Formjacking isn’t new to the cybersecurity threat game; however, from mid-August 2018 into early 2019, formjacking incidents have been steadily rising. In a recent cybersecurity threat report, Symantec stated that they blocked more than 3.7 million formjacking attempts in 2018, with more than one million of those formjacking blocks occurring in November and December[ii], thanks to increased online Christmas shopping. According to Symantec’s data, 4818 different websites were plagued with formjacking code every month of 2018. With financial data from one credit card being sold for up to $45 in underground markets, just ten stolen credit cards from websites compromised with formjacking could result in a $2.2 million yield each month for cybercriminals. The financial draw of formjacking for cybercriminals is evident.
A great deal of the formjacking activity has been linked to a group of threat actors named Magecart. Magecart is believed to be comprised of several groups, some in direct competition with each other. Magecart is thought to be behind some high-profile cybersecurity breaches and formjacking attacks including those on British Airways, Ticketmaster and VisionDirect.[iii] The surge in formjacking mirrors the growth in supply chain cybersecurity attacks. Magecart, in some instances, targeted third-party services such as surveys and chats, with the aim of getting its code past less-effective cybersecurity and onto the targeted website. In the cybersecurity breach of Ticketmaster, Magecart compromised a third-party chatbot, which then loaded malicious formjacking code into the guests to Ticketmaster’s website to harvest customers’ payment information.[iv] Supply chain cybersecurity attacks are especially tricky because it doesn’t matter how strong your business’ cybersecurity is if attackers can manipulate other business’ cybersecurity with access to your network. Using smaller businesses with less robust and sophisticated cybersecurity systems to breach a bigger fish’s website is becoming a norm. “They like the low and slow approach,” said Kevin Haley, Director of Product Management for Security Response at Symantec.[v] Left out of the news are the small and medium-sized online retailers that Symantec found to have formjacking code embedded onto their websites, and the smaller businesses that were part of the supply chain. Formjacking isn’t just a big business problem, but a global cybersecurity problem that can affect any company with an e-commerce presence.
Cybersecurity 101: Keeping your form or your data from getting jacked
Greg Clark, CEO of Symantec, said, “Formjacking represents a serious threat for both businesses and consumers. Consumers have no way to know if they are visiting an infected online retailer without using a comprehensive security solution, leaving their valuable personal and financial information vulnerable to potentially devastating identity theft.”[vii] Symantec claims that in 2018 it blocked over 3.7-million formjacking attempts. Approximately one in 40 of the blocked formjacking attempts targeted Canadians.[viii]
How do users protect themselves?
The best way to prevent your personal and financial data from being lifted in a formjacking scam is to apply the same cybersecurity rules you would to other scams. Top of that list is installing antivirus software and ensuring all cybersecurity patches are updated. Also, it is vital that you never complete financial transactions on unfamiliar devices or while using public Wi-Fi.
Haley said that really “It’s up to the website owners to protect against this threat.”[ix]
How do businesses protect themselves?
Because many of these attacks go through third-party applications, it’s essential to have a good relationship with the software supplier and understand their cybersecurity vulnerabilities. Haley advises that you “test updates before using them” and “scan your websites looking for unexpected code.”[x] It is vital that you have cybersecurity tools in place that allow you to lock down your website and cybersecurity tools that will alert your IT department if there are any changes to your e-commerce pages. Cybersecurity tools that lock and alert are of greater significance if your e-commerce pages interact with any other website for financial processing tasks. You need to ensure that both your website and any third-party websites your code is communicating with are clear of any malicious code. One way of combatting formjacking is to use Subresource Integrity tags, that allow your browser to verify that information they fetch is delivered without unexpected manipulation. It works by providing a cryptographic hash that a resource much match.
Using your cybersecurity tools, you should also monitor your outbound traffic. You may not be able to determine if the traffic-flow from the formjacking software is malicious. However, using your cybersecurity tools, you would be able to tell if it’s being redirected to somewhere it is not supposed to go. If the cybersecurity tools alert you to suspicious traffic, that’s a sign you need to evaluate your website for malicious code. Any form can be compromised, so beyond credit card payment forms, you need to be wary of online loan application, tax, or health forms that may have sensitive data attractive to cybercriminals. It is vital that any online business presence that collects personal or financial data via a form take cybersecurity precautions and use proper cybersecurity tools to protect against formjacking. If your customers get formjacked on your website, and you’ve not taken adequate cybersecurity measures to protect against it, then your company will lose customers, revenue and reputation. Talk to an ISA cybersecurity specialist to ensure your company’s cybersecurity tools are protecting your online forms from falling victim to formjacking.