Last Thursday, another major breach hit the news, as British Airways announced that its website and mobile application had been compromised by criminals, resulting in the theft of the details of 380,000 customer transactions.
The airline discovered that payment transactions made between August 21 and September 5 had been compromised in what it called a “very sophisticated, malicious criminal attack”, with the criminals obtaining names, street addresses, email addresses, card numbers, expiry dates and even the card security codes. BA reports that only customers who booked travel and made purchases on the BA website or mobile application within that window were affected. Stored card details, according to BA, were not at risk.
Why is this Type of Attack Getting More Popular?
Previously, data of this kind was typically stolen by infecting the customer’s own computer with malware. It is far more advantageous for criminals to compromise a server that will distribute the malicious code for them than to infect endpoints one at a time. A server generally takes more effort to break into than a typical home user’s PC, but the intrusion pays far larger dividends: once compromised, a single server delivers the malware to every user of the site.
Modern websites load scores, often hundreds, of third-party libraries, and a vulnerability in any one of them is enough to compromise the page as a whole. Once attackers have gained control of the systems that serve those libraries, they can insert site-specific malicious code into the very files that provide functionality the BA site relies on. It is not so much a trojan horse as a subversion of legitimate functionality: once the malicious code is merged into the legitimate code, it is served to every visitor of the infected site.
How Exactly Does the Malware Work?
- The current page’s URL is checked against a list of known, interesting patterns, e.g. “order” or “checkout”, so the code only activates on pages where payment details are entered.
- Every button, input, form, and submit element in the DOM is enumerated.
- For each of these elements a new event handler is registered. The event hooked depends on the element type (e.g. the submit event for form elements), but the handler function itself is the same regardless of the event.
- Every 30 seconds this enumeration and registration is run again, so elements added to the page after the script first ran are hooked as well.
- When the handler fires, it serialises every input on the page into a URL-encoded parameter string and sends it in the body of a POST request to an exfiltration server controlled by the attackers.
How Can You Protect Against These Types of Attack?
Detecting malicious code after the fact is, on its own, a flawed approach, but businesses have another way to protect their payment pages. Rather than relying entirely on detection, they can turn the problem on its head by preventing payment information from leaving the site at all. Whatever the method of attack, the culprits are thwarted and customer data is protected, which is the ideal outcome. It is not possible to stop every online customer from being attacked, but if the transaction session itself can be protected, the fraud can be prevented.
Trusted Knight’s Protector Air does precisely that. It is a cloud-based solution, invisible to end users, that stops transactional fraud by securing the transaction stack and thereby ensuring the integrity of every transaction.
Trusted Knight’s patented Protector Air technology would have prevented the BA data loss. Other solutions should detect changes to the payment page and raise alerts about them, but those alerts would still have to be reviewed and acted upon by already overworked security teams, and would only have been dealt with after the breach had taken place. Had Protector Air been in place, this breach would have been prevented automatically, no customer details would have reached the criminals, and BA would have saved tens of millions of dollars in hard costs as well as untold losses in brand reputation.