Details of how the hack was orchestrated have now come to light.
In a blog post, RiskIQ researchers claimed to have found evidence that a web-based card skimmer script was injected into the BA website, an approach very similar to that used by the Magecart group, who are believed to be behind a similar recent attack against the Ticketmaster website. Web-based card skimmer script attacks have been occurring since 2015.
In this case, once the customer has entered their payment card details and submitted the payment, whether on a PC or on a touchscreen device, the malicious script executes, captures the payment card data and sends it to a virtual private server (VPS) hosted in Romania. The server used the domain baways.com and carried an HTTPS certificate issued by Comodo, so that it appeared legitimate within the website's HTML (code). The domain had been registered 6 days before the breach started; this obviously went undetected by BA's security, although the domain registration could perhaps have been picked up by a threat intelligence service.
Other researchers have also claimed the BA website wasn't PCI DSS compliant. Marcus Greenwood found files loaded from 7 external domains onto the BA website, and crucially said the BA payment page wasn't isolating the card payment entry within an iframe, which would prevent any third-party scripts (and XSS attacks) from reading the payment card form fields. The Payment Card Industry Data Security Standard (PCI DSS) is required of all organisations which accept, process, store and/or transmit debit and credit cards.