Facts:
Formjacking happens when cybercriminals use malicious code to hack a website and hijack the site's form page to collect sensitive user information.
This attack is designed to steal credit card details from the checkout pages of websites.
Unfortunately, there is no way for a consumer to detect a formjacking attack while it’s happening, and it’s very difficult for the merchant or payment processor to pick up on.
Previous high-profile formjacking attacks include British Airways, TicketMaster UK, Newegg, Home Depot, and Target.
With just a few lines of code, a hacker can steal hundreds of thousands of credit card details in a matter of days, netting millions of dollars in the process.
A Cautionary Tale
Most criminals use card skimmers — devices hidden within credit card readers at ATMs, fuel pumps, and other machines — to steal payment data. These stolen credentials are later sold online or used by the criminals themselves. But one group, Magecart, has taken this cottage industry online, creating the digital version of credit card skimming by way of formjacking kits.
...and they’re selling these kits to other wannabe hackers, in addition to access to compromised websites — with prices starting as low as $0.50.
In the case of British Airways, Magecart hackers used 22 lines of code to steal 380,000 credit card details, over the course of 15 days. Their profit? Almost $17 million.
To carry out the attack, the cybercriminals set up a custom, targeted infrastructure to blend in with the British Airways website. This way, they could avoid detection for as long as possible. They then placed their malicious code on the British Airways baggage claim information page. Once the code was in place, every time a customer entered their details into the website’s payment form and clicked “submit”, that information was sent to a server controlled by the hackers — without the customer realizing what had happened.
The Larger Scheme At Play
As the name suggests, formjacking occurs when hackers inject code into forms on legitimate websites. This, in turn, causes the page to release confidential information entered into the form, and deliver it directly to the attackers. This tactic can be used for a variety of different purposes, from stealing payment information to obtaining social security numbers — all of which can later be sold on various forums to anyone who wants it.
Source: MakeUseOf
Sadly, formjacking attacks have become a popular threat in the world of ecommerce. As consumers, we often purchase from trusted retailers without giving it a second thought. Or, we might look for a padlock icon to indicate that a site is secure before we submit our payment details. But what happens when a website has been hacked and there are no hints to indicate that anything is amiss?
As consumers wisen up to cons like card skimming at ATMs, scammers have switched over to formjacking as a lower-risk, higher-reward alternative.
Just like a card skimmer, a formjacked website does its dirty work without disrupting the legitimate transaction. As a result, when a customer places an order on a formjacked website, the sale goes through as expected and the data is forwarded to the hackers. This way, the customer has no idea that their information has been stolen until much later, when they are alerted to fraudulent transactions by the bank or credit card company.
How It Works
What’s important to note about this type of attack is that it does not require direct access to the server hosting the website. In many cases, hackers will insert their malicious JavaScript code into plug-ins or software that third parties provide to online retailers. By piggybacking on these trusted solutions, cybercriminals increase the chance that the owners of these online shops won’t bother testing the code for vulnerabilities before going live.
That said, there are a number of ways that malicious code can end up on a webpage:
The creator of an online store might have linked to a library from an untrustworthy source. For example, Mr. Web Developer likes an image carousel he found on my-site.com and decides to link to it directly. Now, the owner of my-site.com can modify that script whenever he wants, potentially adding malicious code.
The creator of an online store might have copied some JavaScript from an untrustworthy source. For example, Mr. Web Developer needs a plug-in that will convert Celsius to Fahrenheit. He finds a script on free.javascriptlib.zz which does the job, but he fails to notice the obfuscated malicious code contained in the file.
The end user might sabotage their own security by using an untrustworthy browser extension or bookmark. For example, Alice has added a button to her browser which gives her an emoji keyboard, but this also inserts malicious code into any webpage she uses thereafter.
In other words, all a wannabe formjacker has to do is obtain some malicious code from an online source or write his own, then add it to a commonly used, widely distributed piece of software or plug-in. From there, he sits back and waits for hundreds of unsuspecting web developers and ecommerce owners to copy and paste this code into their websites. Now the sites are compromised and his few lines of malicious code will begin collecting information and sending it back to him, in real time.
Source: Symantec
Meanwhile, on the consumer side:
Shopper A finds a great deal on a pair of shoes online and adds them to her cart.
She clicks on the “checkout” option and enters her credit card and billing details.
When she hits the “submit” button, the malicious JavaScript code collects the entered information.
Shopper A’s details are then transferred to the formjacker’s server.
Later on, the formjacker checks this server and sees Shopper A’s details.
He then jumps up and down with glee and starts using the stolen information to shop online or do whatever else he wants.
Meanwhile, Shopper A gets her order confirmation, and the store owner receives the payment for the sale. Neither the shopper nor the owner are aware of any security breach.
Take Steps to Protect Yourself
When a site is infected with formjacking code, there are no telltale signs — such as bogus URLs or non-secure web connections (http versus https) — to indicate foul play. Therefore, the best strategy is to stay vigilant and watch for signs of data compromise.
What this means for consumers:
When making online purchases, avoid using the website’s payment form when possible. This can be done by opting to use services like PayPal instead. Customers who use PayPal to check out are redirected to the PayPal website when making their online purchases. Because your payment information is entered into a separate website, it will not be captured by a formjacking script on the store’s own checkout page. Using mobile payment options like Apple Pay or Google Pay is also helpful in hiding your payment information. Alternatively, you can use a site like privacy.com to generate a unique card number that only works at each individual merchant. This way, if your card number becomes exposed, it can’t be used anywhere else.
If you suspect that you have fallen victim to formjacking, examine your credit card statements carefully each month for transactions you don't recognize. If you see anything suspicious, cancel your card immediately and report the fraud to your bank or credit card company.
What this means for businesses:
Review third-party scripts. As previously mentioned, formjacking attacks often target businesses via third-party providers. When Ticketmaster was breached in 2018, the attack happened through a third-party chat bot used for customer support. Therefore, it’s important for businesses to check that all web apps or additional code for a website have been developed with adequate attention to both security and privacy. Companies should also try to reduce the number of third-party scripts on their websites and only keep those that are essential.
Conduct a vulnerability assessment (on a regular basis). Vulnerabilities tend to be discovered only once they start doing damage. Therefore, businesses should opt to use automated website vulnerability services to continually scan their websites for potential weaknesses. This will allow you to detect and address any security gaps or malicious scripts before they become a larger problem.
Final Notes and Updates
Given the extent of formjacking attacks, it’s only natural to ask: What can be done about all of this going forward?
As of right now, there is no ironclad solution. While consumers and businesses can take some action to reduce their risk of exposure, the problem is that hackers will always be one step ahead. Not only are they becoming increasingly sophisticated at pulling off these formjacking attacks, they are also implementing further measures to avoid detection. For example, in addition to injecting malicious card skimming scripts, cybercriminals will often add a secondary piece of code that checks for the presence of debugger tools. In the real world, this is the equivalent of two burglars working together to pull off a heist — where one grabs the cash while the other is on the lookout for the cops.
In other words, this whole thing has become an arms race. While website operators are doing everything possible to create new mechanisms of defense, hackers are circumventing them by using innovative offense strategies.
In the meantime, perhaps the best advice for readers to follow is buyer beware. Realize that cybercriminals can skim your credit card details from forms on the checkout page of any unprotected website...in the same way they might skim your credit card details at an unprotected ATM.
Useful Resources
Inside the Magecart Breach of British Airways:
https://www.riskiq.com/blog/labs/magecart-british-airways-breach
For a safer, more secure way to spend online:
To file a complaint with the FTC:
https://www.consumer.ftc.gov/articles/0275-place-fraud-alert
Editor’s Note: Have you been affected by fraud? Most people have, in some form or another. If you have a story you would like to share, we’re sure our readers would benefit from hearing it. Please send an email to editor@theconartist.pub detailing your experience, and we will be in touch. Your privacy and any wishes of anonymity will be respected.
Thanks for reading! If you haven’t already, consider joining our community to receive in-depth exposés on the latest scams, hoaxes, and other forms of fraud.