Cyber Security Insights

The Magecart Attack on British Airways
Thursday 18th July 2024
We delve into the details of the Magecart attack on British Airways (BA) that took place in 2018. We explore how the attackers modified the copy of the Modernizr JavaScript library served from BA's own website, adding a payment-card skimmer that sent the card details of over 380,000 customers to a server under their control. The post also examines the significant financial, legal and reputational impact of the breach on British Airways.
We then discuss how a Content Security Policy (CSP) could have mitigated the attack. By explaining how CSP controls which scripts a page may load and execute, allow-lists trusted sources, requires a nonce on every script, blocks inline scripts and eval(), restricts where a page may send data, reports policy violations and enforces HTTPS, we highlight the importance of robust security practices in protecting web applications from such targeted threats.
The Magecart Attack on British Airways
In 2018, British Airways (BA) suffered a significant data breach caused by a Magecart attack. Magecart is the umbrella name for a number of criminal groups that skim payment card data from e-commerce sites by injecting malicious JavaScript into web pages, usually the checkout page. Here is a detailed explanation of the attack:
How the Attack Occurred:
- Modification of a JavaScript Library: The attackers gained access to BA's web infrastructure and tampered with Modernizr, a third-party JavaScript library that the BA website served from its own domain. Modernizr itself was not compromised upstream; the altered file was the copy hosted by BA, which is why it loaded from an origin the site trusted and attracted no attention.
- Injection of Malicious Code: They appended a short skimmer (22 lines of code) to the library. It waited for the customer to submit the payment form and then read the values of the form fields.
- Skimming Payment Data: When a customer submitted their details, the script captured the card number, expiry date and CVV code together with the name and address fields entered alongside them.
- Data Exfiltration: The captured data was serialised and sent from the customer's browser to baways.com, a look-alike domain under the attackers' control that had a valid TLS certificate, so the traffic resembled an ordinary HTTPS request. Because the exfiltration happened client-side, BA's own servers saw nothing unusual.
- Detection and Response: The breach was detected only after a significant number of customers' payment details had been compromised. British Airways removed the malicious code, notified affected customers and the ICO, and strengthened its security measures to prevent future incidents.
Impact of the Attack:
- Data Compromised: Around 380,000 customers had their personal and payment card data stolen.
- Financial Loss: The UK's Information Commissioner's Office (ICO) fined British Airways £20 million (about $26 million) under the GDPR in October 2020, after initially announcing an intention to fine £183.39 million; at the time it was the largest fine the ICO had issued.
- Reputational Damage: The breach resulted in a loss of customer trust and confidence in British Airways' ability to protect sensitive information.
How Content Security Policy (CSP) Could Have Mitigated the Attack
A Content Security Policy (CSP) is an HTTP response header (or meta tag) that tells the browser which sources of scripts, connections and other resources a page may use. Implementing CSP could have mitigated the Magecart attack on British Airways by limiting what could run on the payment page and, crucially, where the page could send data. One caveat up front: the skimmer was served from BA's own domain, so a script allow-list on its own would not have stopped it loading; the directives that bite are the ones that restrict outbound connections. Here is how CSP could have helped prevent or limit the impact of such an attack:
- Script Source Allow-listing:
- Preventing Unauthorised Scripts: CSP lets web administrators specify which sources (origins) may supply scripts to a page. Allow-listing only trusted sources, such as self-hosted scripts and known content delivery networks (CDNs), blocks scripts injected from anywhere else. Note the limit of this control: the tampered Modernizr file was served from BA's own origin, which any sensible allow-list includes, and CSP checks where a script comes from, not what it contains (pinning the content is the job of a Subresource Integrity hash on the script tag). Source allow-listing would have stopped a skimmer loaded from an attacker's domain, but not this one.
- Example Directive:
Content-Security-Policy: script-src 'self' https://trusted-cdn.com;
- Nonce-Based Script Execution:
- Dynamic Script Control: CSP supports nonces, unpredictable random values generated fresh for every response. The server places the nonce in the CSP header and in the nonce attribute of every legitimate script tag, inline or external, and the browser runs only scripts whose attribute matches. A script element an attacker injects into the page lacks the nonce and is refused. The nonce must be unguessable and never reused across responses; a static nonce is equivalent to 'unsafe-inline'.
- Example Directive:
Content-Security-Policy: script-src 'self' 'nonce-{random-nonce}';
- Strictly Enforced Policies:
- Blocking Inline Scripts and Eval: Unless a policy explicitly includes 'unsafe-inline' and 'unsafe-eval', CSP refuses inline script blocks, inline event handlers and javascript: URLs, and disables eval(), new Function() and string arguments to setTimeout(). This removes the easiest ways for an attacker to run injected code directly from the HTML markup or from dynamically built strings. Setting object-src 'none' and a restrictive default-src closes the plugin and fallback loopholes as well.
- Example Directive:
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
- Restricting Outbound Connections:
- Blocking Exfiltration: connect-src controls where scripts may send data with XMLHttpRequest, fetch() and WebSockets, and form-action controls where forms may be submitted. With connect-src 'self', the BA skimmer's request to baways.com would have been refused by the browser even though the script itself was running, and the refusal would have produced a violation report.
- Example Directive:
Content-Security-Policy: connect-src 'self'; form-action 'self';
- Reporting and Monitoring:
- Violation Reporting: CSP includes a reporting mechanism (the report-uri directive, or report-to together with a Reporting-Endpoints header) through which the browser sends a JSON report for each blocked load or connection. Monitoring those reports reveals unauthorised script injections and attempts to contact unexpected hosts as they happen, and Content-Security-Policy-Report-Only lets a new policy be trialled without breaking the site.
- Example Directive:
Content-Security-Policy: script-src 'self'; report-uri /csp-violation-report-endpoint;
- Upgrade to HTTPS:
- Enforcing HTTPS: The upgrade-insecure-requests directive (and the older block-all-mixed-content) makes the browser fetch all resources, including scripts, over HTTPS. This prevents an on-path attacker from using an insecure HTTP sub-resource to inject scripts. It would not have affected the BA attack, where both the page and the tampered script were served over HTTPS, but it belongs in any baseline policy.
- Example Directive:
Content-Security-Policy: upgrade-insecure-requests;
By implementing CSP with directives tailored to the site, British Airways could have limited what the skimmer was able to do even after it had been planted in the Modernizr file: with connect-src and form-action restricted to BA's own origin, the browser would have refused to send the captured card data to baways.com, and the resulting violation reports would have flagged the attempt immediately rather than after weeks of skimming. CSP does not replace integrity checks on the scripts themselves or access controls on the servers that host them, but it is a robust defence-in-depth layer that controls script execution and resource loading and materially improves the security posture of a web application.
Key facts behind the article:
- Modernizr JavaScript Library: The attackers used a modified copy of the Modernizr JavaScript library, served from the British Airways site, to carry out the attack. They added 22 lines of code to it, which captured payment information submitted on the British Airways website and mobile app (the app loaded the same web page). The stolen data was sent to the domain baways.com, part of infrastructure set up specifically for this attack.
- Impact and Duration of the Attack: The breach affected around 380,000 customers who made bookings between 21 August and 5 September 2018. During this period customer names, postal addresses, email addresses and payment card details were stolen. The attackers are believed to have had access to British Airways' systems before the skimming began.
- Magecart's Targeted Approach: Unlike their usual wide-net strategy, the Magecart group behind this attack tailored their code to the specific layout of British Airways' payment page. This targeted approach was designed to avoid detection and blend in with the normal payment-processing scripts.
- Fines and Penalties: The UK Information Commissioner's Office (ICO) initially announced an intention to fine British Airways £183.39 million for GDPR infringements related to the breach. The fine was reduced to £20 million in October 2020. British Airways also faced a group legal action from affected customers, with potential liability reported at up to £3 billion; it was settled in 2021 on confidential terms.
These facts summarise the methods used by the attackers and the impact of the breach on the airline and its customers.