{
	"id": "6e779caa-ba0d-458a-bb5f-35780e55b830",
	"created_at": "2026-04-06T00:19:20.508401Z",
	"updated_at": "2026-04-10T03:24:11.792878Z",
	"deleted_at": null,
	"sha1_hash": "99f58a5816fd91834d40d738ecdf0c68b2ae931a",
	"title": "British Airways Fell Victim To Card Scraping Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3045398,
	"plain_text": "British Airways Fell Victim To Card Scraping Attack\r\nBy Ionut Ilascu\r\nPublished: 2018-09-11 · Archived: 2026-04-05 14:02:09 UTC\r\nThe recent British Airways data breach affecting 380,000 individuals appears to be the work of a known adversary that\r\ninfects websites with a script designed to collect payment card data.\r\nThe name of the group is MageCart, and the scripts it uses have the same effect as the physical card skimming devices used\r\nby cybercriminals at ATMs. In a typical attack, the group casts a wide net by compromising commonly used third-party\r\nfunctionality that allows access to hundreds of websites.\r\nBritish Airways was targeted\r\nDigital threat management company RiskIQ tracks the activity of the MageCart group and has reported its use of web-based card\r\nskimmers since 2016. They are familiar with the threat actor and their skimmer-code and detect it almost on an hourly basis.\r\nWith British Airways, though, MageCart took a targeted approach and customized the script so that it did not ring any alarm\r\nbells.\r\n\"This particular skimmer is very much attuned to how British Airway’s payment page is set up, which tells us that the\r\nattackers carefully considered how to target this site instead of blindly injecting the regular\r\nMagecart skimmer,\" RiskIQ says in a report shared with BleepingComputer in advance.\r\nFor this investigation, the researchers identified all the scripts loaded by the air carrier's website and searched for recent\r\nchanges.\r\nThe researchers noticed that the Modernizr JavaScript library had been modified with 22 new lines of code at the bottom, a\r\ntactic often used by attackers to make sure they don't break the 
functionality of the script.\r\nThe British Airways website loaded the library from the baggage claim information page, and the change made by the MageCart\r\nthreat actor allowed Modernizr to send payment information from the customer to the attacker's server.\r\nThe compromised code behaved the same whether the website was loaded on a computer screen or from the mobile app, since\r\nin both cases the resources for searching, booking or managing flights were the same.\r\nThe change in the JavaScript library was confirmed by the headers sent by the British Airways server, which indicated\r\nAugust 21, 20:49 GMT as the time and date of the last modification in Modernizr.\r\nIn the statement on the data breach, the airline said the theft occurred between August 21, 22:58 BST, one hour after\r\nMageCart made the change in Modernizr.\r\nAttackers use SSL certificate from Comodo\r\nMore evidence that MageCart prepared for this attack and aimed to keep it active for as long a period as possible is found in\r\nthe infrastructure used for exfiltrating the payment card details.\r\nThe compromised Modernizr script delivered all the data to baways[.]com, which resembles the legitimate domain used by\r\nBritish Airways, and would likely not raise suspicions during a cursory look at the modified library.\r\nRiskIQ also discovered that MageCart purchased an SSL certificate from Comodo, instead of going with the free choice\r\nfrom Let's Encrypt. 
The reason for this is that a paid certificate is less likely to attract attention.\r\nWith this attack, the MageCart threat actor has stepped up the ladder and shown it is capable of refining its operations,\r\nblending in with the targeted website to maintain its presence.\r\nIt is unclear how MageCart managed to compromise the British Airways website, but RiskIQ says that being able \"to modify\r\na resource for the site tells us the access was substantial.\"\r\nUpdate: Following BleepingComputer's report, Comodo released a statement saying that it revoked the SSL certificate\r\nissued to baways[.]com, the domain used for exfiltrating payment data.\r\n\"Comodo CA had issued the DV certificate in mid-August, 2018, after following all industry standards and Baseline\r\nRequirements from the CA/Browser Forum,\" reads the statement.\r\n\"While Certificate Authorities (CAs) can and must authenticate certificate requesters according to their validation level (EV,\r\nOV, or DV), they are not able to discern the intention of the certificate requester in advance of real-world use,\" the statement\r\ncontinues.\r\nSource: https://www.bleepingcomputer.com/news/security/british-airways-fell-victim-to-card-scraping-attack/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/british-airways-fell-victim-to-card-scraping-attack/"
	],
	"report_names": [
		"british-airways-fell-victim-to-card-scraping-attack"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434760,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99f58a5816fd91834d40d738ecdf0c68b2ae931a.pdf",
		"text": "https://archive.orkl.eu/99f58a5816fd91834d40d738ecdf0c68b2ae931a.txt",
		"img": "https://archive.orkl.eu/99f58a5816fd91834d40d738ecdf0c68b2ae931a.jpg"
	}
}