What is Formjacking and How Do You Prevent These Attacks?

The number and variety of cyber threats faced by businesses is growing all the time, and it can occasionally feel like a big challenge just to keep up with what's out there, let alone actually putting plans in place to deal with what might come tomorrow.

Ransomware, SQL injection attacks, spear-phishing attacks; the list seems endless. But while you should already be aware of some of the more familiar threats that seek to gain access to your network, how confident are you in the security of your website?

One recent study by Risk Based Security revealed that last year, more than five billion records were stolen in cyber-attacks, with some 6,500 breaches recorded. Of these, 39% of stolen records were the result of web-based leaks, and one of the biggest threats facing websites at the moment is formjacking.

What is formjacking?

Formjacking involves hackers placing malicious JavaScript code into a website - usually an ecommerce site where a user is expected to enter personal details - which can intercept and copy any data that is entered. This type of attack can be considered the online version of card skimmers that criminals sometimes use to collect credit or debit card details such as numbers and security codes at ATMs, or someone peering over your shoulder and writing down whatever you enter.

The tactic is essentially a three-stage process. Firstly, an attacker gains access to a website's underlying code and inserts the malicious script into a specific web page, which will usually be part of a site's checkout section. Then, when an unsuspecting user visits that page to make a purchase, they enter their details, including financial information.

Finally, when they hit submit, as well as being sent to the merchant's website for processing, an additional copy of the data is created, which goes directly to the hacker. They then end up with everything they need to commit fraud or identity theft, including a person's name, address, contact details and - crucially - full payment card details.

Is formjacking a rising threat?

While formjacking is not a new threat, the number of incidents has skyrocketed recently. Symantec, for example, noted that its software detected and blocked more than 3.7 million formjacking attempts in 2018, with a third of these occurring in the busy holiday shopping season.

The security firm said this has become the new "get rich quick" scheme for cyber criminals, and conservatively estimated that tens of millions of dollars were stolen in 2018 as a direct result of this activity. It noted that just ten credit cards stolen from each compromised website could result in a yield of up to $2.2 million each month, with a single credit card fetching up to $45 on dark web forums.

One of the biggest reasons for this boom in popularity among hackers is that it gives them easy access to everything they need to steal money in one place. While hacking into a website's database may expose encrypted credit card numbers, formjacking provides full access to more valuable information such as CVV numbers, which are often essential for making online purchases as they normally provide an extra layer of protection.

Most reputable online merchants don't store this information, or at least hold valuable details in separate databases, in order to limit the risk of any potential breach. However formjacking allows hackers to bypass these safeguards by collecting full details at the moment consumers enter them.

Real-world examples of formjacking attacks

According to research by Tala Security, as many as 99% of the world's most-visited websites could be vulnerable to formjacking attacks due to unsupervised third-party JavaScript integrations. Retailers are often among the more popular targets for formjacking, but any business that has an ecommerce element set up to take online payments may attract the attention of hackers. Indeed, several of the world's most recognizable brands have fallen victim to this.

British Airways

One of the largest formjacking attacks in recent times targeted British Airways (BA). In 2018, the airline's website was compromised by the insertion of malicious code placed in its third-party payment system, which could put anyone making a payment via the site at risk of credit card fraud. The attack went unnoticed for months, impacting around 380,000 transactions and, according to Symantec, could have netted the hackers as much as $17 million.

The damage from this is still being felt today. The firm was initially hit with a £183 million ($252.6 million) fine for the breach by the UK's Information Commissioner's Office under GDPR rules, though this was later reduced to £20 million. However, the airline is now the subject of the UK's largest-ever class-action lawsuit relating to a data breach, which could end up costing the company billions of pounds in compensation.

Ticketmaster

A similar incident to BA's also affected the UK arm of ticketing firm Ticketmaster, which saw up to 40,000 customers affected. In this case, the hackers were able to infiltrate the firm's chatbot - run by a third-party called Inbenta - to skim the credit card information of customers using Ticketmaster's site. Also like BA's, the breach went undetected for months, even after the issue was flagged by digital bank Monzo, which noticed fraudulent transactions on some of its customers' accounts.

Newegg

For online retailer Newegg, the story was almost identical. A month-long formjacking attack was the result of just 15 lines of code injected into its payment systems, which again went unnoticed until third parties raised the alarm. It wasn't revealed how many customers were affected, but given the retailer's site sees around 50 million visitors a month, the number of victims is likely to be high.

First Aid Beauty

These attacks were all traced back to a single hacking group known as Magecart. In 2019, the group was believed to have struck again, this time targeting Proctor & Gamble-owned skincare brand First Aid Beauty. This was reported to be an unusually sophisticated attack, with the malicious code tailored not to run for non-US visitors or users on Linux - which indicates a deliberate attempt to avoid the attention of security researchers who commonly use this platform.

While larger companies will often make the headlines due to the number of people potentially affected, it doesn't mean they'll be the only targets. In fact, Symantec's research suggests small and medium-sized merchants are just as much at risk, if not more so.

For instance, during a three-day period in September 2018, it identified 1,000 formjacking attempts across 57 websites, ranging from an Australian fashion retailer to a French outdoor accessories supplier. This illustrates that any organization that does business online could be at risk.

How can you spot formjacking?

Another factor that hackers can take advantage of is that formjacking can be very difficult for end-users to spot. While consumers have long been taught to verify the identity of any web page they enter personal details into, and only use those that are certified as secure using HTTPS, a page that has been compromised by formjacking will pass all these checks, so even the most security-conscious shopper can be targeted.

Since an individual is entering their details on a legitimate website, which appears completely unchanged to the end-user, and the retailer is still receiving the correct details unaltered, it is often simply not possible for a customer to tell if the form they're using has been compromised. Therefore, it's up to merchants themselves to secure their websites.

However, this may be easier said than done. Many larger, more professional formjacking attacks take active steps to evade detection. The Magecart group, for example, set up spoofed web domains designed to look like those of the legitimate company and even purchased paid SSL certificates from Comodo to make them look more like legitimate servers.

How to prevent formjacking attacks

This doesn't mean businesses are helpless to prevent formjacking, as there are still steps they can take to reduce their risk. Here are a few defenses every business should have in place.

Use effective IDPS solutions

The best solution is to ensure the malicious code can't be added in the first place, so one of the first steps any online merchant should take is to ensure they have an effective, up-to-date intrusion detection and prevention system (IDPS) in place. This should be able to identify any changes to a website's code, which can be a telltale sign of a formjacking attack.

Focus on your supply chain

It's not enough just to lock down your own systems, as many formjacking attacks originate in third parties, with the software supply chain often used as the primary infection point. These supply chain attacks that target target firms are particularly useful for hackers that wish to gain access to larger enterprises with advanced security defenses, as these suppliers are often smaller companies that don't have the same security resources as their larger customers. Therefore, any software delivered from these firms must be closely scrutinized.

Have a Content Security Policy

HTTP directives such as HTTP Content-Security-Policy (CSP) and Subresource Integrity (SRI) can place restrictions on where scripts can be loaded from, what they can do, and where they send data. For example, Symantec notes that with the right policies, a CSP can define a whitelist from which scripts can be loaded and block malicious code from being loaded from remote locations. However, this can cause issues if firms are dependent on third party software.

Test, test, test

Symantec recommends testing every new update - even the smallest and most legitimate-seeming ones - in test environments or sandboxes before they're set live, in order to spot any odd behavior. You can also set up simulated purchases to track interactions and look for suspicious activity, for example.

Keep monitoring

A thorough testing regime should be supported by ongoing behavior monitoring of all activity on a system. This can also help identify any unwanted patterns and allow firms to block anything suspicious before damage can be done. For instance, regularly crawling your website with an automated framework like PhantomJS can identify any unusual activity, such as resources being loaded from new domains.

With the right defenses in place, you can ensure your website is free from any unwanted code that puts your customers at risk, which is essential for protecting both your revenue and your reputation.