
British Airways: Suspect code that hacked fliers ‘found’ - TomAnthony
https://www.bbc.co.uk/news/technology-45481976
======
jsty
"According to RiskIQ, they even went so far as to acquire a Secure Socket
Layer (SSL) certificate - which suggests to web browsers that a web page is
safe to use."

The BBC's technology reporting usually isn't that bad for a mainstream
audience, but this is just egregious. On the one hand, perpetuating the myth
that "anything I do on this page must be super safe because there's a green
padlock", and on the other completely exaggerating the difficulty of going
HTTPS now we have LetsEncrypt.

~~~
bobthedino
Although this comment in RiskIQ's report
([https://www.riskiq.com/blog/labs/magecart-british-airways-br...](https://www.riskiq.com/blog/labs/magecart-british-airways-breach/)) is
even worse - it suggests that LetsEncrypt certs are less "legitimate" than
paid ones: "Interestingly, they decided to go with a paid certificate from
Comodo instead of a free LetsEncrypt certificate, likely to make it appear
like a legitimate server"

~~~
tialaramex
After years of watching actual users, my first guesses as to why the crooks
went with a "paid certificate from Comodo" would be:

1. They genuinely didn't know about Let's Encrypt

2. Learning some new stuff to get a free cert didn't seem worth it because
they're not paying anyway (at corps this is often because they have a bulk
deal, or there will just be a Purchase Order so it's not their personal credit
card bill, for crooks it's probably someone else's money anyway)

3. Some minor technical inconvenience made doing the ACME proof of control
validations tricky. For example their DNS provider doesn't implement a sane
API for changing TXT records.

~~~
scandox
Crap DNS not supporting CAA records can be an issue too

~~~
tialaramex
Good point. Worth spelling out that your DNS doesn't need to understand CAA
records, it merely needs to be able to conform to the obvious requirement that
if you ask it "Hey are there CAA records for this name?" it says "No" rather
than crashing, silently ignoring the question or returning an error
indication.

As usual in DNS this works fine in the Free implementation your OS vendor
included, shame about all the expensive proprietary choices that get this
wrong for every single new record type.

------
ID1452319
What I can't get my head around is how they managed to add their code to the
.js file.

Correct me if I'm wrong, but the file was hosted by BA within their CMS, yet
the attackers were able to update this file to include their 22 lines of code.

Does this mean the attackers had access to the CMS for BA.com or is there a
step I am missing or has been deliberately omitted?

~~~
netsharc
Why "yet"?

I've worked with CMS tools that allow you to add plain HTML blocks, even stuff
inside <script></script>. If their CMS allows this, and some marketing person
had "password123" as their CMS password, and they allow access from the web
(instead of intranet/VPN + 2FA requirements)...

------
raesene9
This is interesting as a lot of initial speculation for this attack focused on
the large amount of 3rd party JS being loaded into the BA payment pages as a
likely source of compromise.

Instead this looks like a fairly well executed "traditional" attack on BA's
CMS/Web server infrastructure.

It's a good example of why even front-end infrastructure components need good
protection...

~~~
tomalpha
The write-up is a little unclear, at least to me. I read it as being that it
_was_ a third-party JS attack. At least of a sort - e.g. a compromised third-
party package downloaded and then used by BA? [0]

[0] [https://cdn.riskiq.com/wp-content/uploads/2018/09/Webp.net-r...](https://cdn.riskiq.com/wp-content/uploads/2018/09/Webp.net-resizeimage-22.png)

~~~
raesene9
I took from the article that the attacker had modified an existing copy of the
Modernizr script that BA were running by appending content at the end of it.

The targeting of the attack and the fact that prior to that the file hadn't
changed for 6 years make it unlikely that it was a downloaded copy that had
been backdoored and then installed by BA.

~~~
tomalpha
Thanks, that makes more sense.

------
fabiosussetto
How did that modified modernizr.js script end up in there? I mean, it must
have been included directly from the BA website? I also wonder how BA can be
so sure about the dates this was stealing payment data, since this was
apparently a frontend attack. Maybe they somehow know when that js script had
been modified?

------
2T1Qka0rEiPr
Both this link, and the technical one posted by @iicc seem really light on
_how_ the infected modernizr got onto their CMS in the first place...

------
JonoW
This is a good advert for using sub-resource integrity
[https://developer.mozilla.org/en-US/docs/Web/Security/Subres...](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)

------
gaius
Here’s the thing tho’, BA’s website exists solely to provide information on
and sell their own services. Why is there third-party _anything_ on it in the
first place? Fix that and you’ll fix everything, well almost.

Disclaimer: worked on ba.com in the ‘90’s

~~~
robjan
It's not a third party script. It's a copy of modernizr hosted on their own
server. Someone has either hacked their CMS (Teamsite) or it's an insider.

~~~
PunchTornado
I love how big companies still use legacy CMSes like Teamsite, thinking it is
too expensive to move to something modern.

~~~
ams6110
If you have a large customer-facing retail website, redoing the whole
thing in something "modern" (which will only be "modern" for a year or so) is
actually very expensive. Have you ever migrated a non-trivial website from one
platform to another?

------
bradvl
Marcus Greenwood (Founder of UB.IO) put out some good analysis of this at
[https://medium.com/the-automator/so-about-that-ba-hack-a82e5...](https://medium.com/the-automator/so-about-that-ba-hack-a82e5701f095)

And there's more analysis at [http://huagati.blogspot.com/2018/05/things-you-probably-dont...](http://huagati.blogspot.com/2018/05/things-you-probably-dont-want-to-do-on.html)

And the fake BAWAYs server is still up -
[https://twitter.com/inventur_es/status/1039519364733497344](https://twitter.com/inventur_es/status/1039519364733497344)

~~~
strictnein
Ehh, Marcus's analysis is off on some of the details and his prediction of a
3rd party JS (which he strangely originally kept referring to as XSS, which
makes me question his thoughts even more) ended up being wrong.

------
onemoresoop
Maybe some sort of one-use credit card numbers should be used so that if
hackers steal them they're worthless, and have a centralized service for
providing those one-use generated numbers...

------
planetjones
Why not do a quick scan twice a day of all static content, looking for IP
addresses and domains against a whitelist of allowed domains? This would have
found the issue the same day.

------
danielsamuels
A simple connect-src CSP would have prevented this

------
iicc
better link: [https://www.riskiq.com/blog/labs/magecart-british-airways-br...](https://www.riskiq.com/blog/labs/magecart-british-airways-breach/)

~~~
raverbashing
Yes it is

And the attackers knew how to use SSL as opposed to some 3DS/VBV "partners"
I've seen in the wild

Except for the botched GDPR "agreement" box

------
jspash
Genuine question... Why the scare quotes around the word "found"? I'm assuming
"hacked fliers" refers to the people who had their details stolen. So how
exactly did they "find" the "suspect code"?

English is my first language, but I'm really struggling to grok this headline.

~~~
jackweirdy
From the BBC:

> Quotation marks should be single:

> in headlines and cross-heads (eg: UK ‘to leave EU’); in promo text and for
> quotes within quotes (eg: Tom Bone said: “They say, ‘The Labour Party is
> finished’ before every election”) and inside quote boxes (eg: They sprayed
> ‘go home’ on our front door – Sandra Harris).

> In headlines where the attribution is clear, do not include unnecessary
> quote marks (eg Britain won’t hold referendum, says PM rather than Britain
> "won’t hold referendum", says PM).

> They should be double:

> outside the categories listed above - on the ticker, in regular text,
> summaries and picture captions. Also, at first use of phrases such as “mad
> cow disease” or “road rage”. (But quotation marks will be single if the
> phrase comes inside a direct quotation (eg: The minister said: “The spread
> of ‘mad cow disease’ had ruined thousands of lives.”) Either way, no
> punctuation is required after the first reference.

[https://www.bbc.co.uk/academy/en/articles/art201307021121335...](https://www.bbc.co.uk/academy/en/articles/art20130702112133530)

~~~
jspash
Thanks for the clarification. I've re-read this headline a dozen times and it
finally makes sense.

By removing the phrase "that hacked fliers" you're left with "Suspect code
'found'". Which is the core of the statement. But that doesn't give enough
context so the reference to the fliers was added.

I also think they wanted to lead with "British Airways" so a bit of contortion
was necessary.

------
lozzo
If I had had the developer console open in chrome while going through the
booking, would I have seen in the network tab the posting to baways.com...

I think the answer is yes.

So I wonder why this issue was not reported earlier by some techie guy who's
just booked a flight

