Security researchers have claimed that the same gang behind the Ticketmaster security breach earlier this year were also responsible for the attack on British Airways, revealed last week.
Furthermore, they have warned that the gang, which targets ecommerce payment pages, is behind attacks on thousands of online retailers going back as far as 2015.
Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites
And Magecart is so prolific that RiskIQ claims that its security network flags up alerts almost every hour highlighting a newly compromised commerce site.
RiskIQ connected the attacks on BA and Ticketmaster by analysing the publicly available information and using that to reference its own logs of billions of web-crawled internet pages.
"Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites," claims its research published today.
It continues: "Our first step in linking Magecart to the attack on British Airways was simply going through our Magecart detection hits. Seeing instances of Magecart is so common for us that we get at least hourly alerts for websites getting compromised with their skimmer-code...
Just loading the main British Airways website spins up around 20 different scripts and loading the booking sub-page bumps that to 30
"In the case of the British Airways breach, we had no hits in our blacklist [of] incidents or suspects because the Magecart actors customised their skimmer in this case."
"Just loading the main British Airways website spins up around 20 different scripts and loading the booking sub-page bumps that to 30. While 30 scripts might not sound like much, many of these are ‘minified' scripts spanning thousands of lines of script," continues the research.
The script was loaded from the baggage claim information page on the British Airways website
The malicious script was both simple and effective, according to RiskIQ, targeting the data only when a user clicks to submit a payment. The information from the payment form was extracted along with their name and sent to the attacker's server, claim the researchers.
"This attack is a simple but highly targeted approach compared to what we've seen in the past with the Magecart skimmer, which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airway's payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.
The infrastructure used in this attack was set up only with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection."
Last night, we contacted 1,300 customers affected by the British Airways data breach and ordered them new cards as a precaution to protect them from fraud.https://t.co/jwmBUagJIv— Monzo (@monzo) September 7, 2018
RiskIQ claimed that the data was exfiltrated to a server in Romania, belonging to Time4VPS, a virtual private server company based in Lithuania. The attackers also used a paid certificate from Comodo, rather than use a free LetsEncrypt digital certificate for added authenticity.
"What is interesting to note from the certificate the Magecart actors used is that it was issued on 15 August, which indicates they likely had access to the British Airways site before the reported start date of the attack on 21 August - possibly long before. Without visibility into its internet-facing web assets, British Airways was not able to detect this compromise before it was too late."
Without visibility into its internet-facing web assets, British Airways was not able to detect this compromise before it was too late
"Companies, especially those that collect sensitive financial data, must realise that they should [not only] consider the security of their forms, but also the controls that influence what happens to payment information once a customer submits it."
In the case of Ticketmaster, the company was accused of ignoring warnings from start-up bank Monzo. It has proactively cancelled Monzo Bank debit and credit cards used on the BA website around the time of the breach and re-issued new cards to customers.
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago