What Happened During the Air Europa Cyber Attack?

More than 100,000 Air Europa customers received a communication from the company a week ago, informing them of a cyber-attack that compromised their data.

“We inform you that a cybersecurity incident was recently detected in one of our systems consisting of a possible unauthorised access to data from your bank card”, the company detailed in the message, as reported by the National Institute of Cybersecurity (INCIBE).

Air Europa specified that the data stolen was the bank card number, as well as the expiry date and CVV of the card. In this way, the company urged its customers to cancel their cards.

“Given the risk of card impersonation and fraud that this incident could pose, and in order to protect your interests, we recommend that you take the following steps: identify the card used to make payment(s) on the Air Europa website; contact your bank; request the cancellation/cancellation/replacement of that card in order to avoid the possible fraudulent use of your information; do not provide personal information, your pin number, name or any other personal data via telephone, message or email, even when they identify themselves as your bank; do not click on links that warn you of fraudulent transactions. Contact your bank directly by verifiable means, and collect any evidence of possible unauthorised use of your card and report it to the State Security Forces”, Air Europa specified in its message.

What happened?

The circumstances of the incident are unclear. “No details of the attack have been provided, so we can only make assumptions about it,” says Josep Albors, director of Research and Awareness at ESET Spain.

“It appears to be a formjacking attack, also known as Magecart – after one of the groups that began to popularise this type of attack – or web skimming,” says Luis Corrons, security evangelist at Avast.

Albors agrees with him. “One hypothesis is that the attackers have used the technique of web skimming, which consists of stealing on the fly the information entered in the fields we fill in, for example, when buying a plane ticket. Criminals manage to modify the source code of the legitimate website to obtain valuable data such as credit card details, which are sent to servers controlled by the attackers,” he specifies.

It recalls that “such an incident happened to British Airways in September 2018, which subsequently led to a fine of £183 million”.

On the other hand, it points out that “another hypothesis, although less likely, is that the attackers managed to gain access to the systems responsible for storing sensitive data such as the credit cards used by customers”.

However, he points out that “compliance with PCI DSS regulations does not allow certain data to be stored, and even less so without encryption, so this type of cyberattack is less likely in this case”.

Raquel Puebla, Cyber Intelligence Analyst at Entelgy Innotec Security, believes that “the action against Air Europa would have consisted of intercepting the banking data of the organisation’s users”.

“It could have been a Man in the Middle type of cyberattack or, in other words, a man-in-the-middle attack, whereby the cybercriminal acquires the ability to position himself between two individuals or entities exchanging messages in order to read or modify them. Thus, there is a possibility that the attackers could have manipulated the DNS records of the payment gateway by creating an intermediary step in which the actor obtains the data of customers trying to make a transaction with Air Europa, which is finally made effective in order to evade suspicion,” he says.

What was the gateway?

It has not yet been revealed how the cybercriminals got in. “We don’t know how they managed to inject the malicious script into the Air Europa website. It could have been a vulnerability, a web administrator account that has been compromised… With this code, every time a user adds his or her data, the external server and thus the cybercriminals also receive it. Could this have been avoided? Perhaps, but it could also be a new vulnerability that currently has no solution. It’s not the most likely scenario, but we can’t rule it out,” says the Avast expert.

As for what could have gone wrong, he believes it could be that “Air Europa did not have some of the latest security patches or software versions installed, that it did not have multiple factor authentication implemented in some services, or a configuration or permissions assignment error”.

In any case, Albors stresses that “it is difficult to point to a specific failure without knowing for sure the method by which the attackers got hold of the data”.

However, he points out that “some of the techniques commonly used include the use of previously stolen credentials or those guessed by brute force attacks, the exploitation of vulnerabilities or even social engineering to gain access to a system within the company’s network and, from there, move through that network to gain access to the target systems”.

Itxaso Reboleiro, cyber-intelligence analyst at Entelgy Innotec Security, also refers to the lack of knowledge of the technical details of the cyber-attack in order to know whether it could have been prevented.

On the assumption that it was due to Man in the Middle techniques with manipulation of DNS servers, as mentioned above, he says that “it is possible that the attackers exploited a known vulnerability in older DNS servers”.

“The gateway would presumably have been the payment gateway system through which customers enter their bank details to purchase a service, which can be accessed from the organisation’s web application, so the cybercriminal would have positioned himself between the system and the DNS server to intercept the information transmitted from one point to the other”.

Who is behind it?

We also do not know who is responsible for this attack. “We don’t know who is behind it right now, but seeing that their objective is to steal credit card data, it is quite clear that they are cybercriminals with a certain amount of experience,” Corrons notes.

In addition, José Carlos Alva, cybersecurity expert at Kyndryl Spain and Portugal, believes that “the main motive is economic, generally sought by a cybercriminal industry that has outsourcing, dedicated staff and even R&D divisions”.

The head of ESET insists that “there are no known motivations or perpetrators for the attack, although one might think, due to the type of data stolen, that the main motive is financial”.

Despite this, Puebla stresses that “there has been no evidence of any actual fraud carried out thanks to the data collected by the cybercriminals, so it cannot be confirmed that the motivation is financial”.

How could Air Europa be harmed?

It is too soon to know how this attack might have affected Air Europa, but cybersecurity experts explain what repercussions such incidents often have for companies.

“Companies can face bankruptcy, loss of reputation or heavy fines from regulatory bodies. However, what most affects the survival of a company in this regard is the loss of customer confidence, causing a loss of marketshare that takes years to recover,” warns the Kyndryl representative.

Similarly, Reboleiro points out that “a successful cyber-attack that compromises customer information with a high frequency leads to a decrease in the organisation’s reputation, given that they place their trust in it to protect their most sensitive data”. In any case, he believes that “Air Europa is acting diligently, so this impact is likely to be minimal.

ESET’s expert also highlights the reputational damage caused by these incidents, but also recalls that there is “the possibility of a financial fine like the one imposed on British Airways a few years ago if it is proven that the necessary measures were not taken to protect the sensitive data of the airline’s customers”.

As noted above, it should be recalled that the British airline was fined £183 million, although this was eventually reduced to £20 million, following the airline’s submissions and taking into account the economic impact of COVID-19 on its business when setting the final penalty.

What should those affected do?

Customers who have been affected by the data theft should follow the instructions provided by Air Europa in its communication. In other words, cancel any credit cards that may have been involved in the incident.

In addition, Albors stresses that “it is highly advisable to review the movements made with these cards before cancelling them”. And if any fraudulent transactions are detected, Corrons stresses that it is necessary to “contact the card issuer and the authorities to file the corresponding complaint”.

On the other hand, the ESET expert indicates that they should “be on the lookout for possible e-mails where criminals impersonate the airline company or their bank and ask for personal information”.

Similarly, Puebla points out that “they should be alert to communications that reach them by any means (text message, email, voice, social networks, etc.), given that possible threat actors could contact them with the aim of carrying out a fraud that affects them, such as, for example, obtaining more information about them and impersonating their identity”.

In line with this, it emphasises that “under no circumstances will banks or companies request any personal or banking data from those affected through unofficial means”.

Adequate response from the airline?

The speed of Air Europa’s response, making the attack known and notifying its customers, is considered positive by the specialists. “The fact of communicating directly with the affected users so that they can cancel their compromised credit cards is appropriate,” says Avast’s security evangelist.

Reboleiro agrees with him. “Air Europa’s response after detecting the security incident has been adequate, even exemplary, as it has complied with the directive to notify those involved within 72 hours of detection of the breach, providing effective recommendations to avoid any impact on them. In addition, it is conducting audits to determine the source of the cyber-attack and address any potential weaknesses in its systems,” he says.

Similarly, the ESET expert believes that “the company has been very transparent in communicating the incident to its customers, indicating the measures to be taken to avoid fraudulent charges on their credit cards”.

In addition, he points out that “some sources indicate that the Spanish Data Protection Agency and INCIBE, among others, have been informed in a timely manner”.

How to prepare?

It is practically impossible to have 100% security guaranteed, but it is worth bearing in mind a series of recommendations to make it more difficult for cybercriminals and to be better prepared for possible attacks.

“Every company’s website should follow strict security protocols. Keeping security patches up to date and reviewing the code for possible vulnerabilities is the first step to avoid falling victim to a cyber-attack. In addition, trusted security software can detect and block malware and identify potential attacks before they have a chance to take place. It is also key to perform regular security audits,” Corrons says.

Puebla notes that “having a correct bastioning of systems and applying daily the security solutions developed for the vulnerabilities that are identified is essential to minimise the possibility of becoming a victim of a successful cyberattack”.

In addition, he notes that “institutions are advised to keep themselves informed and updated on the latest cybersecurity incidents, as well as to raise awareness among the organisation’s employees about cyberthreats involving social engineering components, as these are often common initial access vectors for threat actors”.

Albors stresses that “it is important that organisations adopt measures to help them identify their most valuable data and systems, carry out audits to identify weak points that could become potential entry points for attackers and, based on this information, adopt the necessary security measures”.

Among such measures, he recommends “strengthening user permission and credential policies, implementing measures such as two-factor authentication and the use of VPNs for remote workers; limiting permissions to sensitive data to only those employees who require them; and segmenting the company network so that the compromise of one device in one area does not end up affecting the rest”.

He also points out that “periodic code reviews should be implemented and mechanisms established to detect malicious modifications to web code if we have an online shopping platform, as well as security solutions that allow us to detect possible threats and strange behaviour of applications in all the systems of our network”.

For his part, Alva points out that “it is important for organisations to have adequate operational security”, which means having Endpoint Detection and Response (EDR) systems, Intrusion Detection System (IDS), vulnerability management, crisis management plan, Security Operations Center (SOC), etc.

He also advises “incorporating offensive security, including network team exercises and pentesting”, as well as “having a clear cyber resilience strategy with well-defined data protection mechanisms and recovery strategies for cyber-attacks”.