Last week, British Airways revealed that all the payment information processed through the airline's website and mobile app between August 21 and September 5 had been exposed. As many as 38,000 British Airways customers may have had their contact and financial information stolen in the breach, which evidence suggests was the result of malicious JavaScript code planted within British Airways' website.

According to a report by RiskIQ's Head Researcher Yonathan Klijnsma published Tuesday, RiskIQ detected the use of a script associated with a "threat group" RiskIQ calls Magecart, the same set of actors believed to be behind a recent credit card breach at Ticketmaster UK. While the Ticketmaster UK breach was the result of JavaScript being injected through a third-party service used by the Ticketmaster website, the British Airways breach was actually the result of a compromise of BA's own Web server, according to the RiskIQ analysis.

"This attack is a highly targeted approach compared to what we've seen in the past with the Magecart skimmer," said Klijnsma. "This skimmer is attuned to how British Airways' payment page is set up, which tells us that the attackers carefully considered how to target this site in particular."

The suspect scripts were detected based on a daily crawl of websites conducted by RiskIQ, which gathers data on more than two billion pages a day. By focusing on how the scripts on the BA site changed over time, the RiskIQ researchers found a modified script within the BA site. Code added to a JavaScript library used by the BA site called an API on a malicious Web server at baways.com—a virtual private server hosted by a provider in Lithuania, using a TLS certificate registered through Comodo (apparently to raise its appearance of legitimacy) on August 15.

The 22 lines of code were designed to export the data entered in the BA website's payment form to the malicious server when a customer clicked the "submit" button, sending the data as a JSON object. As a result, the transaction went through for the customer without any errors, while the attackers received a full copy of the customer's payment information even though the payment appeared to take place over a secure session. The attackers also added a "touchend" callback to the script, which made the attack work for users of BA's mobile app—which loaded the same, modified script.
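The detection approach RiskIQ describes (comparing a site's scripts across crawls) and the kind of change it would surface (a library that has grown an extra handler and a reference to an unfamiliar host) can be demonstrated with the following added example. It is not code from the article, RiskIQ or British Airways; the script URL, the allowlisted hostnames, the script contents and the skimmer host are all constructed placeholders.

```python
import hashlib
import re
from typing import Dict, List, Set

# Constructed allowlist: hosts that first-party scripts on the payment page may reference.
ALLOWED_HOSTS = {"www.example-airline.invalid", "cdn.example-airline.invalid"}

# Matches the hostname of any absolute http(s) URL embedded in script text.
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def referenced_hosts(script: str) -> Set[str]:
    """Hostnames that the script text references in absolute URLs."""
    return set(HOST_RE.findall(script))


def audit_scripts(baseline: Dict[str, str], crawled: Dict[str, str]) -> List[dict]:
    """Compare today's crawl to a known-good baseline of script hashes.

    baseline: script URL -> SHA-256 of its approved content
    crawled:  script URL -> content fetched in the current crawl
    Returns one finding per script that is missing, new, or modified, listing any
    hosts the changed script references that are not on the allowlist.
    """
    findings = []
    for url in sorted(set(baseline) | set(crawled)):
        if url not in crawled:
            findings.append({"url": url, "status": "missing", "unexpected_hosts": []})
            continue
        content = crawled[url]
        if url not in baseline:
            status = "new"
        elif baseline[url] != sha256(content.encode()):
            status = "modified"
        else:
            continue  # hash unchanged: nothing to report
        unexpected = sorted(h for h in referenced_hosts(content) if h not in ALLOWED_HOSTS)
        findings.append({"url": url, "status": status, "unexpected_hosts": unexpected})
    return findings


# Constructed sample data: a small library as approved, and the same library with an
# appended touchend handler and a comment naming an unknown exfiltration host.
SCRIPT_URL = "https://www.example-airline.invalid/js/validate.js"
KNOWN_GOOD = "function validate(f){return f.elements.length>0;}\n"
TAMPERED = KNOWN_GOOD + "window.addEventListener('touchend',function(){});\n" \
           "// https://skimmer-host.invalid/api\n"
BASELINE = {SCRIPT_URL: sha256(KNOWN_GOOD.encode())}
CRAWLED = {SCRIPT_URL: TAMPERED}

if __name__ == "__main__":
    for finding in audit_scripts(BASELINE, CRAWLED):
        print(finding)
```

A hash mismatch alone is the signal worth alerting on; the host extraction only prioritises which changed script an analyst reads first.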

While the modified script file's timestamp matches the beginning of the attack reported by British Airways, the registration date for the malicious site's certificate, Klijnsma said, "indicates [the attackers] likely had access to the British Airways site before the reported start date of the attack on August 21st—possibly long before. Without visibility into its Internet-facing web assets, British Airways were not able to detect this compromise before it was too late."

British Airways would not comment on the RiskIQ report, as a criminal investigation is still underway.