What is Magecart and was it behind the Ticketmaster and BA hacks?

The phenomenally damaging cyberattack on British Airways last week saw the haemorrhaging of information from over 385,000 transactions, credit card and personal details included.

As the dust settles and the company scrambles to carry out damage control, more information is emerging about the identity of the perpetrators – with notorious hacking group Magecart the prime suspect. 

Who is Magecart?

Cyber security firm, RiskIQ has released more details about the BA attack and linked it to Magecart, a hacker group specialising in skimming credit card details from unsecured payment forms on websites.

These ‘digital skimmers’ (that work through code inserted into websites) operate similarly to physical card skimmers that are sometimes inserted into ATMs to lift information from cards and transmit it back to hackers.

These kinds of attacks are known as “cross-site scripting” and exploit weaknesses in the code of the payment processing pages, without necessarily comprising the victim site’s network or server. In the past, these have been targeted towards third party payment processors, but the attack targeted at British Airways was far more tailored to the company’s particular infrastructure – boutique malware, if you will.

According to RiskIQ, this indicates a worrying development in the group’s abilities as it represents a considerable progression from the ‘generic scripts’ they’ve previously adopted.

To identify the attack, RiskIQ trawled through the unique scripts of BA’s website – the ones that would have been targeted in this type of attack – and tracked them until a change was visible – coinciding with the moment that the attack began.

Inserted into the code was 22 lines of code typical of these types of hacking operations. This recorded customer information and then transmitted it to the attackers’ server when the customer pressed the submission button. The attack has been attributed to Magecart as the code used is a slightly adapted version of their trademark script.

Even more cunningly, the attackers paid for an SSL certificate for this server which helps to create the assumption of legitimacy because it means that web encryption is enabled and that data can be protected.

Although the exact details are still unknown, threat researcher Yonathan Klijnsma of RiskIQ said that the attack must have been sophisticated to remain undetected by BA for 15 days.

Magecart rampage: other attacks   

RiskIQ has linked the BA attack to the Ticketmaster breach which took place in June 2018, affecting 40,000 customers, suggesting it’s likely that Magecart was also behind this. 

More recently, following the British Airways attack, push notification service, Feedify, has also reported finding the presence of Magecart malware on its site. This involved a Javascript library hosted by Feedify and used by a range of ecommerce sites.

The code in question is typically embedded to allow customers to leave feedback on sites, however it had been tampered with to include Magecart malware, meaning the customers of a wide range of sites integrating the code could be at risk.

Reportedly, it’s more or less the same script that was embedded into both BA and Ticketmaster sites. Feedify reported that this is the third time in a month that the code has had to be scrubbed, indicating a long-term, persistent attack from Magecart. This demonstrates the risk that companies take embedding third party code into their sites.