Formjacking attacks: An insight on how the attack works and its high-profile retail targets

• Formjacking involves the use of malicious JavaScript code to steal payment card details and other information from payment forms on the checkout web pages of e-commerce websites.
• Formjacking attacks have been used by Magecart threat group against retail e-commerce websites such as Ticketmaster, Newegg, Feedify, British Airways, and more.

Formjacking involves the use of malicious JavaScript code to steal payment card details and other information from payment forms on the checkout web pages of e-commerce websites. Formjacking attacks have been used by Magecart threat group against e-commerce websites such as Ticketmaster, Newegg, Feedify, British Airways, etc.

Formjacking attacks are evolving since August 2018. Researchers detected nearly 250,000 formjacking attempts since mid-August 2018. Researchers from Symantec stated that they are blocking almost 6,368 formjacking attempts every day.

How does Formjacking work?

• Magecart group injects a malicious JavaScript code onto the e-commerce website’s payment forms.
• Once a customer makes payment by entering his/her payment details on an e-commerce website and clicks ‘submit’, the injected malicious code collects all the entered information.
• The collected information includes the customer’s name, address, phone number, email address, and payment card details.
• This collected information is then sent back to the C&C server operated by the attackers.
• Attackers can then use this information to perform payment card fraud or sell these details to other cybercriminals on the dark web.

Who is Magecart group?

Magecart card-skimming threat group is comprised of 12 major cybercriminal groups. All these groups use the same skimmer toolset version, however, they depend on different tactics and techniques.

These threat groups were responsible for attacks against British Airways, Ticketmaster, the National Republican Senate Committee, Cancer Research UK, Feedify, Groopdealz, Everlast, Vision Direct, and Newegg.

What are the two main factors that allow Formjacking attacks?

There are two main factors that make these ‘Formjacking attacks possible’,

• The primary factor is that websites are developed without appropriate security and privacy policies.
• The secondary factor is that large e-commerce companies are not using automated security scanner that scans vulnerabilities.

“There are two main factors that make these attacks possible: first, web apps are being developed without adequate attention to security and privacy, and, second, large companies are not using automated website vulnerability scanners or having white hat hacker teams assess their web app security against these breaches,” Chris Olson, CEO of The Media Trust, said.

How to stay protected from Formjacking attacks?

The websites onto which the malicious script has been injected continues to operate as normal, thus website owners cannot detect such attack attempts. However, they can take a few precautionary steps to stay protected from formjacking attacks such as,

• Test all new updates including the legitimate updates in small test environments or sandbox environments first before updating, in order to detect any suspicious behavior.
• Behavior monitoring of all activities on a system can also help identify any malicious activity.
• Website owners can use appropriate software that scans for potential vulnerabilities.
• Website owners can also use content security policies to prevent any integrated third-party scripts.