With cryptocurrency values fluctuating wildly, cybercriminals are moving away from cryptojacking and ransomware and finding new ways to make a quick and dirty dollar. Their current scam of choice is formjacking. Formjacking involves the malicious use of JavaScript code to steal financial and personal data, most notably credit card numbers, from payment forms on e-commerce website checkout pages. The cybercriminal implants a small piece of code into a website's checkout page, then sits back and waits. Director of Product Marketing for Symantec Americas, Robert Arandjelovic, describes formjacking as the digital equivalent of placing a skimming device on an ATM to read a debit card’s numbers. “Formjacking is effectively, a remote, web-based version of that,” Arandjelovic explained.[i]
Formjacking isn’t new to the cybersecurity threat game; however, from mid-August 2018 into early 2019, formjacking incidents rose steadily. In a recent cybersecurity threat report, Symantec stated that it blocked more than 3.7 million formjacking attempts in 2018, with more than one million of those blocks occurring in November and December[ii], thanks to increased online Christmas shopping. According to Symantec’s data, 4818 different websites were plagued with formjacking code every month of 2018. With financial data from one credit card being sold for up to $45 in underground markets, just ten stolen credit cards from each website compromised with formjacking could result in a $2.2 million yield each month for cybercriminals. The financial draw of formjacking for cybercriminals is evident.
A great deal of the formjacking activity has been linked to a group of threat actors named Magecart. Magecart is believed to be composed of several groups, some in direct competition with each other. Magecart is thought to be behind some high-profile cybersecurity breaches and formjacking attacks, including those on British Airways, Ticketmaster and VisionDirect.[iii] The surge in formjacking mirrors the growth in supply chain cybersecurity attacks. Magecart, in some instances, targeted third-party services such as surveys and chats, with the aim of getting its code past less-effective cybersecurity and onto the targeted website. In the cybersecurity breach of Ticketmaster, Magecart compromised a third-party chatbot, which then loaded malicious formjacking code into the browsers of visitors to Ticketmaster’s website to harvest customers’ payment information.[iv] Supply chain cybersecurity attacks are especially tricky because it doesn’t matter how strong your business’s cybersecurity is if attackers can manipulate the cybersecurity of other businesses that have access to your network. Using smaller businesses with less robust and sophisticated cybersecurity systems to breach a bigger fish’s website is becoming a norm. “They like the low and slow approach,” said Kevin Haley, Director of Product Management for Security Response at Symantec.[v] Left out of the news are the small and medium-sized online retailers that Symantec found to have formjacking code embedded onto their websites, and the smaller businesses that were part of the supply chain. Formjacking isn’t just a big business problem, but a global cybersecurity problem that can affect any company with an e-commerce presence.
When a customer keys their personal and credit card data onto a compromised e-commerce site, the malicious JavaScript code that’s corrupted the site collects all of the information entered. The users’ credit card data, name and address are then siphoned off to the cybercriminal’s server. The cybercriminal can then either perform credit card fraud with the information or sell the information on the dark web. Unlike cryptojacking, which slows down devices to the extent that consumers recognize that there is a problem, formjacking is virtually impossible to detect until the credit card statement comes or the bank calls. “What makes this really scalable is that nothing is actually impacting the computers. The bad guys are actually finding a way to infect the website itself,” Arandjelovic explained.[vi]
Cybersecurity 101: Keeping your form or your data from getting jacked
Greg Clark, CEO of Symantec, said, “Formjacking represents a serious threat for both businesses and consumers. Consumers have no way to know if they are visiting an infected online retailer without using a comprehensive security solution, leaving their valuable personal and financial information vulnerable to potentially devastating identity theft.”[vii] Symantec claims that in 2018 it blocked over 3.7 million formjacking attempts. Approximately one in 40 of the blocked formjacking attempts targeted Canadians.[viii]
How do users protect themselves?
The best way to prevent your personal and financial data from being lifted in a formjacking scam is to apply the same cybersecurity rules you would to other scams. Top of that list is installing antivirus software and ensuring all cybersecurity patches are updated. Also, it is vital that you never complete financial transactions on unfamiliar devices or while using public Wi-Fi.
If you understand HTML, JavaScript, and other programming languages, then you can always evaluate the code on an e-commerce website. Open your browser, then click on a page and choose “View Page Source.” You may be able to locate instructions to read and redirect form data to a remote server. However, it’s unlikely you’ll find it even if you look. Malware developers are sneaky and have become good at camouflaging malicious code as innocuous.
Haley said that really “It’s up to the website owners to protect against this threat.”[ix]
How do businesses protect themselves?
Because many of these attacks go through third-party applications, it’s essential to have a good relationship with the software supplier and understand their cybersecurity vulnerabilities. Haley advises that you “test updates before using them” and “scan your websites looking for unexpected code.”[x] It is vital that you have cybersecurity tools in place that allow you to lock down your website and cybersecurity tools that will alert your IT department if there are any changes to your e-commerce pages. Cybersecurity tools that lock and alert are of greater significance if your e-commerce pages interact with any other website for financial processing tasks. You need to ensure that both your website and any third-party websites your code is communicating with are clear of any malicious code. One way of combatting formjacking is to use Subresource Integrity tags, which allow browsers to verify that the resources they fetch are delivered without unexpected manipulation. Subresource Integrity works by providing a cryptographic hash that a resource must match.
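The Subresource Integrity check described above, written out as an added Node.js example (not code from Symantec or any vendor named in this article). The widget URL and script bodies are constructed for illustration; the functions compute the hash a site owner would publish and repeat the comparison a browser makes before running a third-party script.

```javascript
const crypto = require("crypto");

// Hash algorithms defined for Subresource Integrity, weakest to strongest.
const SRI_ALGS = ["sha256", "sha384", "sha512"];

// Build an integrity value ("sha384-<base64 digest>") for a resource body.
function computeSri(body, alg = "sha384") {
  if (!SRI_ALGS.includes(alg)) throw new Error("unsupported SRI algorithm: " + alg);
  return alg + "-" + crypto.createHash(alg).update(body).digest("base64");
}

// Mirror the browser-side check: parse the space-separated integrity value,
// keep only the strongest algorithm listed, and accept the resource if any
// hash of that algorithm matches the bytes that were actually fetched.
function verifySri(body, integrity) {
  const entries = integrity.trim().split(/\s+/)
    .map((token) => {
      const dash = token.indexOf("-");
      return { alg: token.slice(0, dash), digest: token.slice(dash + 1).split("?")[0] };
    })
    .filter((e) => SRI_ALGS.includes(e.alg));
  if (entries.length === 0) return true; // no usable hash listed: nothing is enforced
  const strongest = entries.reduce((a, b) =>
    SRI_ALGS.indexOf(b.alg) > SRI_ALGS.indexOf(a.alg) ? b : a).alg;
  return entries
    .filter((e) => e.alg === strongest)
    .some((e) => computeSri(body, e.alg) === e.alg + "-" + e.digest);
}

// Tag the checkout page would carry; crossorigin is needed for cross-origin scripts.
function scriptTag(src, body) {
  return `<script src="${src}" integrity="${computeSri(body)}" crossorigin="anonymous"></script>`;
}

// Constructed sample: the reviewed vendor script and a later, altered copy.
const vendorScript = "window.chatWidget = { open() { /* render chat UI */ } };\n";
const tamperedScript = vendorScript + "/* unexpected code appended upstream */\n";
const pinned = computeSri(vendorScript);

console.log(scriptTag("https://chat.vendor.example.org/widget.js", vendorScript));
console.log("original accepted:", verifySri(vendorScript, pinned));
console.log("tampered accepted:", verifySri(tamperedScript, pinned));
```

The pinned hash has to be regenerated and reviewed whenever the supplier ships a legitimate update, which fits Haley's advice to test updates before using them.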
Using your cybersecurity tools, you should also monitor your outbound traffic. You may not be able to determine if the traffic-flow from the formjacking software is malicious. However, using your cybersecurity tools, you would be able to tell if it’s being redirected to somewhere it is not supposed to go. If the cybersecurity tools alert you to suspicious traffic, that’s a sign you need to evaluate your website for malicious code. Any form can be compromised, so beyond credit card payment forms, you need to be wary of online loan application, tax, or health forms that may have sensitive data attractive to cybercriminals. It is vital that any online business presence that collects personal or financial data via a form take cybersecurity precautions and use proper cybersecurity tools to protect against formjacking. If your customers get formjacked on your website, and you’ve not taken adequate cybersecurity measures to protect against it, then your company will lose customers, revenue and reputation. Talk to an ISA cybersecurity specialist to ensure your company’s cybersecurity tools are protecting your online forms from falling victim to formjacking.
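One way to run the outbound-traffic check described above, as an added Node.js example that is not part of the original article. The log format, host names and allowlist are all constructed assumptions; the function flags requests made from checkout pages to any host that is not on the list of expected destinations.

```javascript
// Hosts the checkout page is expected to talk to (assumed values for this example).
// A leading dot means "this domain and its subdomains".
const ALLOWED_HOSTS = ["shop.example.com", ".payments.example.net"];

// Exact match, or subdomain match on a dot boundary, so that lookalikes such as
// "payments.example.net.cdn-metrics.test" or "evilpayments.example.net" fail.
function hostAllowed(host, allowed = ALLOWED_HOSTS) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return allowed.some((entry) =>
    entry.startsWith(".") ? h === entry.slice(1) || h.endsWith(entry) : h === entry);
}

// Constructed sample log: time, method, requested URL, page that made the request.
const SAMPLE_LOG = `
2019-03-01T10:00:01Z GET https://shop.example.com/js/checkout.js page=/checkout
2019-03-01T10:00:02Z POST https://api.payments.example.net/v1/charge page=/checkout
2019-03-01T10:00:02Z POST https://payments.example.net.cdn-metrics.test/collect page=/checkout
2019-03-01T10:00:05Z GET https://chat.vendor.example.org/widget.js page=/checkout
2019-03-01T10:00:09Z POST https://cdn-metrics.test/collect page=/cart
`;

// Return every request from a form-bearing page whose destination is unexpected.
function findUnexpectedDestinations(logText, pagePrefix = "/checkout") {
  const findings = [];
  for (const line of logText.split("\n")) {
    const [time, method, rawUrl, pageField] = line.trim().split(/\s+/);
    if (!pageField || !pageField.startsWith("page=")) continue; // blank or malformed line
    if (!pageField.slice(5).startsWith(pagePrefix)) continue;   // only pages with forms
    let host;
    try { host = new URL(rawUrl).hostname; } catch { host = "(unparseable)"; }
    if (!hostAllowed(host)) {
      findings.push({ time, method, host, sendsData: method === "POST" });
    }
  }
  return findings;
}

for (const f of findUnexpectedDestinations(SAMPLE_LOG)) {
  console.log(`${f.time} ${f.method} to unexpected host ${f.host}` +
    (f.sendsData ? " (request carries a body)" : ""));
}
```

A finding does not prove the page is compromised; it marks a destination to trace back to the script that contacted it, including third-party widgets missing from the allowlist.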