“Supply-chain attacks are still the golden goose but we have not seen anything come anywhere close to the British Airways / TicketMaster compromises when it comes to Magecart,” it said.

Malwarebytes added: “From our viewpoint (client-side attacks), we have seen a decrease in overall skimmer attacks. This does not mean the threat is no longer as relevant, but perhaps it has moved server-side or is using more covert methods that are not as likely to be discovered.”

Police in Indonesia arrested three men linked to the Magecart attacks in 2020. The trio were accused of attacks against 12 (mostly European) websites.

The outcome of the cases remains unclear but what is known is that multiple groups have deployed Magecart-style malware in ongoing attacks. So-called web-skimming or form-jacking attacks remain a threat.

Malwarebytes concluded: “Presently, there is an increase in web threats delivering malware payloads over skimmers. There could be many different factors to explain this, all driven by ROI [return on investment] for cybercriminals.”

Defending against Magecart attacks

Defences against Magecart-style attacks include establishing a Content Security Policy on websites run by an organisation as well as auditing domains for JavaScript dependencies and establishing a web application firewall (WAF).

Evalian’s head of cyber resilience, Matt Gerry:

“There’s no one silver bullet to stop such attacks. A proactive defence in-depth approach is your best bet, combining several technical measures. This could be configuring WAF to detect magecart-style attacks, implementing and following secure coding practices, penetration testing your web applications, actively monitoring your environment for anomalous data leaks and making sure your supply chain is doing the same.

Supply chain attacks are an important tool in a cybercriminals arsenal and for obvious reasons. A trusted entity with legitimate access into their target systems, historically under less scrutiny and with weaker security measures in place – What’s not to like?”

Do you want to strengthen your security posture?

If you need support and direction in managing your third-party supply chain,  call us for a no-obligation chat. We have lots of useful resources such as this blog on understanding the importance of supply chain security

We can provide several different solutions that can be tailored to your business to support the management of your supply chain security.

You can also download our free Guide to Supply Chain security here.

Part of our supply chain managed service includes the use of our web application SupplyIQ, which we use to gather information from our client’s suppliers to identify risks and advise the best way forward. Some clients then ask us to work with their third-party suppliers, to advise them on steps required to reduce risks and to monitor their progress.

To learn more, download your free

Guide to Supply Chain Security

"*" indicates required fields

This field is for validation purposes and should be left unchanged.

Written by John Leyden

John is a freelance IT security journalist, with more than 20 years’ experience in writing about networking and cyber security.