Formjacking: The Online Scam Hidden in Your Website Code

Tech Insights for Professionals


Tuesday, May 14, 2019

Businesses are tirelessly fighting against the threat of cyber attacks. And while formjacking is not new, the number of incidents has exploded in recent times. So first of all, what is formjacking, and how can you stop it harming your customers?


The number and variety of cyber threats faced by businesses is growing all the time, and it can occasionally feel like a big challenge just to keep up with what's out there, let alone put plans in place to deal with what might come tomorrow.

Ransomware, SQL injection attacks, spear-phishing; the list seems endless. But while you should already be aware of some of the more familiar threats that seek to gain access to your network, how confident are you in the security of your website?

One recent study by Risk Based Security revealed that last year, more than five billion records were stolen in cyber-attacks, with some 6,500 breaches recorded. Of these, 39% of stolen records were the result of web-based leaks, and one of the biggest threats facing websites at the moment is formjacking.

Formjacking: what is it?

Formjacking involves hackers placing malicious JavaScript code into a website - usually an ecommerce site where a user is expected to enter personal details - which can intercept and copy any data that is entered. It can be considered the online version of the skimmers that criminals sometimes use to collect credit card details at ATMs, or of someone peering over your shoulder and writing down whatever you enter.

The tactic is essentially a three-stage process. Firstly, an attacker gains access to a website's underlying code and inserts the malicious script into a specific web page, which will usually be part of a site's checkout section. Then, when an unsuspecting user visits that page to make a purchase, they enter their details, including financial information.

Finally, when they hit submit, as well as being sent to the merchant's website for processing, an additional copy of the data is created, which goes directly to the hacker. They then end up with everything they need to commit fraud or identity theft, including a person's name, address, contact details and - crucially - full credit card details.

Source: Symantec

A rising threat

While formjacking is not a new threat, the number of incidents has skyrocketed recently. Symantec, for example, noted that its software detected and blocked more than 3.7 million formjacking attempts in 2018, with a third of these occurring in the busy holiday shopping season.

The security firm said this has become the new "get rich quick" scheme for cyber criminals, and conservatively estimated that tens of millions of dollars were stolen in 2018 as a direct result of this activity. It noted that just ten credit cards stolen from each compromised website could result in a yield of up to $2.2 million each month, with a single credit card fetching up to $45 on dark web forums.

One of the biggest reasons for this boom in popularity among hackers is that it gives them easy access to everything they need to steal money in one place. While hacking into a website's database may expose encrypted credit card numbers, formjacking provides full access to more valuable information such as CVV numbers, which are often essential for making online purchases as they normally provide an extra layer of protection.

Most reputable online merchants don't store this information, or at least hold valuable details in separate databases, in order to limit the risk of any potential breach. However, formjacking allows hackers to bypass these safeguards by collecting full details at the moment consumers enter them.

Who is being targeted?

One of the most high-profile targets of formjacking in recent times was the hack on British Airways in 2018. The insertion of malicious code on the company's website, thought to have been placed on the site's third-party payment system, went undetected for months and impacted around 380,000 transactions. According to Symantec, this attack alone could therefore have netted the hackers as much as $17 million.

The British Airways incident was thought to be the work of a hacking group called Magecart, which has also targeted other large ecommerce websites including Ticketmaster and Newegg. However, while these larger companies will often make the headlines due to the number of people potentially affected, it doesn’t mean they’ll be the only targets.

In fact, Symantec's research suggested small and medium-sized merchants are just as much at risk, if not more so. During a three-day period last September, it identified 1,000 formjacking attempts across 57 websites, ranging from an Australian fashion retailer to a French outdoor accessories supplier. Therefore, any organization that does business online could be at risk.

How can you spot formjacking?

Another factor that hackers can take advantage of is that formjacking can be very difficult for end-users to spot. While consumers have long been taught to verify the identity of any web page they enter personal details into, and only use those that are certified as secure using HTTPS, a page that has been compromised by formjacking will pass all these checks, so even the most security-conscious shopper can be targeted.

Since an individual is entering their details on a legitimate website, which appears completely unchanged to the end-user, and the retailer is still receiving the correct details unaltered, it is often simply not possible for a customer to tell if the form they're using has been compromised. Therefore, it’s up to merchants themselves to secure their websites.

However, this may be easier said than done. Many larger, more professional formjacking attacks take active steps to evade detection. The Magecart group, for example, set up spoofed web domains designed to look like those of the legitimate company and even purchased paid SSL certificates from Comodo to make them look more like legitimate servers.

What can you do to prevent it?

This doesn’t mean businesses are helpless to prevent formjacking, as there are still steps they can take to reduce their risk. The best solution is to ensure the malicious code can't be added in the first place, so one of the first steps any online merchant should take is to ensure they have an effective, up-to-date intrusion detection and prevention system in place.

This should be able to identify any unauthorized changes to a website's code that can be a telltale sign of a formjacking attack and proactively block the changes. However, it’s not enough just to lock down your own systems, as many formjacking attacks actually originate in third parties, with the software supply chain often used as the primary infection point.

Targeting these firms is particularly useful for hackers that wish to gain access to larger enterprises with advanced security defenses, as suppliers are often smaller companies that don’t have the same security resources as their larger customers, and as such can be a softer target with more potential vulnerabilities.

To counter this, Symantec recommends testing every new update - even the smaller and most legitimate-seeming ones - in test environments or sandboxes before they are set live in order to spot any odd behavior. This should be supported by ongoing behavior monitoring of all activity on a system, which can also help identify any unwanted patterns and allow firms to block anything suspicious before damage can be done.
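One way to check a checkout page for unauthorized script changes, as described above, is to compare every script on the page against an approved baseline. This is an added example, not code from the article or from Symantec; the hostnames, the baseline format and the function names (`listScripts`, `auditPage`) are assumptions made for illustration.

```javascript
// Added example (not from the article): script inventory check for a checkout page.
const crypto = require("node:crypto");

// Digest in Subresource Integrity format, e.g. "sha384-<base64>".
const sri = (text) =>
  "sha384-" + crypto.createHash("sha384").update(text, "utf8").digest("base64");

// Pull every <script> element out of the HTML. A regex is enough for this
// sketch; a production check would use a real HTML parser.
function listScripts(html) {
  const scripts = [];
  for (const [, attrs, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)) {
    const attr = (name) =>
      (attrs.match(new RegExp(`(?:^|\\s)${name}\\s*=\\s*["']([^"']*)["']`, "i")) || [])[1];
    scripts.push({ src: attr("src"), integrity: attr("integrity"), body: body.trim() });
  }
  return scripts;
}

// Report every script that is not in the approved baseline.
function auditPage(html, baseline) {
  const findings = [];
  for (const s of listScripts(html)) {
    if (s.src) {
      const approved = baseline.external[s.src];
      if (!approved) findings.push(`unapproved external script: ${s.src}`);
      else if (s.integrity !== approved) findings.push(`integrity missing or changed: ${s.src}`);
    } else if (!baseline.inline.includes(sri(s.body))) {
      findings.push(`unapproved inline script (${s.body.length} chars)`);
    }
  }
  return findings;
}

// Constructed sample data: hostnames, file contents and hashes are hypothetical.
const SDK_HASH = sri("/* constructed payment SDK contents */");
const baseline = {
  external: { "https://pay.example/sdk.js": SDK_HASH },
  inline: [sri("initCheckout();")],
};
const cleanPage = `<form id="pay"></form>
<script src="https://pay.example/sdk.js" integrity="${SDK_HASH}" crossorigin="anonymous"></script>
<script>initCheckout();</script>`;
// Same page after an unauthorized change: two script elements nobody approved.
const tamperedPage = cleanPage +
  `\n<script src="https://pay-example.invalid/lib.js"></script>` +
  `\n<script>/* constructed: unexpected inline code */</script>`;

console.log(auditPage(cleanPage, baseline));
console.log(auditPage(tamperedPage, baseline));
```

Run against the rendered checkout page on a schedule and after every deployment or third-party update, any finding means the page differs from what was approved and should be reviewed before it stays live.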

With the right defenses in place, you can ensure your website is free from any unwanted code that puts your customers at risk, which is essential for protecting both your revenue and your reputation.
