What is Formjacking?
Formjacking is the software equivalent of credit card skimming. The name is a portmanteau of “form” and “hijacking.” It steals credit card details from online forms, usually on e-commerce sites, while the affected websites continue to operate as normal, which makes it difficult to detect. What is formjacking? It is the invisible thief.
Credit card skimming is the theft of credit card details from physical machines such as ATMs. The threat actors introduce a piece of physical hardware either inside the ATM or over an external element of it.
The illegal device takes a copy of the data from the strip on each card used in the ATM. This includes:
- The credit card number
- The expiration date
- The cardholder’s full name
It is also common to install a pinhole camera and point it at the keypad. The camera captures the 4-digit Personal Identification Number (PIN).
Instead of targeting physical devices, formjacking targets forms on e-commerce websites. From the threat actor’s point of view, these forms are a perfect target. They gather personal information about the user and their credit card details.
This provides cyber criminals with everything they need to perform Cardholder Not Present (CNP) credit card fraud. The threat actors seldom abuse the credit card themselves. Instead, they sell all the harvested card details on the Dark Web.
Instead of physically inserting a piece of hardware into a device, the threat actors “inject” some malicious JavaScript code into a web page. The malicious code collects the victim’s credit card number and other personal information and sends the bundle of data to the threat actors.
Importantly, the same information is allowed to pass through to the rest of the website. The victim’s transaction is completed as if nothing untoward happened. As far as the merchant and the customer are concerned, everything worked exactly as expected. The order is placed, the goods are shipped, and no suspicions are raised.
With the introduction of contactless payment cards, physical card skimming became much more difficult. Ironically, that increase in security for physical uses of a payment card helped drive the switch to – and the rapid uptake of – formjacking.
Formjacking is so prevalent now that there are specialist cybercriminal collectives exclusively targeting e-commerce sites.
Techopedia Explains the Formjacking Meaning
A cyberattack where hackers inject malicious code into online forms on legitimate websites to steal users’ sensitive information.
The formjacking definition is a cyberattack where malicious JavaScript code is injected into the online forms of legitimate websites to steal users’ sensitive information. This can include payment details, personal identification numbers, and other private data. The stolen information is secretly transmitted to the attacker’s server as users submit their forms.
Unlike other cyber threats such as phishing or ransomware, formjacking targets legitimate websites, which makes it harder to detect. It silently captures data without disrupting the user’s access, allowing continuous and unnoticed data theft; this sets it apart from more immediately disruptive threats such as viruses.
So what’s the meaning of formjacking? It means you always need to stay on your toes when entering details online.
How Does Formjacking Work?
Different techniques are used, but they all lead to the same end result: the exfiltration of personal information and credit card details.
1. Embedding JavaScript Into the Code of a Website
The first technique is to embed JavaScript into a website’s code. This changes the page’s functionality. The added code takes a copy of the sensitive data and sends it to the threat actors. The code is often obfuscated or encoded so that it can’t be directly read by a human without decoding it.
All e-commerce websites must interact with their payment card transaction processing partner. It might be a bank, a credit card company, or an accredited payment partner that sits between merchants and the credit card companies.
The payment partner will supply some form of payment gateway software that has to be included in the website’s architecture. Any words or variable names in the malicious JavaScript that by necessity are left in plain text are often given names that suggest the code is related to Google Analytics, to the payment gateway software, or to cookies.
The domains to which the data is sent often use names that can be misread if they are not carefully examined. Slight misspellings and substitutions, such as using an “i” instead of an “l,” can trick the reader into thinking the domain name is safe.
Here are some real-world examples that have been used in the past:
- google-analyitics.org
- google-analytics.cm
- googietagmanagar.com
- googlc-analytics.cm
- api-googles.com
- tracker-visitors.com
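As an added example that is not part of the original article, the following Python check flags hostnames that imitate the lookalike domains listed above. It folds the confusable characters the text mentions (“i” for “l”, and likewise “1” and “0”), compares the name part of each host against a constructed allow list of legitimate analytics hosts by edit distance, and reports TLD swaps such as .cm for .com; the allow list, the brand token and the distance threshold are assumptions for this example.

```python
"""Classify outbound hosts seen in a shop's pages against an allow list,
flagging names that imitate the legitimate ones (constructed example)."""

# Hosts this (hypothetical) shop legitimately loads scripts from.
ALLOWED_HOSTS = {"google-analytics.com", "googletagmanager.com"}
# Brand strings that should not appear in an unlisted host at all (assumption).
BRAND_TOKENS = ("google",)
# Characters commonly swapped for look-alikes; fold them before comparing.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})


def fold(label: str) -> str:
    return label.lower().translate(CONFUSABLES).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host: str) -> tuple[str, str]:
    """Split 'name.tld' naively; a real tool would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[:-1]), labels[-1]


def classify(host: str) -> tuple[str, str]:
    """Return (verdict, reason) where verdict is 'allowed', 'lookalike' or 'unlisted'."""
    host = host.lower()
    if host in ALLOWED_HOSTS:
        return "allowed", "exact match on allow list"
    name, tld = split_host(host)
    folded = fold(name)
    for legit in sorted(ALLOWED_HOSTS):
        legit_name, legit_tld = split_host(legit)
        distance = edit_distance(folded, fold(legit_name))
        if distance <= 2:  # one or two typos/substitutions away from a trusted name
            tld_note = "" if tld == legit_tld else f", TLD .{tld} instead of .{legit_tld}"
            return "lookalike", f"{distance} edit(s) from {legit}{tld_note}"
    if any(token in folded for token in BRAND_TOKENS):
        return "lookalike", "contains a brand token but is not on the allow list"
    return "unlisted", "not on the allow list; review before allowing"
```

Hosts that come back “unlisted” (tracker-visitors.com in the list above) are not proven safe; they are exactly the connections the allow-list review described later in the article has to judge.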
2. Loading a “Downloader” Script Into the Web Page
Another strategy is to load only a tiny “downloader” script into the web page. This small stub of code has only one job. When activated, it downloads the actual formjacking script from a remote hosting location. Threat actors have even used GitHub as the remote location for their malign scripts.
This downloading technique has the advantage that the threat actors can change the code in the malign JavaScript once, and all infected websites will automatically use the updated script the next time they download it.
If the JavaScript is coming from a server maintained by the threat actors, they can examine the metadata in the request. They can check the IP address, the user-agent, and the referrer and decide whether to send back a malicious script, a clean script, or even nothing at all.
If they suspect the request has come from a security researcher trying to diagnose the attack, the threat actors will vary the responses sent back. This will prevent basic automation tools from analyzing the malicious script.
There have been cases where a deny list on the threat actor’s server contained IP addresses owned by cybersecurity companies. The download of JavaScript to these IP addresses was blocked.
3. Redirecting the User to a Deceptive Website
Another – albeit little-used – technique is to redirect the user to a look-alike website hosted on a server under the threat actors’ control, and then to return them to the real website once the data entry portion of the purchase has been completed.
Whichever method is used, the code is hooked into some user action, such as a button click on the web page.
Code is added to the website that adds to or replaces the genuine code that is activated when:
- A form is submitted when the “Buy”, “Submit”, or similar button is clicked.
- The “Enter” key is pressed, which can indicate a form submission.
- Mouse button activity is detected.
- A page load event is triggered to confirm an order has been placed.
Less commonly, the JavaScript can be timer-based. Every half a second or so, it will “scrape” a copy of the data out of the form and harvest it.
What is Magecart?
Magecart refers to a coalition of multiple cybercriminal groups that specialize in digital credit card theft by using formjacking techniques. These groups inject malicious JavaScript code into the payment forms of e-commerce websites to siphon credit card data during transactions.
They exploit vulnerabilities across various web platforms, including third-party components integrated into multiple e-commerce sites. This method allows them to perform wide-reaching attacks that can simultaneously affect multiple websites, increasing their potential to steal massive amounts of data.
Magecart attacks have successfully breached both major retailers and smaller online stores, demonstrating the groups’ capability to adapt and refine their strategies in response to evolving security measures. This adaptability, and the persistent threat they pose to online commerce, underlines the need for more robust and constantly maintained cybersecurity defenses tailored against this specialized form of attack.
How Do Websites Become Infected?
Any modern, non-trivial website relies on many third-party modules and pieces of code to deliver the experience and functionality that users have come to expect from professional websites.
Formjackers exploit the same sorts of vulnerabilities, in the site itself and in those third-party modules, that other cybercriminals look for.
How to Detect Formjacking
Formjacking has no visible signs that something is wrong, so the website visitor cannot tell if anything is amiss. The merchant sees purchases coming through at the expected run rate.
If everything seems to be working, the assumption is everything’s OK. What is required is something that can scan and analyze the website to verify everything is OK.
File Integrity Monitoring
File Integrity Monitoring (FIM) is a software tool that scans a target set of files and folders and creates a record of their size, modification times, and other characteristics. This is recorded as the baseline.
If future scans detect any changes to the monitored files, an alert is raised. This works well for static sites, but sites that have dynamic content, such as shopping carts that change as a function of their normal operation, may confuse FIM systems.
The website’s architecture dictates where the dynamic changes take place. If they are purely in a back-end database, FIM will capture changes to web pages. But if some of the web pages are generated in real time, they cannot be baselined, and so an FIM system will not help.
Furthermore, an FIM system cannot detect a threat that is already embedded in a third-party module, because the module will be baselined with the threat inside it.
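An added example, not from the original article, of the FIM baseline-and-compare loop described above, in Python. It records the size and modification time the text mentions plus a SHA-256 digest per file, skips directories the site regenerates at runtime (the dynamic content the text says cannot be baselined; the directory names are assumptions), and reports added, removed and modified files. The web root it scans is constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

IGNORE_DIRS = {"cache", "var"}  # regenerated at runtime (assumed names); cannot be baselined


def fingerprint(path: Path) -> dict:
    """What FIM records per file (size, modification time) plus a SHA-256 content digest."""
    st = path.stat()
    digest = hashlib.sha256(path.read_bytes()).hexdigest()
    return {"size": st.st_size, "mtime": int(st.st_mtime), "sha256": digest}


def build_baseline(root) -> dict:
    """Map each file under root (relative, '/'-separated) to its fingerprint,
    skipping files that live under a runtime-generated directory."""
    root, baseline = Path(root), {}
    for p in root.rglob("*"):
        if p.is_file() and not (set(p.relative_to(root).parts[:-1]) & IGNORE_DIRS):
            baseline[p.relative_to(root).as_posix()] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two scans; the digest decides 'modified', since size and mtime can be restored."""
    changes = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            changes["added"].append(rel)
        elif rel not in current:
            changes["removed"].append(rel)
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            changes["modified"].append(rel)
    return changes


def demo() -> dict:
    """Constructed scenario: baseline a tiny web root, alter checkout.js, regenerate a cached page."""
    with tempfile.TemporaryDirectory() as root:
        script, cached = Path(root, "js", "checkout.js"), Path(root, "cache", "page.html")
        script.parent.mkdir()
        cached.parent.mkdir()
        script.write_text("// genuine checkout script (placeholder)\n")
        cached.write_text("<p>generated at 10:00</p>\n")
        before = build_baseline(root)
        with script.open("a") as fh:
            fh.write("// bytes appended after the baseline was taken\n")
        cached.write_text("<p>generated at 10:05</p>\n")  # dynamic page changed; must not alert
        return compare(before, build_baseline(root))
```

The demo reports only js/checkout.js as modified; the regenerated cached page is skipped rather than raising the false alarm the text warns about for dynamic sites.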
So, for dynamic sites, FIM systems must be supplemented by a communications baseline and connection monitoring. This is effectively a set of allow lists and deny lists that accept or block communications from the website.
Normal web traffic is allowed. Outbound connections that are not serving up web pages are compared to an allow list containing the details of the valid outbound connections the website will make – including those made by the third-party modules.
For example, connections from the payment gateway modules are characterized and listed in the allow list. Only connection attempts to the certified remote IP addresses and ports in the allow list are permitted.
Once all valid operational connections to and from the website have been identified, characterized, and added to the allow lists, the exfiltration of data by transmission becomes impossible.
Redirecting web pages is also blocked, and many of the incoming infection routes are blocked off automatically.
Other Formjacking Threats
Formjacking currently focuses on the theft of payment card data. However, it can, of course, be used to capture any type of data entered into an online form.
This could include online banking, healthcare information, and any type of login credentials. It may also be used to alter the data that is sent through to the genuine website.
For example, in electronic voting systems, the formjacking software could amend a certain percentage of the votes to sway the outcome.
Formjacking is a type of cybercrime that has a particularly insidious potential.
How to Prevent Formjacking
Preventing formjacking involves a combination of proactive security measures and best practices that both developers and website administrators can implement to safeguard their websites.
Here are key recommendations to help protect against this type of cyberattack:
By integrating these strategies into your website management and development processes, you can reduce the risk of falling victim to formjacking attacks and protect the security of your users’ sensitive information.
Formjacking Examples
Below are some notable real-world examples of formjacking incidents, highlighting the consequences and the lessons learned from each event.
Consequences: Hackers stole personal and payment information from approximately 380,000 transactions and the company faced a £183 million fine under GDPR regulations.
Lessons Learned: Emphasized the need for robust security measures on payment processing systems and compliance with data protection regulations.
Consequences: The personal and payment details of thousands of customers were compromised over several months.
Lessons Learned: Highlighted vulnerabilities in third-party components of websites and the importance of monitoring and securing these elements.
Consequences: Credit card information of potentially millions of customers was stolen over a month by Magecart attackers.
Lessons Learned: Demonstrated the importance of early detection and rapid response to security breaches to minimize damage.
Consequences: Magecart groups targeted over 60 universities and online retailers, stealing countless payment details.
Lessons Learned: Showed the broad scope of formjacking threats and the need for cross-industry cybersecurity awareness and training.
The Bottom Line
Understanding and preventing formjacking is important for the security of both individuals and businesses involved in online transactions. This type of cyberattack, which involves the theft of sensitive information through compromised web forms, poses a serious risk to personal and financial data.
By recognizing the methods used by attackers, such as injecting malicious code into legitimate websites, organizations can better defend against these insidious threats.
Preventive measures, including regular security audits, the use of Content Security Policies, and educating employees about cybersecurity risks, are necessary. These steps help safeguard data and maintain the trust of users who engage with online services.
The threat of formjacking will most definitely continue and evolve as e-commerce and online financial transactions continue to grow. Cybersecurity strategies will need to be constantly updated to keep pace with the sophisticated techniques developed by attackers.
FAQs
What is formjacking in simple terms?
How do you protect against formjacking?
What type of attack occurs when an attacker captures credit card information?
What is an example of Formjacking?
How does Magecart work?