Between 21 and 25 August, the British Airways website was compromised and leaked 380 000 customers credit card and personal details to an elite and organized crime unit called Magecart.
Magecart has pulled this hack before in masterfully skilled hacks on Ticketmaster and Newegg. This team uses a sophisticated modus operandi where they inject their own code onto e-commerce websites to skim credit card and personal information into their own database without anyone knowing.
How do they do this
I am sure everyone reading this has heard and seen ATM card skimming scams.
Basically, what happens in these scenarios is that when you insert your bank card into an ATM, a device is placed between your card and the machine which captures your card details.
This device usually is camouflaged and not obvious so you have no idea that those details are being captured or cloned.
The keypad either is monitored by a pinhole camera or is overplayed with another keypad which then captures your pin.
What Magecart did with their hacks is they basically installed these skimmers with a few lines of code onto the web servers of their victims.
How did they get onto the servers is still no clear, but this code could have been done in multiple ways leveraging misconfigurations or even their own 0day exploits.
Insider knowledge
In most cases, the 0day exploit is an exploit that only the hackers have figured out and not shared with anyone which allows them to bypass security and gain access to a server without authentication or credentials.
They are called 0day because they will work until they are patched and they will most likely never be patched until someone else figures it out or shares the exploit on the internet.
The code they used was basic, just 22 lines, but executed brilliantly, and this was important, it needed to be very neat and clean and in no way stand out. They also ensured they used digital certificates and even got the domain name that looked like the British Airways domain so that it would not raise suspicion with https://baways.com
So just like the ATM skimmer, it looked like a normal ATM, it worked like a normal ATM and no one was the wiser.
Can this happen to you?
British Airways and Ticketmaster spend hundreds of thousands if not millions on security annually. They are audited and continually have penetration tests to keep their servers safe and secure. If it happened to them, it most certainly can happen to you.
However, do you manage over a million transactions annually and are you a target is another question. What you spend on your security should balance out on what you make.
How do you prevent these attacks?
Both attacks happened in the same fashion, Magecart compromised access to the webservers. How they did it may not be clear, but lets say that used a 0day which is hard to detect and almost impossible to prevent.
The next step is where they could have done a better job which most certainly could have slowed the attackers.
They could have simply put in place a code change approval and alert process that any changes to a production system need to be approved and flagged.
Had the attacks made the changes with this type of system in place, they would have been found out immediately and the threat stopped.
So in short, Magecart places a card skimmer on the victim’s websites and copied all data to their database without anyone noticing for a while. Get yourself a vulnerability assessment on your line of business systems from our A team Protection today.