British Airways hack linked to the same group that hit Ticketmaster

This article originally appeared in Silicon Angle on September 11, 2018.

 

The hack of U.K. carrier British Airways last week that affected 380,000 customers has been linked to a notorious hacking gang that was also behind the hack of Ticketmaster Entertainment Inc., according to a new report.

The claim Tuesday came from security firm RiskIQ Inc., which linked the hacks to a gang it dubs “Magecart” that uses “web-based card skimmers.” That attack method is aimed at skimming e-commerce transactions with the intent of capturing payment card details.

 

In the case of Magecart, the group “injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites.”

 

British Airways itself has yet to disclose how the hack occurred, but Ticketmaster did, saying at the time that their hack was the result of “malicious software on a customer support product hosted by an external supplier.”

 

The report went on to note that Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically to avoid detection for as long as possible, indicating that the group is evolving and has the capability to do so again.

 

Mike Bittner, digital security and operations manager at The Media Trust, told SiliconANGLE that the hacks of both British Airways and Ticketmaster reveal a failure of some developers and software engineers to integrate security measures in designing web apps, as well as organized cybercriminals continuing to exploit vulnerabilities.

 

“The tools and techniques to prevent cross-site scripting and SQL injections have been around for a while, but they continue to be ignored,” Bittner said. “Developers should determine what is safe user input and reject all others, be they text, JavaScript or any unauthorized code. Website operators should carefully vet third-party web app providers to ensure their products have the right security measures in place.”

 

Also, he said, websites should test their web apps to make sure they aren’t vulnerable to attacks involving cross-site scripting or SQL injections. Not least, he added, they should continuously scan their sites to detect unauthorized code.

 

“Anything less than a proactive, comprehensive approach to securing their sites could amount to infringement of a growing number of consumer data privacy regulations like GDPR,” he said.
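
One way a site operator could scan a payment page for unauthorized code, as recommended above, is to inventory every script on the page and compare it against a reviewed baseline. The sketch below is an added example, not code from the article, RiskIQ or The Media Trust. The hostnames, the baseline and the sample page are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed baseline for a hypothetical checkout page (all names are placeholders):
# hosts allowed to serve scripts, and digests of inline scripts already reviewed.
ALLOWED_HOSTS = {"shop.example", "cdn.shop.example"}
APPROVED_INLINE = {hashlib.sha256(b"window.checkout = {currency: 'GBP'};").hexdigest()}

# Constructed sample page: one lookalike script host and one unreviewed inline script.
SAMPLE_PAGE = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="https://shop-cdn.example/lib.min.js"></script>
<script>window.checkout = {currency: 'GBP'};</script>
<script>var changed = true;</script>
</head><body></body></html>"""

class ScriptInventory(HTMLParser):
    """Collect every <script>: external src URLs and inline bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []  # start capturing an inline script body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def find_unauthorized_scripts(html, page_host):
    """Return (kind, value) for each script outside the approved baseline."""
    inv = ScriptInventory()
    inv.feed(html)
    inv.close()
    findings = [("external", s) for s in inv.external
                if (urlparse(s).hostname or page_host) not in ALLOWED_HOSTS]
    findings += [("inline", d) for d in
                 (hashlib.sha256(b.strip().encode()).hexdigest() for b in inv.inline)
                 if d not in APPROVED_INLINE]
    return findings
```

Hosts are matched exactly, so a domain chosen to resemble the site's own (the constructed `shop-cdn.example` here) is still reported. The check only sees markup as served, so scripts added at runtime by an approved third-party script need a browser-based scan.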