How to Protect Your Business Website from Formjacking

As individuals become more savvy about avoiding phishing emails, and enterprises get better at filtering them out before they ever reach employees’ inboxes, it’s become more difficult for hackers to infect enterprise systems with ransomware and cryptojacking malware. Companies are also becoming more diligent about backing up their systems, and cryptocurrency prices have fallen, meaning that the potential profits from ransomware and cryptominers have likewise diminished.

So what’s a hacker to do if they want to make a fast, illicit buck? The answer is formjacking, a cyber attack that dramatically increased in popularity in 2018 and is now hitting an estimated 4,800 websites a month.

What is formjacking?

Formjacking is sometimes described as the online version of ATM card skimming — another hacking method that is becoming less fruitful as more brick-and-mortar retailers implement EMV chip technology. In a typical formjacking scheme, hackers breach an ecommerce site and insert malicious JavaScript code into the form where shoppers enter their payment information. When the customer hits “submit,” the information is transmitted to the hackers, who can then sell the credit card data or use it themselves.

Formjacking is very difficult to detect because it’s invisible to both the customer and the retailer. The customer sees the transaction being processed normally, and the retailer still receives the order information and payment. The malicious code tends to be very short, and hackers disguise it to appear innocuous or routine. There is no indication that anything unusual has happened until days, weeks, sometimes even months later, when the retailer discovers the code or customers see unusual charges appearing on their credit card statements.

Most formjacking malware is developed by Magecart, the name given to a hacking ring composed of loosely affiliated groups that specialize in stealing credit card data. In addition to orchestrating their own attacks, Magecart groups also offer formjacking malware-as-a-service to other cybercriminals.

Small- and medium-sized retailers are the most frequent victims of formjacking, likely because their cyber defenses tend to be less robust than large ecommerce sites. However, because formjacking malware often gets onto sites by compromising third-party services, such as payment processing and chatbot applications, very large companies are not immune. British Airways and Ticketmaster number among the high-profile victims of Magecart formjacking attacks.

While formjacking is usually deployed to steal payment card data from ecommerce sites, it can be used to compromise any type of online form. This means that formjacking could also be used to steal other sensitive data, including login credentials, Social Security Numbers, or even confidential business information, such as contact information for sales prospects who have signed up for a company’s mailing list.

Protecting your website against formjacking

Implement Subresource Integrity (SRI) tags. SRI tags use cryptographic hashes to ensure that the files that web applications and web documents fetch do not contain unexpected content that could indicate they’ve been manipulated by a malicious third party, such as additional code.

Monitor your site’s outbound traffic. If you see form data being transmitted to an unusual or unknown resource, your site could be under attack from formjacking or other malware.

Secure your supply chain. Hackers frequently insert formjacking malware onto sites by compromising third-party application developers, especially payment processors but also chatbots, quizzes, and other common web applications. Talk with a cybersecurity expert about solutions to test software updates and scan your website for unexpected code changes.