What is formjacking and how to prevent it

Formjacking happens when cybercriminals hijack your web forms. Typical targets are payment forms and shopping carts. Cybercriminals can inject malicious scripts into vulnerable JavaScript code in your forms to alter their behavior. The malicious JavaScript loads into the consumer’s web browser, collects the form data and transmits it to the criminal’s command and control (C and C) server, even as the form data continues to flow to your systems. This allows the cybercriminal to capture information whenever your users submit a form.

Formjacking is a type of man-in-the-middle (MITM) attack, one in which cybercriminals intercept communications between two parties without their knowledge or consent. In the case of formjacking, the cybercriminal simply retrieves a copy of the form data even while the transmission passes through unaltered. Formjacking is the digital equivalent of someone tapping your phone. It is stealthy and inconspicuous because it happens on the client side, outside of the purview of systems such as code scanners and web application firewalls (WAFs). Thus, it is not uncommon for these attacks to remain undetected for long periods of time.

Cybercriminals generally direct formjacking attacks at the most popular third-party web forms and web form plug-ins used by many e-commerce sites. Because of this, 4,800 sites fall victim to formjacking each month. Formjacking can be a goldmine of credit card numbers, expiration dates and security codes, paired with the cardholder’s name, email and address, which cybercriminals can use to make fraudulent purchases and retrieve credentials.

Attackers can exploit the data gleaned from formjacking attacks in many ways. Most commonly, they simply sell the stolen credentials and payment data on the dark web. Then, other cybercriminals can use the stolen usernames and passwords in credential stuffing, carding and account takeover (ATO) attacks.

Cybercriminals can make fraudulent purchases using stolen payment information, often by buying gift cards and then using them to buy popular items for resale online. The process launders the electronic currency, making it untraceable.

Using stolen personally identifiable information (PII), fraudsters can get loans, create fake accounts and open lines of credit under someone else’s identity. In addition, compromised accounts can be used to distribute malware. This enables the theft of more personal information for use in credential stuffing and ATO attacks — thus starting the digital attack lifecycle all over again.

Data breaches can severely damage consumer trust and brand reputation, both for your users whose data was stolen and others who may hear of the breach in the press or social media. At best, users become angry that their PII was revealed, and are forced to reset passwords and update stored credit card numbers. At worst, they could suffer identity theft and fraud as a result of a data breach on your site. This could result in lawsuits, regulatory fines, restoration payments and buying’ credit monitoring services for affected users. Either way, loss of consumer trust can lead to lost revenue and stock value for years to come.

Regulators levy fines and penalties on organizations that experience formjacking attacks that steal consumers’ personal and payment data. British Airways was fined £183 million (later reduced to £29 million) after an attack retrieved personal and financial data from 420,000 customers and employees, violating the General Data Protection Regulation (GDPR). The U.S has enacted similar privacy laws, such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) — and online businesses stand to face hefty fines if they do not comply.

Up to 70% of the code on a typical site is sourced from open source libraries and third-party partners, many of which call on yet other third-party code. This allows developers to quickly bring capabilities to market, improves site performance and enables marketing and e-commerce teams to track and analyze web traffic. But even though third-party code is developed externally, your business is liable for its behavior on your site.  Your reputation and revenue are on the line if your users’ data is exposed due to code vulnerabilities.

Formjacking can be difficult to detect with traditional security measures. This is because tools like scanners, web application firewalls (WAFs) and intelligent next-generation firewalls have no visibility into how code, including client-side JavaScript, is behaving on your users’ browsers. A vulnerability can remain in your code for quite some time because developers don’t have the visibility they need to fix it.

Malicious scripts are frequently designed to load dynamically and evade detection by external scanners. They may purposefully target a small percentage of users, only load in a real client-side environment or remove themselves from memory when they detect code analysis taking place. This makes it unlikely that malicious code will be running during any particular moment-in-time scan. Furthermore, third-party scripts are constantly changing and could be compromised at any point between scans or when they load downstream.

In many cases, your third-party code refers to other third-party code, creating a long supply chain of 4th-, 5th- and nth-party vendors — i.e., your vendors’ vendors. A security vulnerability may occur in the nth spot in the chain, but if it leads to a formjacking attack on your site, you are liable for the resulting damage.

Getting full visibility into your code is the key to stopping formjacking. The first step is knowing and vetting third-party vendors whose code is used on your site. Pay special attention to any resource that supports your web forms and underlying software. Work selectively with vendors to ensure that all web forms and JavaScript come from sources you know and trust. If you are unsure of all your vendors’ third parties, start with an inventory of your forms and any unique software components that support them. You might be able to track down some nth-party developers using this information.

Ask your vendors for regular software updates for your web forms, especially any available updates for JavaScript. Use sandbox testing to ensure that any updates don’t present new vulnerabilities before trusting and installing them on your site. You can test your site and forms for vulnerabilities with external code scans, using readily available scanning tools and service providers. Penetration testers scan your software once or twice a year as you determine, and bug bounty services can test your web forms around the clock.

These methods can help you detect malicious code, so you can quickly mitigate vulnerabilities with patches or implement a temporary workaround on your site. However, the best way to prevent formjacking is to enable automatic monitoring of all client-side JavaScript behavior on your website, so you can catch malicious code activity in action. Inventorying your website and network forms for anomalous behavior allows you to see client-side JavaScript at work.

HUMAN Client-Side Defense is a client-side application security solution that protects your website by continuously monitoring all client-side JavaScript. The solution baselines the behavior of the first- and third-party scripts that are loaded on your users’ browsers and detects anomalous activity that leaves your website open to formjacking, such as changes in behavior, communication with new network domains or modifications to the DOM.

Client-Side Defense delivers robust insights into JavaScript activity, so you can analyze all first-, third- and nth-party scripts running on your website. The solution integrates with your web servers and content delivery networks (CDNs) to enforce your content security policy (CSP) rules and block malicious Javascript.

Supply chain attacks | What they are & how to prevent them

What is digital skimming and how does it work?

What is magecart? | Attack types & prevention

What is personally identifiable information (PII) harvesting?

What is PCI DSS compliance? | Requirements & how to comply