Invisible Prying Eyes: Formjacking Goes Mainstream by Robert Arandjelovic, Director of Product Marketing at Symantec Americas


The British Airways data breach in September 2018, in which 380,000 customers’ credit card information was stolen, was the result of formjacking: the data was compromised as customers completed the online purchasing process. Now, a major corporation like British Airways is going to be a hard target for attackers. But if cybercriminals knock on the doors of smaller businesses, and gain access to their websites, just ten credit card numbers from each website could result in huge profits, either from selling the information online, or using it to make purchases. It’s all about scale.

A lot of smaller businesses might not be expecting this, or they might think that they’re too small to be noticed by cybercriminals. But that just means that they’re leaving their front doors wide open. The critical moment is when the bad guys inject that little bit of code on a web page that diverts customer information. A lot of cybercriminals are doing this at scale, so your website might end up being just one victim in a multi-million-dollar operation, and even if you only have ten really upset customers, that can still be enough to do serious damage to your reputation.

Formjacking depends on injecting the suspect code into the page on the web server where customers enter their payment information. This is possible due to known vulnerabilities on the server or webpage itself, compromised chatbots or other third-party add-ons to an e-commerce site, or because cybercriminals have gained access to the login credentials of someone in the company, such as the webmaster.

When the end user makes their purchase, and enters their data, they’re doing so on a legitimate webpage belonging to a real business. But because of that little bit of code that’s been added to the page, as soon as the data is entered, it’s not only being sent to the merchant, but also to the bad guys. It’s very subtle, and for most of us, it’s going to be almost impossible to see. It’s not at all like the phishing of the past, where if you pay attention you can avoid the traps. All the preventive tips that we’ve been taught, like not clicking on links and instead going directly to webpages, won’t help against formjacking. It works because you are using the legitimate webpage, and there is no way to tell that it’s been compromised.

If you’re a merchant, there are some things you can do to defend yourself. Make sure that you’ve locked down the security of your web servers, that they’re kept up-to-date so that any operating system vulnerabilities can’t be exploited, that you’ve protected privileged users and their access against being compromised, and that you’ve trained your staff not to give away that privileged access. In addition, running regular code reviews not only helps check for common errors, it’s also a very good way to ensure that no malicious code has been injected.
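One way to automate part of that review is to diff the scripts on the live payment page against the last reviewed copy. The following is an added example, not code from the article or from Symantec; the hosts, page contents and function names are constructed placeholders, and it assumes the page HTML has already been fetched.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class ScriptCollector(HTMLParser):
    """Collects external script URLs (with SRI flag) and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.external.append((a["src"], bool(a.get("integrity"))))
            else:
                self._buf = []          # start buffering an inline script
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def scripts(html):
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p

def digest(body):
    return hashlib.sha256(body.strip().encode()).hexdigest()

def baseline(reviewed_html):
    """Hashes of the inline scripts in the last reviewed copy of the page."""
    return {digest(b) for b in scripts(reviewed_html).inline}

def audit_page(html, page_url, allowed_hosts, known_inline):
    """Return (reason, detail) findings for scripts outside the reviewed baseline."""
    own, found, p = urlparse(page_url).hostname, [], scripts(html)
    for src, has_sri in p.external:
        host = urlparse(urljoin(page_url, src)).hostname
        if host != own and host not in allowed_hosts:
            found.append(("unapproved-host", src))
        elif host != own and not has_sri:
            found.append(("third-party-without-integrity", src))
    found += [("inline-changed", b.strip()[:40]) for b in p.inline if digest(b) not in known_inline]
    return found

# Constructed sample pages (placeholder hosts), not taken from any real site.
REVIEWED = '<script src="/js/checkout.js"></script><script>initCart();</script>'
LIVE = REVIEWED + '<script src="https://static.example.net/t.js"></script><script>initCart(1);</script>'
```

Any finding on a page that has not been deliberately changed since its last review is a reason to inspect that script before the next customer checks out.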

From a consumer perspective, the one reliable bit of defense we’ve seen to date is having endpoint security complete with intrusion prevention system (IPS) technology, which will be able to detect when code or information is being sent somewhere other than the webpage it’s supposed to go to. It won’t always be foolproof, because cybercriminals are always looking to stay one step ahead, but IPS is a mature technology, and endpoint security suites with built-in IPS capabilities have proven to be the most reliable defense against formjacking. This also means that users should restrict their e-commerce activities to devices with endpoint protection capabilities, and avoid using unprotected or untrusted devices such as shared hotel computers, a relative’s PC, or an unsecured mobile device.

In my estimation, formjacking activity is only now hitting its peak. Throughout 2018 we saw a steady growth rate, and there were approximately twice as many attacks in December as in January. There’s also an element of seasonality: when e-commerce sales peak, in the weeks between Black Friday and Christmas, formjacking attacks peaked also. All the current trends suggest that through 2019 and beyond, formjacking is going to be in high use, and may even continue to grow. In the past few years we’ve moved from IT scams to ransomware and cryptojacking. And now that we’ve developed successful defenses against ransomware, and since cryptojacking has become less profitable with cryptocurrencies’ fall in value, formjacking has become the new avenue for online criminal activity. It’s easy to do, it’s scalable, and it’s hard to stop.


I don’t want to be overly alarmist, but it’s important that people are aware that this is happening, and that there are practical ways to avoid being victimized by it. Finally, it’s vital that all of us—consumers and businesses—ask this question: “Are we making ourselves as safe as possible?”


Affecting an average of 4,800 websites per month, formjacking is one of the newest favourite ways for cyber criminals to steal personal data, according to security company Symantec’s annual Internet Security Threat Report.