Last year, as most people were stuck at home, many of us became even more dependent on e-commerce sites than we were already. Unfortunately, that includes cybercriminals too.
In 2020, scams targeting the checkout forms of online retailers rose by 20%, according to reports. That sort of threat is called a formjacking attack, and while it’s not new, and not limited to e-commerce sites, formjacking can be a serious problem for any organization that uses any sort of form on its site.
What is formjacking?
A formjacking attack occurs when cybercriminals inject malicious JavaScript code into an online form. The injected code hijacks the form and silently copies the information that real users enter into it. Often, the form in question is a payment page, because that’s where customers enter their payment details, such as credit card numbers and other sensitive information. The code then forwards that information to the attacker.
However, formjacking can be used on any other form that might collect the sort of data a criminal would like access to — formjacking attacks have targeted healthcare organizations and municipalities, for example.
This is often a tactic employed by criminals who target third parties. It falls into the category known as supply chain attacks: the criminal may be stealing your customers’ credit card data, but what they’re actually attacking is the form provided by your supplier, such as your payment processor. They use that third party’s vulnerability to steal your data.
Formjacking goes by a few other names as well. Because formjacking attacks “skim” data from compromised forms, they are also called web skimming attacks or digital skimming. You’ll also see the name Magecart associated with formjacking attacks.
What is Magecart?
Magecart is a consortium of cybercriminal groups that specialize in attacking online shopping cart systems to steal credit card information. They get their name from the Magento system, which they’re known for attacking, and have been around since at least 2015. Magecart is well known for several well-publicized attacks on companies including British Airways, Topps, Ticketmaster, Forbes, the Atlanta Hawks, and hundreds of college campus bookstores.
Can you prevent formjacking attacks?
Let’s start with the bad news first: for the most part, you can’t detect a formjacking attack. If your form has been compromised, there are no tell-tale signs. The consumer may not notice until their credit card information has been compromised (and they may not know exactly where their payment information was hijacked). Your IT department may be able to find an attack by spending hours investigating, but they’d need to suspect a problem first.
There is some good news, however. You can prevent attacks by securing your forms and vetting your vendors.
5 steps to prevent a formjacking attack
There are some steps you can take to keep your forms safe from attack.
- Install antivirus software: Using strong, up-to-date antivirus software can help protect against some formjacking attacks.
- Vet your vendors: Your third parties are likely to be targets of the attackers. Make sure they’re adhering to best practices by proactively vetting them before you onboard them.
- Run penetration tests and scans: Scan for vulnerabilities so you can find and fix them before a criminal finds them.
- Test your updates: Whenever you update your software, test it to make sure it’s secure.
- Monitor your systems: Continuously monitoring your systems for unexpected changes is a way to confirm that everything is running the way it should and that no malicious code has been introduced.
How can SecurityScorecard help?
SecurityScorecard’s easy-to-read A-F rating scale makes cross-functional communication easier. Since we continuously monitor for risks and send actionable alerts, IT departments can respond in real time to new risks.
SecurityScorecard’s ratings provide visibility into ten different groups of risk factors, including IP reputation, endpoint security, network security, web application security, DNS health, patching cadence, hacker chatter, leaked credentials, and social engineering.
IT departments can delve into the individual risk factors to prioritize their activities. Meanwhile, marketing departments can focus on the holistic score that gives them the ability to discuss their commitment to security and privacy meaningfully. Even if you’re not sharing your score, you can still be confident in the truthfulness of your messaging.