What is Formjacking?
Formjacking is a type of man-in-the-middle (MITM) attack, one in which cybercriminals intercept communications between two parties without their knowledge or consent. In the case of formjacking, the cybercriminal simply retrieves a copy of the form data even while the transmission passes through unaltered. Formjacking is the digital equivalent of someone tapping your phone. It is stealthy and inconspicuous because it happens on the client side, outside of the purview of systems such as code scanners and web application firewalls (WAFs). Thus, it is not uncommon for these attacks to remain undetected for long periods of time.
Cybercriminals generally direct formjacking attacks at the most popular third-party web forms and web form plug-ins used by many e-commerce sites. Because of this, 4,800 sites fall victim to formjacking each month. Formjacking can be a goldmine of credit card numbers, expiration dates and security codes, paired with the cardholder’s name, email and address, which cybercriminals can use to make fraudulent purchases and retrieve credentials.
How Can Attackers Use Stolen Form Data?
Attackers can exploit the data gleaned from formjacking attacks in many ways. Most commonly, they simply sell the stolen credentials and payment data on the dark web. Then, other cybercriminals can use the stolen usernames and passwords in credential stuffing, carding and account takeover (ATO) attacks.
Cybercriminals can make fraudulent purchases using stolen payment information, often by buying gift cards and then using them to buy popular items for resale online. The process launders the electronic currency, making it untraceable.
Using stolen personally identifiable information (PII), fraudsters can get loans, create fake accounts and open lines of credit under someone else’s identity. In addition, compromised accounts can be used to distribute malware. This enables the theft of more personal information for use in credential stuffing and ATO attacks — thus starting the digital attack lifecycle all over again.
How Do Formjacking Attacks Affect Your Business?
Data breaches can severely damage consumer trust and brand reputation, both for your users whose data was stolen and others who may hear of the breach in the press or social media. At best, users become angry that their PII was revealed, and are forced to reset passwords and update stored credit card numbers. At worst, they could suffer identity theft and fraud as a result of a data breach on your site. This could result in lawsuits, regulatory fines, restoration payments and buying’ credit monitoring services for affected users. Either way, loss of consumer trust can lead to lost revenue and stock value for years to come.
Regulators levy fines and penalties on organizations that experience formjacking attacks that steal consumers’ personal and payment data. British Airways was fined £183 million (later reduced to £29 million) after an attack retrieved personal and financial data from 420,000 customers and employees, violating the General Data Protection Regulation (GDPR). The U.S has enacted similar privacy laws, such as the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) — and online businesses stand to face hefty fines if they do not comply.
Up to 70% of the code on a typical site is sourced from open source libraries and third-party partners, many of which call on yet other third-party code. This allows developers to quickly bring capabilities to market, improves site performance and enables marketing and e-commerce teams to track and analyze web traffic. But even though third-party code is developed externally, your business is liable for its behavior on your site. Your reputation and revenue are on the line if your users’ data is exposed due to code vulnerabilities.
Challenges in Detecting Malicious Code
Malicious scripts are frequently designed to load dynamically and evade detection by external scanners. They may purposefully target a small percentage of users, only load in a real client-side environment or remove themselves from memory when they detect code analysis taking place. This makes it unlikely that malicious code will be running during any particular moment-in-time scan. Furthermore, third-party scripts are constantly changing and could be compromised at any point between scans or when they load downstream.
In many cases, your third-party code refers to other third-party code, creating a long supply chain of 4th-, 5th- and nth-party vendors — i.e., your vendors’ vendors. A security vulnerability may occur in the nth spot in the chain, but if it leads to a formjacking attack on your site, you are liable for the resulting damage.
How to Prevent Formjacking
How Does HUMAN Stop Formjacking?