British Airways and Ticketmaster hacks are the work of the same group

According to an analysis by security company RiskIQ, the same group is behind the hacks on British Airways and Ticketmaster. It would be the so-called Magecart group, which focuses on payment data and other sensitive information.

The company lays the link between the two incidents in a analysis of the scripts on the British Airways site. Normally the company receives a notification when a Magecart script appears on a site that is blacklisted, but in this case it was a modified variant. By examining the changes on the site, RiskIQ found out that on August 21 of this year an update was made in the Modernizr library for JavaScript on the British Airways page for baggage claims. The script was supplemented with 22 lines of code, which made it possible to steal entered data, according to the security company.

The added lines of code after cleaning, image of RiskIQ These rules code ensured that in certain events the contents of the fields paymentForm and personPaying were forwarded to a server that was hosted on the domain This domain belongs to the attackers and is part of an infrastructure thatwas specifically set up for British Airways. According to the security company it was a very targeted attack, in which Magecart did not just inject its usual skimmer script. skimming of data was not limited to the site of the airline company, claims RiskIQ further . Also in the mobile app there was a malicious page that stole data. The app charges in certain cases the mobile version of the British Airways site instead of using the available APIs. One of these pages, which was about taxes, also contained the adapted script. The attackers would have struggled to make the method work on mobile devices.RiskIQ suggests that the attackers must have had wide access to the British Airways infrastructure to make their adjustments. In addition, it would be possible that they had access long before the attack began. British Airways announced last week that strangers have stolen the data of 380,000 customers between August 21 and September 5. This included full names, billing addresses, e-mail addresses and credit card details consisting of numbers, expiration dates and cvv codes. RiskIQ has also published an analysis of the Ticketmaster incident .