Cyber criminals are using malicious JavaScript code to steal user data: Symantec study 

Checkout and payment pages of online retail stores are especially in the crosshairs of attackers and on average, websites compromised in this way stay infected for 46 days.

Written by : TNM Staff

Formjacking has evolved and become stealthier in the last couple of months, with attackers now injecting malicious code into websites to steal more than just credit card information. As a continuation of its ISTR 24 report, Symantec has launched an in-depth analysis of formjacking attacks, which are frequently in the news, highlighting how websites and consumers have been affected in the last year.

In these attacks, cyber criminals find a way to change one of the JavaScript files being loaded as part of the website. This implanted malicious JavaScript code alters the behaviour of the targeted web form or process on the compromised website to surreptitiously steal payment card data and other personal information in the background.

Checkout and payment pages of online retail stores are especially in the crosshairs of attackers, but any profitable data entered by the user into web forms could potentially be stolen. On average, websites compromised in this way stay infected for 46 days.

Symantec has seen a major uptick in formjacking attacks recently. Publicly reported attacks on the websites of companies including Ticketmaster, British Airways, Feedify, and Newegg, carried out by a number of groups collectively referred to as Magecart, are the most prominent examples.

“Each month we discover thousands of formjacking infected websites, which generate millions of dollars for the cyber criminals,” warned Candid Wueest, Principal Threat Researcher at cyber security company Symantec.

Before formjacking became popular, cyber criminals were already targeting e-commerce platforms. However, they were mainly attacking the e-commerce or payment systems directly to steal stored transactions, or they used phishing attacks to redirect customers to fake websites. Formjacking is not just about payment card data; it is also used to steal passwords and other personal data from websites.

Impact and Damage

In a traditional data breach, the motivation of the perpetrator is not always to misuse the data; sometimes they just want to highlight security inadequacies. With formjacking, however, the attacker almost always wants to make a profit from the stolen information. From the user’s perspective, it doesn’t matter whether their data gets stolen in a classic data breach or via a web-based formjacking attack. The end result is the same: their personal data has been stolen and might be misused by criminals.

As per the report, India ranks third with 5.7% of global detections. Symantec highlights in the report that they have blocked more than 2.3 million formjacking attacks globally in Q2 of 2019. In the first six months of 2019, users in the US were by far the most exposed to formjacking attacks with 52% of all global attacks, up from 33% in 2018.

With such sophisticated attacks, website owners should be aware that affected organisations can face associated costs resulting from things like customer notification processes and possible fines. In addition to the cost of the data breach, there is also a loss of customer trust and damage to the organisation’s brand reputation. This can be especially devastating for online stores which depend heavily on customer orders.

Protection

“Consumers often don’t notice that they have become a victim to a formjacking attack as it can happen on a trusted online store with the HTTPS padlock intact. Therefore, it is important to have a comprehensive security solution that can protect you against Formjacking attacks,” added Wueest.

With sophisticated and stealthy attackers like Magecart, website owners must use several different methods to protect their web presence from formjacking. A baseline standard should be to harden any server or service used for hosting the website. This includes scanning local files for any malicious scripts and implementing change control measures to validate and authorise all changes, similar to classic defacement prevention. They must also monitor the behaviour of all activity on a system, which can help identify any unwanted patterns and allow a suspicious application to be blocked before any damage can be done.
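
The change-control check described above, as an added example (not code from Symantec or from this article): it records SHA-256 hashes of a site's JavaScript files at an authorised release and later reports any script that was modified, added or removed outside that release. The directory layout, file names and file contents are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(web_root: Path) -> dict[str, str]:
    """Map each .js file (path relative to web_root) to its SHA-256 digest."""
    return {
        p.relative_to(web_root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(web_root.rglob("*.js"))
        if p.is_file()
    }


def audit(web_root: Path, approved: dict[str, str]) -> dict[str, list[str]]:
    """Compare the scripts currently deployed with the approved manifest."""
    current = build_manifest(web_root)
    return {
        # Same path, different content: a script changed after approval.
        "modified": sorted(f for f in current if f in approved and current[f] != approved[f]),
        # Script present on disk that was never part of an approved release.
        "unauthorised": sorted(f for f in current if f not in approved),
        # Approved script that has disappeared from the web root.
        "missing": sorted(f for f in approved if f not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: approve a release, then simulate unapproved changes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "js" / "checkout.js").write_text("function submitOrder(form) { form.submit(); }\n")
        (root / "js" / "cart.js").write_text("function addItem(id) { cart.push(id); }\n")
        approved = build_manifest(root)  # recorded at the authorised release

        # Changes made outside change control (constructed, harmless content).
        with (root / "js" / "checkout.js").open("a") as fh:
            fh.write("// appended outside the release process\n")
        (root / "js" / "analytics-helper.js").write_text("// file not in the release\n")
        return audit(root, approved)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the approved manifest would be stored somewhere the web server cannot write to, so that a compromise of the site cannot also rewrite the baseline.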

Formjacking attacks are increasing in volume. The reason for this is twofold: they are difficult to detect for end users and can be very lucrative for cyber criminals. In addition, the attacks are quite simple to conduct, and the injected malicious JavaScript is not difficult to create. We expect this formjacking trend to continue and expand further to steal all kinds of data from web forms, not just payment card data. This also means that we are likely to see more software supply chain attacks. Unfortunately, formjacking is showing no signs of disappearing any time soon. Therefore, operators of online stores need to be aware of the risk and protect their online presence.

Symantec & Norton LifeLock customers are protected from formjacking attacks.
