Formjacking Attacks Pose New Threat for Internet Users

According to a new report from security research firm Symantec, cyber criminals and other hacker syndicates are carrying out “formjacking” attacks at an increasing rate. Thousands of e-commerce sites from around the world have been targeted, including those belonging to Ticketmaster and British Airways. In its report, Symantec says that it blocks an average of 6,368 formjacking attempts daily, making this one of the fastest growing forms of cyber attacks on the Internet right now. At the end of 2018, there was a major uptick in formjacking attempts.

Formjacking as a new attack vector for hackers

These formjacking attacks are used to steal credit card details and customer data by injecting snippets of malicious JavaScript code into the payment section of an e-commerce website. When users try to complete a purchase on those sites, the data is captured by the code and then sent to servers belonging to the hackers. Once the data has been “skimmed” from an e-commerce site, it can be re-sold on the Dark Web for a profit, or simply used to carry out identity theft or other forms of cyber fraud. Most formjacking attacks will capture all information – including details about the payment card being used for the transaction, the address of the user and even the username of the purchaser – needed to make similar types of purchase around the Web.

Even more disturbingly, says Symantec, these formjacking attacks using JavaScript code to steal data are specifically designed to take place behind the scenes, without either the e-commerce site operator or consumer knowing that user data has just been captured. In other words, if you are buying a ticket for an event on Ticketmaster, you would never know that your credit card information had just been skimmed by a formjacking script, and that all information requested at time of checkout had been “skimmed” by unscrupulous hackers.

Results of the Symantec report on formjacking

The size and extent of the formjacking problem are also worth noting. Over a three-month period at the end of 2018, Symantec was tracking more than 1 million formjacking attempts on over 10,000 websites. The problem was first noticed around August 13 last year. In the period from mid-August to October 1, Symantec tracked over 248,000 attempts at formjacking, and nearly one-third of those attacks occurred within a very narrow window of time – from September 13 to 20. This was the equivalent of a formjacking campaign, as thousands of sites were hit at the same time.

Hackers tend to favor online shopping websites that generate a lot of traffic and that also use a lot of code plug-ins or software from outside third-party vendors. This gives them the best chance to insert code to steal credit card data. For example, when carrying out forensics on the Ticketmaster website, Symantec tracked the malicious JavaScript code problem down to a live customer service chat bot created by a third party. Within the hacker world, the “weak link” in any website is generally viewed as the code provided by these third parties. Sometimes, little or no testing is done on this code before it goes live, and that is why so many vulnerabilities exist when users send information from payment forms.

What can be done to prevent formjacking?

Given the extent of the formjacking problem on the Internet, it is perhaps only natural to ask: What can be done to prevent similar types of attacks in the future and to avoid becoming a victim of formjacking? According to Chris Olson, CEO of The Media Trust, there are really only two options available to e-commerce site operators to block threat actors. The first is to check that all web apps or additional code for a website have been developed with adequate attention to both security and privacy. This might include testing any new software updates in small test environments. The second option is to use automated website vulnerability services (or white hat hacker teams) to continually scan a website for potential weaknesses.

The problem, however, is that hackers are getting increasingly sophisticated at pulling off these formjacking attacks and taking steps to avoid detection. For example, in addition to injecting the malicious code that skims the payment and personal information, they are also injecting a secondary piece of code that checks for the presence of debugger tools. If this were a real-world theft scenario, it would be the equivalent of two burglars working in tandem to pull off a heist: while one burglar is grabbing the cash, the other burglar is on the lookout for the arrival of the cops.

As Symantec explains in its report, hackers are “exploring new delivery vehicles” and “continuously altering and improving code.” In layman’s terms, there’s an arms race going on here. At the same time as website operators are doing everything possible to come up with new defensive measures, the black hat hackers are coming up with innovative offensive measures meant to circumvent them.
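One small check of the kind a site operator could run continuously against a checkout page, given that third-party scripts are the weak link described above. This is an added example, not code from Symantec or The Media Trust; the host allowlist, the Subresource Integrity requirement, and every hostname and the sample HTML are assumptions constructed for illustration.

```javascript
// Added example: inventory the external scripts a checkout page loads and flag
// the ones a reviewer should look at. All names and hosts here are constructed.
const SITE_ORIGIN = "https://shop.example";
const ALLOWED_HOSTS = new Set(["shop.example", "cdn.payments.example"]);

// Constructed sample of a checkout page's markup.
const SAMPLE_CHECKOUT_HTML = `
<form id="payment">...</form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.payments.example/v3/pay.js"
        integrity="sha384-CONSTRUCTEDPLACEHOLDERDIGEST" crossorigin="anonymous"></script>
<script async src="https://chat-widget.example/live-chat.js"></script>
<script src="http://cdn.payments.example/legacy.js"></script>
<script>window.cartId = "constructed";</script>
`;

// Extract attribute name/value pairs from one opening <script ...> tag.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<script/i, "").replace(/>$/, "");
  const re = /([\w-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const m of body.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return one finding per problem: plain-HTTP loads, hosts outside the
// allowlist, and third-party scripts without an integrity hash.
function auditScripts(html, origin = SITE_ORIGIN, allowed = ALLOWED_HOSTS) {
  const findings = [];
  // Simplification: assumes no '>' inside attribute values.
  for (const m of html.matchAll(/<script\b[^>]*>/gi)) {
    const attrs = parseAttrs(m[0]);
    if (!("src" in attrs)) continue; // inline scripts need separate review
    let url;
    try { url = new URL(attrs.src, origin); }
    catch { findings.push({ src: attrs.src, issue: "unparseable-src" }); continue; }
    const firstParty = url.origin === new URL(origin).origin;
    const add = (issue) => findings.push({ src: url.href, issue });
    if (url.protocol !== "https:") add("not-https");
    if (!firstParty && !allowed.has(url.hostname)) add("host-not-allowlisted");
    if (!firstParty && !/^sha(256|384|512)-/.test(attrs.integrity || "")) add("missing-sri");
  }
  return findings;
}

console.log(auditScripts(SAMPLE_CHECKOUT_HTML));
```

A check like this only sees script tags present in the served HTML; scripts added at runtime, or an allowlisted vendor serving changed code without an integrity hash, need monitoring in the browser or at the vendor.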

Implications for e-commerce

In a worst-case scenario, of course, this major uptick in formjacking attacks could have a chilling effect on e-commerce. If customers believe that there is a chance of having their credit card information “skimmed” by cyber thieves, why would they visit a retail e-commerce site? This was one of the issues of the early web, when people were just getting used to purchasing items online: people would only use websites they trusted, or that had special security icons at the bottom of the screen.

And, beyond the world of e-commerce, similar formjacking attempts might be used to disrupt global supply chains. A supply chain attack, for example, might target the B2B commerce sites used by companies to purchase from vendors, suppliers and partners. These attacks, presumably, would involve much larger sums of money and even more details and other information than formjacking attacks carried out on retail e-commerce sites.

On the Internet, buyer beware

Given the increasing sophistication of the hackers carrying out formjacking attacks across the web, perhaps the best advice for Internet users is the following: “Buyer beware.” Realize that cyber criminals can skim your credit card details from forms on the checkout page of an unprotected website the same way they might skim your credit card details at an unprotected ATM. Whenever possible, encrypt or hide any identifying information, and be on the lookout for “typo-squatted” websites (i.e. websites that have almost the same spelling as a more famous website, in order to trick consumers). Going forward, it is becoming highly probable that the ability to guarantee consumers a smooth, seamless and 100 percent safe shopping experience will become a real source of competitive advantage on the Internet.