RiskIQ finds malicious code in British Airways website & app

British Airways investigated the theft of the customer data of 380,000 passengers. Following this, cybersecurity firm RiskIQ found that malicious code had been planted into the British Airways website (ba.com) and app.

RiskIQ established that the code on BA’s website was extremely similar to the malicious code found on Ticketmaster’s website, which had been embedded by a group dubbed Magecart.

“The same type of attack happened recently when Ticketmaster UK reported a breach, after which RiskIQ found the entire trail of the incident,” explains RiskIQ in its blog post.

“Because we crawl the internet and capture the details of each page, our team was able to expand the timeline and discover more affected websites beyond what was publicly reported.”

According to RiskIQ, Magecart set up custom, targeted infrastructure to blend in with the British Airways website and avoid detection for as long as possible.

“While we can never know how much reach the attackers had on the British Airways servers, the fact they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets,” RiskIQ adds.

Researchers from RiskIQ found a malicious script consisting of 22 lines of code. The script worked by stealing data from the airline’s online payment form and sending it to the attackers’ server once a customer clicked the “submit” button. Here is a cleaned up version of the script:
The cybersecurity company then highlighted the change noted at the bottom of the script, a technique they typically see when attackers modify JavaScript files to ensure the injected code does not break the file’s existing functionality:

“This attack is a simple but highly targeted approach compared to what we’ve seen in the past with the Magecart skimmer which grabbed forms indiscriminately,” continues RiskIQ.

“This particular skimmer is very much attuned to how British Airways’ payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer.”

Attackers were also able to gather data from mobile app users because the same script was loaded into pages of the airline’s app.

Written by Leah Alger