The group behind British Airways and TicketMaster UK hacks
Threats / Magecart: The hacker group behind British Airways, Newegg and TicketMaster hacks
8 October 2018
Back in June, Ticketmaster UK announced that by inserting a malicious software in one of its customer support products, suspected hackers covertly exported personal and financial data of around 5 percent of its customers to a remote server.
Information accessed by hackers using the malicious software included names, addresses, email addresses, telephone numbers, payment details and Ticketmaster login details of around 40,000 Ticketmaster UK customers.
A few weeks later, a similar incident occurred that involved unnamed hackers stealing personal and payment information of around 380,000 people who made bookings and changes between August 21 and September 5 on British Airways’ website and mobile application.
Magecart behind a series of cyber-attacks
According to security firm RiskIQ, both hacking incidents were the work of a single hacker group known as Magecart. Explaining the group’s operating procedure, the firm said:
“Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites. Recently, Magecart operatives placed one of these digital skimmers on Ticketmaster websites through the compromise of a third-party functionality resulting in a high-profile breach of Ticketmaster customer data. Based on recent evidence, Magecart has now set their sights on British Airways, the largest airline in the UK,” the firm revealed.
According to RiskIQ, hackers from Magecart used only 22 lines of script to modify a large number of scripts on the British Airways’ website and then exploited the modifications to extract information from payment forms and transfer such information to their own server. The hackers also used an unique infrastructure to carry out the attack and purposely targeted scripts that would blend in with normal payment processing to avoid detection.
“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately. This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer,” the firm added.
To avoid detection, hackers from Magecart not only used a domain server located in Romania and one that was part of a VPN provider named Time4VPS based in Lithuania, they also used a paid SSL certificate issued by Comodo rather than a free certificate to appear genuine.
Apparently, British Airways wasn’t the last major corporation to fall victim to information-skimming tactics employed by Magecart hackers. Ten days after British Airways announced the breach to the public, RiskIQ concluded that a major data breach suffered by California-based retailer Newegg was also the work of Magecart hackers.
The hackers registered a fake domain called neweggstats.com, blended it in Newegg’s primary domain, and acquired a certificate issued by Comodo to receive skimmed credit card information from Newegg’s website. They followed this up by infiltrating Newegg’s systems and dropping a payment card skimmer code into Newegg’s checkout process.
“The skimmer code is recognizable from the British Airways incident, with the same basecode. All the attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways,” RiskIQ concluded.
According to the firm, Magecart has been active at least since 2015 and constantly targets major companies using tried-and-tested skimming tactics. Aside from British Airways, Newegg, and TicketMasterUK, the group successfully targeted Home Depot and Target as well to obtain payment card information of a large number of people.