Formjacking is a new invisible threat in cyberspace today. The term “Formjacking” is a combination of “online/website form” and “hijacking”. This term brings about the digital version of the well-known skimming by cybercriminals.

Like it sounds, this kind of threat involves a cybercriminal taking over forms on websites by exploiting their security weaknesses. Cybercriminals use lines of malicious JavaScript code on the checkout page forms of eCommerce websites to steal client payment information such as credit card numbers, usernames and passwords, social security numbers among other important/private data. The major aim of formjacking is to harvest as much valuable data as possible that website clients submit via eCommerce forms.

How does this occur?

There are many formjacking vectors that cybercriminals will use to launch attacks to get access to any information that they want, as noted below;

1. Fraudsters prepare card slots at ATMs with their own card reader. The pin code is spied out simultaneously with small cameras. The bank card can be duplicated with the collected data.
2. The user’s payment card data can be trapped when they use the card on an e-commerce payment page that has been injected with a JavaScript code. When the user clicks “submit,” the malicious JavaScript code collects the entered information. This code is injected on eCommerce sites by cyberthreat actors with an aim to collect information such as payment card details, home and business addresses, phone numbers and more. Once the information has been collected, it is then transferred to the attacker’s servers, that is then used for financial gain.

Another menace may happen when the criminals use this data for identity theft or payment card fraud.

Summit’s 2018 project frontline that brings about Cyberspace Security Report, shows that 92% of credential gathering and data exfiltration was achieved from different websites and online forums.

Download and read Project frontline Here.

Notable Examples of Formjacking Attacks that have been successful include British Airways and Ticketmaster attacks that were believed to be perpetrated by Magecart. The British Airways attack resulted in more than 380,000 credit cards being stolen at an estimated loss of $17 million. This is in addition to the record £183 million fine that was levied against the company due to its lack of General Data Protection Regulation (GDPR) compliance. GDPR allows fines of up to 4% of a company’s annual turnover for noncompliance.

Who’s behind the attacks?

Formjacking belongs to man-in-the-middle attacks, in which attackers position themselves unnoticed between the communication partners using malware. But who are the unknowns? Known to be active since 2015, “Magecart” refers to at least seven different hacking groups and has become a household name in recent years as these groups were responsible for the well-known cyberattacks on large companies including British Airways, Ticketmaster, and Newegg.

Magecart attack methods involve browser-based injection of malicious JavaScript code, often well-disguised as a Google tag or other common website analytics code snippet. This malicious code “skims” form entry fields for payment card data, names, addresses, and even personal information or protected health information (PHI)–depending on what type of website is attacked.

Magecart attackers are best known for hacking into Magento shopping cart pages, but they are not limited to just payment card data. Formjacking has been discovered on all types of pages and sites: healthcare sites, login pages, etc.

How can you protect yourself?

1. Online users may fail to detect and prevent formjacking during online shopping because the infected pages look unchanged. It is therefore advisable to restrict purchases to large shops which, in contrast to small e-commerce websites, are equipped with more extensive security systems.
2. Credit cards should also have a second level of defence in the form of 3D Secure in credit card systems. For example, no transaction is possible without a Transaction authentication number (TAN) code sent to user’s smartphone.
3. The responsibility for protecting user’s data against e-skimming attacks lies back to the companies. It is imperative that the company keeps their security systems up to date. This is to focus on keeping entry gates for malware into the system, closed with extensive protective measures.
4. Running vulnerability scanning and penetration testing to identify loopholes or weaknesses in your cyber security defences.
5. Monitoring outbound traffic on your site to be aware of any traffic from your site to another location.