Slashdot Mirror


British Airways Breach Caused By the Same Group That Hit Ticketmaster (zdnet.com)

An anonymous reader shares a report: A cyber-criminal operation known as Magecart is believed to have been behind the recent card breach announced last week by British Airways. The operation has been active since 2015 when RiskIQ and ClearSky researchers spotted the malware for the first time. The group's regular mode of operation involves hacking into online stores and hiding JavaScript code that steals payment card information entered into store checkout pages, information such as credit card numbers, names, addresses, and whatever is collected via payment forms. The group has been very active in the past three years, being blamed for injecting card skimming scripts on thousands of sites, with the most recent trove of compromised sites being discovered two weeks ago. Of all its hacks, the most notorious incident was when the group compromised a third-party chat provider and used its infrastructure to drop malicious scripts on the Ticketmaster checkout page. [...] In a report published today, researchers at RiskIQ say they found clues linking the same Magecart operation to the British Airways breach. This breach was announced last week when British Airways said that an unidentified hacker compromised its systems and stole the card details of over 380,000 users.
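
As an added example (not part of the Slashdot story or the ZDNet report), here is a defender's audit for the exposure the summary describes with the third-party chat script on the Ticketmaster checkout page: it lists every external script a checkout page loads and flags third-party ones that are not pinned with a Subresource Integrity hash. The page markup, host names and function names are constructed for illustration.

```javascript
// Constructed sample checkout page; all hosts and the hash are placeholders.
const SAMPLE_HTML = `
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/lib.min.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDERHASH" crossorigin="anonymous"></script>
<script async src='//chat.vendor.example/widget.js'></script>
<script>var inline = 1;</script>
</head></html>`;

// Collect the attributes of one <script ...> start tag into an object.
// Regex scanning is enough for an audit sketch; use a real HTML parser in production.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<script\b/i, "").replace(/>$/, "");
  const re = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Classify every external script on the page by origin and SRI pinning.
function auditScripts(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const report = [];
  for (const [tag] of html.matchAll(/<script\b[^>]*>/gi)) {
    const attrs = parseAttrs(tag);
    if (!attrs.src) continue; // inline scripts carry no src to pin
    const src = new URL(attrs.src, pageUrl); // resolves relative and // URLs
    let status = "first-party";
    if (src.origin !== pageOrigin) {
      const pinned = /^sha(256|384|512)-/.test(attrs.integrity || "");
      status = pinned ? "third-party-pinned" : "third-party-unpinned";
    }
    report.push({ src: src.href, status });
  }
  return report;
}

console.log(auditScripts(SAMPLE_HTML, "https://shop.example/checkout"));
```

Pinning only helps for third-party files that do not change between releases, and it does not cover a skimmer planted in the store's own scripts.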

11 comments

  1. Breach my ass by Anonymous Coward · · Score: 0

    all aboard, mateys

  2. Caused or believed to have caused? by Anonymous Coward · · Score: 0

    There is, or was, a difference at one time.

  3. Oh noez de haxx0rs r liek haxxin agin!!!1! by Anonymous Coward · · Score: 0

    Yay more breathless content-free yabbering by tech-illiterate idjits.

    "But that's a tech news site!" you say.

    I stand by my assessment, and yes, that's an extra heaping helping of damning on "the industry".

  4. Online card skimming by DrYak · · Score: 2

    Would be a lot harder to achieve with cards that require a second out-of-band confirmation.

    The attacker would still get everything that goes into the checkout form on the attacked website,
    but they would lack what goes - e.g. - into the confirmation app on the smartphone.
    Thus they couldn't use the data to make purchases on the users' behalf.

    On the other hand, this data might be enough to do some social engineering (see customer services that ask for the last part of the card number as a form of identity proof).

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Online card skimming by Anonymous Coward · · Score: 0

      Might work. Because as we all know, phones can't be breached.

    2. Re:Online card skimming by Anonymous Coward · · Score: 0

      Smartphones themselves are a big security risk, and not everyone has one.

  5. bernie madoff by Anonymous Coward · · Score: 0

    Is in a 5 star hotel.. I mean prison

  6. What's Jenna Coleman up to? by Impy+the+Impiuos+Imp · · Score: 4, Funny

    Stupid Americans and their lazy regulatory government and lax corporations. We Brits have a tight reign on secur...

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  7. These attackers are motivated by opportunity by gweihir · · Score: 3, Informative

    Hence while the actual crime was surely committed by them, BA left the barn door wide open for them to waltz in.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:These attackers are motivated by opportunity by ole_timer · · Score: 1

      as does any site that lets scripts be injected...some heads ought to roll over this...

      --
      nothing to see here - move along
  8. Harder vs impossible by DrYak · · Score: 1

    Because as we all know, phones can't be breached.

    Notice how I said harder, not impossible.

    Yes, phones can be breached, too. But that suddenly requires a little bit more effort (breaching a completely different device), than simply adding JavaScript that slurps the content of "buy / checkout" web forms on a compromised web site.

    Before :
      - "simply" compromise a single web site and slurp all the credit card info
    1 single point to breach.

    After :
      - slurp all the credit card info from a single website
      - break the 2 factor authentication (e.g.: smartphone) for every single user whose credit card you intend to abuse.
    thousands of points to breach

    Oops, things got dramatically more complex.

    (Also, the "- e.g. -" meant that the smartphone app was just a possible illustration.
    You're free to come up with a more resistant out-of-band confirmation protocol)

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]