Formjacking Attacks Skyrocketing in 2019
Updated: November 13, 2020
The trend of formjacking attacks keeps on rising, and it is a bigger threat than other types of cyberattacks.
Online shopping has moved spending from brick-and-mortar stores to digital purchases. This not only created an opportunity for big companies such as Amazon to keep growing their client lists and for many small vendors to build e-commerce sites, but it also created an opportunity for the theft and trade of credit card information.
Formjacking attacks give cybercriminals the opportunity of stealing credit card information from customers while they shop on the websites they trust. There's no hacking into bank accounts or phishing involved, which makes the process more efficient and effective. Not to mention, the attackers are able to make a lot of money pretty quickly, their attacks are hard to detect, small companies are easy targets, and there are not many repercussions for this illicit behavior to this day.
We hope this post will give you a better understanding of what formjacking attacks are and how important it is for both businesses and customers to be aware of the threat.
What is formjacking?
Formjacking is a type of cyberattack criminals use to steal victims' credit card information without needing to commit banking fraud, which makes it an easier and more efficient way for cybercriminals to deploy their attacks and make money quicker. The users' information is stolen directly from e-commerce sites' forms, so cybercriminals don't have to access your bank account.
How does formjacking work?
When you go shopping on an e-commerce site, you fill in a form with your personal data and credit card information so you can proceed with the payment. Cybercriminals inject malicious JavaScript code into the website's scripts so that, when you hit submit on that form, a copy of the form containing your personal details is sent to the attacker. The attacker receives your name, credit card details, and all the other sensitive information you were required to fill in.
The process is somewhat similar to how attackers used to steal credit card information by installing malicious code into ATMs or credit card readers.
The worst part? You won't even be aware this happened. You'll only find out you've been the victim of a formjacking attack when you come across your personal data on the web, or start to notice unusual payments on your credit card statements.
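Because the attack relies on an injected or altered script on the payment page, it is something a site owner can check for. The following is an added example, not code from the original article: a Node.js audit that flags scripts loaded from unapproved hosts, third-party scripts without a Subresource Integrity attribute, and scripts whose content no longer matches a hash recorded at release. The host names, page markup and script bodies are constructed for illustration.

```javascript
const { createHash } = require('crypto');

// Assumption (not from the article): hosts approved to serve scripts on the payment page.
const ALLOWED_HOSTS = new Set(['shop.example', 'cdn.shop.example']);

// Subresource Integrity value for a script body, in the format browsers verify.
function sriHash(body) {
  return 'sha384-' + createHash('sha384').update(body, 'utf8').digest('base64');
}

// baseline: script URL -> SRI hash recorded at release time.
// served: script URL -> body currently served (passed in so the example runs offline).
function auditScripts(html, pageUrl, baseline, served) {
  const findings = [];
  const pageOrigin = new URL(pageUrl).origin;
  // A regex is enough for this constructed page; use a real HTML parser in production.
  for (const [, attrs] of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline scripts are outside this check
    const url = new URL(src[1], pageUrl);
    if (!ALLOWED_HOSTS.has(url.hostname)) {
      findings.push({ url: url.href, issue: 'host-not-allowed' });
      continue;
    }
    if (url.origin !== pageOrigin && !/\bintegrity\s*=/i.test(attrs)) {
      findings.push({ url: url.href, issue: 'missing-integrity' });
    }
    const expected = baseline.get(url.href);
    if (expected && sriHash(served.get(url.href) ?? '') !== expected) {
      findings.push({ url: url.href, issue: 'content-changed' });
    }
  }
  return findings;
}

// Constructed sample data: a checkout page, its released scripts and what is served now.
const PAGE_URL = 'https://shop.example/checkout';
const PAGE = `
<script src="/js/checkout.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="https://metrics.example.net/t.js"></script>`;
const RELEASED = new Map([
  ['https://shop.example/js/checkout.js', 'function pay(){/* v1 */}'],
  ['https://cdn.shop.example/lib.js', 'function lib(){/* v1 */}'],
]);
const BASELINE = new Map([...RELEASED].map(([u, body]) => [u, sriHash(body)]));
// The library now being served differs from the released copy.
const SERVED = new Map(RELEASED).set('https://cdn.shop.example/lib.js', 'function lib(){/* v1 */}/* appended */');
console.log(auditScripts(PAGE, PAGE_URL, BASELINE, SERVED));
```

Run on a schedule against the live checkout page, a check like this surfaces a changed script without waiting for customers to report fraud.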
How popular is formjacking?
Formjacking might not seem like much. After all, e-commerce sites have security measures in place to protect their users' data, don't they?
Well, trustworthy e-commerce websites do indeed do their best to secure users' payment info, but it doesn't mean we should take the skills of cybercriminals lightly. Technology is ever-evolving, and so is the craft of hacking. For every new security measure websites implement, there are cybercriminals working on new ways to bypass that wall. This means that even big companies have the potential of becoming the target of a formjacking attack.
According to the Symantec Internet Security Threat Report 2019, formjacking attacks were in the spotlight of the cybercrime scene in 2018. Data shows that 4,800 unique websites were compromised by malicious formjacking code each month in 2018. Symantec blocked over 3.7 million formjacking attempts, with over 1 million of those attempts taking place in the last two months of the year. May 2018 saw a spike in formjacking attempts (over 500,000 that month), and the trend kept on rising from then on.
As expected, formjacking attacks increase in number over the shopping seasons, when the traffic to the e-commerce websites is at its peak.
The most popular formjacking attacks on big companies were the ones that targeted British Airways, TicketMaster UK, Target, Home Depot, Newegg, Kitronik, and VisionDirect.
The attack on British Airways was announced on September 6th and it seems that it lasted for 15 days. Over this period of time, the attackers managed to steal private information from around 380,000 customers with only 22 lines of malicious script. The stolen information included personal and payment information, and both the website and the mobile app were compromised.
Even though big organizations have been targeted, small and medium companies are more likely to become targets of formjacking attacks as they usually invest less in security solutions and are easier to compromise.
To better highlight the risk of formjacking attacks, here's a quote from Greg Clark, CEO of Symantec:
"Formjacking represents a serious threat for both businesses and consumers. Consumers have no way to know if they are visiting an infected online retailer without using a comprehensive security solution, leaving their valuable personal and financial information vulnerable to potentially devastating identity theft."
Looking at this information, it's fair to assume that formjacking attacks won't go away soon. On the contrary, more and more attacks of this type are expected, for several reasons. Firstly, the attackers are able to make lots of money by stealing credit card credentials. Secondly, attacking companies that don't have a thick security layer to prevent cyberattacks is an easy task for hackers. And last but not least, those who deploy such attacks haven't seen many repercussions for their actions, so they have no reason to give up their illicit behavior.
Magecart - The groups behind formjacking attacks
The name of Magecart seems to appear more and more often on the scene of cybersecurity. Even though sometimes Magecart is used to refer to a specific group of attackers, in reality, there are more groups
Magecart appeared back in 2015 as a group that used to inject skimmers on e-commerce websites. Another group appeared in 2016 that had the same objectives but used a different strategy from the original group. New groups are forming to this day, each of them acting differently. Some focus on targeting as many e-commerce websites as possible while some focus on only a couple of high profile ones. Some center their attention on creating skimmers that are harder to detect while some concentrate on creating tailored ones.
The report from RiskIQ shows the following Magecart groups:
- Group 1 & 2 - First seen in 2015, they target a wide range of websites and use automated tools to deploy the attack. They use a complex reshipping scheme to monetize stolen data, finding people in the US to receive items purchased with stolen credit card data and reship them to the group in Europe.
- Group 3 - First seen in 2016, they target high volumes of websites, without targeting high-end ones. Their skimmer operates differently and they have a different infrastructure compared to the first two groups.
- Group 4 - First seen in 2017, they are one of the most advanced, even using fingerprinting to find users that might be analyzing their skimmer.
- Group 5 - First seen in 201, they target third-party suppliers instead of individual e-commerce stores to get as much data as possible but they also target specific victims if the result is worth it. They have been behind the TicketMaster UK breach.
- Group 6 - First seen in 2018, they had the biggest impact in the formjacking world. They target specific, high profile companies such as British Airways and Newegg.
What happens to your stolen data?
Well, there is an entire market when it comes to these kinds of illicit activities. On one hand, there are developers who create software designed to steal customers' credit card data. Most of them don't take part in the actual theft; they only sell the software to cybercriminals on the black market. On the other hand, there are the cybercriminals who actually steal people's data by using the software or even by buying access to an already compromised e-commerce website. The prices on the black market vary based on the value of the data and the traffic of the e-commerce website.
But what do cybercriminals do with the data they steal?
On the black market, there are illicit stores set up for those selling and buying stolen credit card data. Those who buy credit card data use the card to make purchases. Cybercriminal groups might also find people willing to buy products with the cards and ship them to the group, so they can resell them in their own country.
According to Symantec research, data from a single credit card might be sold for up to $45. Cybercriminals can raise up to $2.2 million each month with just 10 stolen credit cards through formjacking websites.
How can you protect yourself against formjacking attacks?
Unfortunately, there is no guaranteed solution to protect yourself against formjacking attacks. But there are a couple of security measures to keep in mind.
- Firstly, try to limit your purchases to big stores that you know have a strong security system in place. Small e-commerce websites are most likely to fall victim to formjacking.
- Secondly, check with your bank to see if you can set up a second layer of defense to your credit card. For example, Visa and Mastercard offer the 3D Secure protocol. This means that even if your credit card details get stolen, no one can use them without providing the security code you receive as a text message to authenticate the transaction.
- Thirdly, if you think your credit card data might've been stolen, ask your bank for a new credit card.
- And lastly, keep your eyes peeled for unusual transactions on your credit card statement!
With all this information about formjacking at hand, it's fair to assume that these types of cyberattacks are not likely to go away any time soon.
Stay safe and aware! Cybercriminals are always skimming for users' data and everyone can become a victim of theft.