Image: A BA plane

A cyber-security firm has said it found malicious code injected into the British Airways website, which could be the cause of a recent data breach that affected 380,000 transactions.
A RiskIQ researcher analysed code from BA's website and app around the time when the breach began, in late August.
He claimed to have discovered evidence of a "skimming" script designed to steal financial data from online payment forms.
BA said it was unable to comment.
A very similar attack, by a group dubbed Magecart, affected the Ticketmaster website recently, which RiskIQ said it also analysed in depth.
The company said the code found on the BA site was very similar, but appeared to have been modified to suit the way the airline's site had been designed.
"This particular skimmer is very much attuned to how British Airways' payment page is set up, which tells us that the attackers carefully considered how to target this site instead of blindly injecting the regular Magecart skimmer," the researcher wrote in a report on the findings.
"The infrastructure used in this attack was set up with British Airways in mind and purposely targeted scripts that would blend in with normal payment processing to avoid detection."
Attacks like this exploit an increasingly common practice in which large websites embed multiple pieces of code from other sources or third-party suppliers.
Such code may be needed for specific jobs, such as authorising a payment or presenting ads to the user. But malicious code can be slipped in in its place - this is known as a supply chain attack.
In BA's case, hackers stole names, email addresses and credit card details - including the long number, expiry date and the three-digit CVV security code.
"As this is a criminal investigation, we are unable to comment on speculation," said BA in a statement.
A spokesman for the UK's National Crime Agency said it was aware of the RiskIQ report but would not be commenting at this time.

Data grab

RiskIQ said the malicious script consisted of just 22 lines of code. It worked by grabbing data from BA's online payment form and then sending it to the hackers' server once a customer hit the "submit" button.
The cyber-security firm added that the attackers had apparently been able to gather data from mobile app users as well because the same script was found loaded into the app on a page describing government taxes and carrier charges.
"The page [in the app] is built with the same... components as the real website, meaning design and functionality-wise, it's a total match," the RiskIQ report noted.
RiskIQ recommended that BA customers affected by the breach get a new debit or credit card from their bank.
The firm pointed out that whoever was behind the attack had apparently decided to target specific brands and that more breaches of a similar nature were likely.
"There is a very clear emerging risk where the weakest link in payment processes is being actively targeted," cyber-security expert Kevin Beaumont told the BBC.
"And that weakest link in the chain is often by placing older systems or third-party code into the payment chain."
Andrew Dwyer, a cyber-security researcher at the University of Oxford, added that the attackers appeared to have gone to "extraordinary lengths" to tailor their code to the BA site.
According to RiskIQ, they also acquired a Secure Sockets Layer (SSL) certificate - which suggests to web browsers, not always accurately, that a web page is safe to use.
If this was indeed how the attack worked, he added, there are ways of preventing third-party code from taking data from sensitive web pages.
"BA should have been able to see this," he told the BBC.
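The safeguards Dwyer alludes to can be checked mechanically: every script on a payment page should come from a known origin and be pinned with Subresource Integrity, and the page's Content Security Policy should name where form data may be sent. The Python audit below is an added example written for this article, not code from RiskIQ, BA or the BBC; the page host, the allowed CDN host, the sample HTML and the policy string are all constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Scripts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []  # attribute dict of every <script> tag on the page

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.tags.append(dict(attrs))

def audit_scripts(html, page_host, allowed_hosts):
    """Flag scripts able to read the payment form: unknown origins, and
    cross-origin scripts without Subresource Integrity (replaceable upstream)."""
    parser = _Scripts()
    parser.feed(html)
    findings = []
    for attrs in parser.tags:
        src = attrs.get("src")
        if not src:
            continue  # inline scripts are governed by CSP, not SRI
        host = urlparse(src).hostname or page_host  # relative src = first party
        if host == page_host:
            continue
        if host not in allowed_hosts:
            findings.append(f"unexpected third-party script: {src}")
        if not attrs.get("integrity"):
            findings.append(f"cross-origin script without SRI: {src}")
    return findings

def audit_csp(csp, allowed_hosts):
    """Flag connect-src / form-action gaps that let a skimmer POST form data
    anywhere (simplified: scheme-only sources such as https: count as wildcards)."""
    directives = {t[0]: t[1:] for t in (p.split() for p in csp.split(";")) if t}
    findings = []
    for name in ("connect-src", "form-action"):
        if name not in directives:
            findings.append(f"{name} not set")
            continue
        for v in directives[name]:
            host = urlparse(v).hostname if "//" in v else v
            if v not in ("'self'", "'none'") and (v == "*" or v.endswith(":") or host not in allowed_hosts):
                findings.append(f"{name} allows {v}")
    return findings

# Constructed sample (not BA's real page): one unpinned script from an unknown
# host, and a policy whose connect-src lets the page send data to any https origin.
SAMPLE_HTML = '<script src="/js/checkout.js"></script><script src="https://static.lookalike.test/m.js"></script>'
SAMPLE_CSP = "default-src 'self'; script-src 'self' cdn.pay.test; connect-src https:"
```

Run both audits against the served payment page and its CSP header; an empty findings list for each is the target state, and any new entry after a deploy is a supply-chain change worth explaining.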

Image: Broken screens at Bristol Airport

Bristol Airport has blamed a cyber attack for causing flight display screens to fail for two days.
An airport spokesman said the information screens were taken offline early on Friday to contain an attack similar to so-called "ransomware".
They are now working again at "key locations" including in departures and arrivals, and work is continuing to get the whole site back online.
The spokesman said no "ransom" had been paid to get the systems working again.
Ransomware is a form of malware that threatens to delete a victim's files unless a ransom is paid.
Spokesman James Gore said: "We believe there was an online attempt to target part of our administrative systems and that required us to take a number of applications offline as a precautionary measure, including the one that provides our data for flight information screens.
"That was done to contain the problem and avoid any further impact on more critical systems.
"The indications are that this was a speculative attempt rather than targeted attack on Bristol Airport."
Mr Gore said flights were unaffected, but contingency measures and "manual processes", including whiteboards and marker pens, had to be used in place of display screens.
"At no point were any safety or security systems impacted or put at risk."
He said it had taken "longer than people might have expected" to rectify due to a "cautious approach".
"Given the number of safety and security critical systems operating at an airport, we wanted to make sure that the issue with the flight information application that experienced the problem was absolutely resolved before it was put back online."
No flights are understood to have been disrupted as a result.

Image: Amazon

Amazon is investigating claims that its employees accepted bribes in exchange for leaking confidential sales data.

Independent sellers were also allowed to delete negative reviews and restore banned accounts for payments of between $80 (£61; €69) and $2,000, according to allegations in the Wall Street Journal.

The Journal said the practice was particularly "pronounced in China".

Amazon said it had "zero tolerance" for abuse of its systems and that it was conducting a "thorough investigation".

"We hold our employees to a high ethical standard and anyone in violation of our Code faces discipline, including termination and potential legal and criminal penalties," an Amazon spokesperson said.

They added that the company would also take "swift action" against sellers on its site who had "engaged in this behaviour... including terminating their selling accounts, deleting reviews, withholding funds, and taking legal action".

According to the Wall Street Journal, Amazon's investigation began in May when the firm was tipped off about the practice in China.

The Journal said independent brokers had used Chinese messaging service WeChat to connect independent sellers with Amazon staff.

Around half of the items sold on Amazon now come from third-party sellers, which means the online giant is able to offer a wider variety of items for sale.

Such sellers need to compete with Amazon's own products to get noticed and compete directly with the online giant to get their items higher on search results pages.

Image: Final Fantasy VII screenshot from the PS4 version

Several Final Fantasy games, including VII, IX and X, will arrive on the Switch console next year, Nintendo has announced.
The Japanese firm also revealed a number of new Switch games, such as Animal Crossing and the latest in the Luigi's Mansion series.
These would also launch in 2019, according to the company.
One analyst said it suggested Nintendo could have a strong year ahead, after relatively few titles came out in 2018.
Nintendo also unveiled wireless controllers based on the design of those made for the 1980s Nintendo Entertainment System (NES). These will be available exclusively to members of the soon-to-launch digital subscription service, Switch Online.

Image: NES controllers for the Nintendo Switch. NES controllers first appeared in 1983 - but they are still with us, albeit in an updated form.

The service will let users play with friends online and access some older Nintendo titles.
It is due to open on 19 September.
Fees to access Switch Online start at £3.49 or $3.99 for one month, with a full year costing £17.99 or $19.99.
Some of the most significant, newly announced games coming to Switch are:
  • Final Fantasy VII, IX, X, X-2, XII: The Zodiac Age and XV Pocket Edition HD
  • Yoshi's Crafted World
  • Luigi's Mansion 3 (working title)
  • Animal Crossing
  • Super Mario Bros U Deluxe
  • Katamari Damacy Reroll
  • Board game titles including Pandemic, Carcassonne and Settlers of Catan

Image: Isabelle in Animal Crossing. Fans of Animal Crossing will be pleased to see a new version of the game on the way to Switch.

And a character from Animal Crossing, helpful secretary Isabelle, will soon feature in Super Smash Bros - Nintendo's bouncy beat-'em-up.
Finally, a number of hardware bundles were unveiled for the first time, featuring Switch consoles with game-branded designs.
The Super Smash Bros and Pikachu-themed consoles will be sold with games included.


Piers Harding-Rolls, a gaming analyst at IHS Markit, said: "2018 has certainly been a bit slower in terms of really top-rated games on [Switch].
"Nintendo is obviously directing a lot of resources at the platform and is setting up for a strong 2019."
He added that Nintendo would also be looking forward to a successful Christmas period, with Super Smash Bros and the newly announced bundles due to be released before the end of the year.
Switch Online was important to get right, Mr Harding-Rolls said, because it would show that Nintendo could drum up long-term customer investment in the platform via subscriptions.
That could be key for attracting larger game publishers' online titles to Switch, he explained.

Image: FBI wanted poster for Park Jin-hyok

North Korea has said that a man charged with hacking Sony Pictures in 2014 is a "non-existent" individual and warned the US that its accusation could have a negative effect on relations between the two countries.
The US Justice Department charged Park Jin-hyok on 6 September with conspiring in "multiple destructive cyber-attacks around the world", including the 2014 attack on Sony Pictures. It alleged he created the malicious software used to cripple the UK's National Health Service in 2017.
The US Treasury Department also added Mr Park to its list of sanctioned individuals.
He is allegedly linked to Lab 110, one of the North Korean government's hacking organisations, also known as the Lazarus Group.
A commentary from North Korea's Ministry of Foreign Affairs, published by state news agency KCNA, called the sanctioning of Mr Park a "vicious slander and another smear campaign full of falsehood and fabrication designed to undermine" North Korea.


A 'non-existent entity'

The KCNA commentary said Mr Park "is a non-existent entity, and furthermore, the act of cyber crimes mentioned by the Justice Department has nothing to do with us".
It said the US was "misleading the public opinion... by forcibly linking the non-existent 'offender' and his so-called cyber crimes with our state organs", and called the sanctioning of Korea Expo Joint Venture Company, thought to be a Lab 110 front organisation, a "farce" that was "kicked up" by the US Treasury.
It went on to say that America should "seriously ponder over the negative consequences of circulating falsehoods", especially in the light of the North Korea-US joint statement following the Kim-Trump summit in June this year, which was meant to build mutual confidence between the two countries.
Despite the North Korean claims that Mr Park does not exist, the FBI has circulated a wanted poster with a photograph of the man they wish to question.

North Korea snipes back

The North Korean Foreign Ministry also criticised America's own actions in cyberspace, saying Washington has a long record of questionable behaviour when it comes to hacking and espionage.
"The US is the chief culprit responsible for posing security threats in cyberspace, and the world vividly remembers the fact that the US was criticised for bugging the cell phones of its ally leaders and launching, without hesitation, cyber-attacks against its allies, let alone its enemies," it said.
"Our State has long made it as its policy to oppose all kinds of cyber-attacks and fully ensure cyber-security, and is taking all steps for its implementation," the KCNA statement continued.

Suspected acts

North Korea remains the prime suspect for a number of malicious acts, including the theft of $81m from a Bangladesh bank, as well as attacks on South Korean virtual currency exchanges.
It is thought that North Korea-linked hacking groups have been conducting these activities as a means to obtain hard currency for the nation, which has been hit by UN sanctions on its missile and nuclear programmes.
It is highly unlikely that Mr Park will face justice in a US court, with North Korea affairs expert Martyn Williams telling the BBC that the charges are a purely symbolic move, designed to "put meat on the bones" of accusations of North Korean cyber-crimes.

Mixed messages

The anger towards the United States is curiously timed, as it comes soon after North Korea's Supreme Leader Kim Jong-un reportedly made encouraging statements about denuclearisation of the Korean peninsula.
According to South Korean officials arranging next week's summit meeting between the leaders of North and South Korea, Mr Kim said that he wanted denuclearisation and an end to hostile relations with the United States by the time President Trump's term in office ends in 2021.
However, the week's lag in criticising the US over the hacking allegations is not unusual for Pyongyang, which has just finished a programme of events celebrating the country's 70th anniversary.
Mixed messages such as this are part and parcel of North Korean diplomacy, where a furious outburst can be followed a few days later by conciliatory reports on an entirely different subject.