This article originally appeared in CPO Magazine on March 1, 2019.
According to a new report from security research firm Symantec, cyber criminals and other hacker syndicates are carrying out “formjacking” attacks at an increasing rate. Thousands of e-commerce sites from around the world have been targeted, including those belonging to Ticketmaster and British Airways. In its report, Symantec says that it blocks an average of 6,368 formjacking attempts daily, making this one of the fastest growing forms of cyber attacks on the Internet right now. At the end of 2018, there was a major uptick in formjacking attempts.
Formjacking as a new attack vector for hackers
These formjacking attacks are used to steal credit card details and customer data by injecting snippets of malicious JavaScript code into the payment section of an e-commerce website. When users try to complete a purchase on those sites, the data is captured by the code and then sent to servers belonging to the hackers. Once the data has been “skimmed” from an e-commerce site, it can be re-sold on the Dark Web for a profit, or simply used to carry out identity theft or other forms of cyber fraud. Most formjacking attacks will capture all information – including details about the payment card being used for the transaction, the address of the user and even the username of the purchaser – needed to make similar types of purchase around the Web.
Even more disturbingly, says Symantec, these formjacking attacks using JavaScript code to steal data are specifically designed to take place behind the scenes, without either the e-commerce site operator or consumer knowing that user data has just been captured. In other words, if you buying a ticket for an event on Ticketmaster, you would never know that your credit card information had just been skimmed by a formjacking script, and that all information requested at time of checkout had been “skimmed” by unscrupulous hackers.
Results of the Symantec report on formjacking
The size and extent of the formjacking problem is also worth noting. Over a three-month period at the end of 2018, Symantec was tracking more than 1 million formjacking attempts on over 10,000 websites. The problem was first noticed around August 13 last year. In the period from mid-August to October 1, Symantec tracked over 248,000 attempts at formjacking, and nearly one-third of those attacks occurred within a very narrow window of time – from September 13 to 20. This was the equivalent of a formjacking campaign, as thousands of sites were hit at the same time.
Hackers tend to favor online shopping websites that generate a lot of traffic and that also use a lot of code plug-ins or software from outside third-party vendors. This gives them the best chance to insert code to steal credit card data. For example, when carrying out forensics on the Ticketmaster website, Symantec tracked the malicious JavaScript code problem down to a live customer service chat bot created by at third party. Within the hacker world, the “weak link” in any website is generally viewed as the code provided by these third parties. Sometimes, little or no testing is done on this code before it goes live, and that is why so many vulnerabilities exist when users send information from payment forms.