According to a new report from security research firm Symantec, cyber criminals and other hacker syndicates are carrying out “formjacking” attacks at an increasing rate. Thousands of e-commerce sites from around the world have been targeted, including those belonging to Ticketmaster and British Airways. In its report, Symantec says that it blocks an average of 6,368 formjacking attempts daily, making this one of the fastest growing forms of cyber attack on the Internet right now. At the end of 2018, there was a major uptick in formjacking attempts.
Formjacking as a new attack vector for hackers
Results of the Symantec report on formjacking
The size and extent of the formjacking problem are also worth noting. Over a three-month period at the end of 2018, Symantec was tracking more than 1 million formjacking attempts on over 10,000 websites. The problem was first noticed around August 13 last year. In the period from mid-August to October 1, Symantec tracked over 248,000 attempts at formjacking, and nearly one-third of those attacks occurred within a very narrow window of time – from September 13 to 20. This was the equivalent of a formjacking campaign, as thousands of sites were hit at the same time.
What can be done to prevent formjacking?
Given the extent of the formjacking problem on the Internet, it is perhaps only natural to ask: What can be done to prevent similar types of attacks in the future and to avoid becoming a victim of formjacking? According to Chris Olson, CEO of The Media Trust, there are really only two options available to e-commerce site operators to block threat actors. The first is to check that all web apps or additional code for a website have been developed with adequate attention to both security and privacy. This might include testing any new software updates in small test environments. The second option is to use automated website vulnerability services (or white hat hacker teams) to continually scan a website for potential weaknesses.
The problem, however, is that hackers are getting increasingly sophisticated at pulling off these formjacking attacks and taking steps to avoid detection. For example, in addition to injecting the malicious code that skims the payment and personal information, they are also injecting a secondary piece of code that checks for the presence of debugger tools. If this were a real-world theft scenario, it would be the equivalent of two burglars working in tandem to pull off a heist: while one burglar is grabbing the cash, the other burglar is on the lookout for the arrival of the cops.
As Symantec explains in its report, hackers are “exploring new delivery vehicles” and “continuously altering and improving code.” In layman’s terms, there’s an arms race going on here. At the same time as website operators are doing everything possible to come up with new defensive measures, the black hat hackers are coming up with innovative offensive measures meant to circumvent them.
Implications for e-commerce
In a worst-case scenario, of course, this major uptick in formjacking attacks could have a chilling effect on e-commerce. If customers believe that there is a chance of having their credit card information “skimmed” by cyber thieves, why would they visit a retail e-commerce site? This was one of the issues of the early web, when people were just getting used to purchasing items online: people would only use websites they trusted, or that had special security icons at the bottom of the screen.
And, beyond the world of e-commerce, similar formjacking attempts might be used to disrupt global supply chains. A supply chain attack, for example, might target the B2B commerce sites used by companies to purchase from vendors, suppliers and partners. These attacks, presumably, would involve much larger sums of money and even more details and other information than formjacking attacks carried out on retail e-commerce sites.
On the Internet, buyer beware
Given the increasing sophistication of the hackers carrying out formjacking attacks across the web, perhaps the best advice for Internet users is the following: “Buyer beware.” Realize that cyber criminals can skim your credit card details from forms on the checkout page of an unprotected website the same way they might skim your credit card details at an unprotected ATM. Whenever possible, encrypt or hide any identifying information, and be on the lookout for “typo-squatted” websites (i.e. websites that have almost the same spelling as a more famous website, in order to trick consumers). Going forward, it is becoming highly probable that the ability to guarantee consumers a smooth, seamless and 100 percent safe shopping experience will become a real source of competitive advantage on the Internet.