Formjacking is a new type of attack that’s being compared to ATM skimmers, except that, with formjacking, it’s nearly impossible for users to find out that they’re being attacked until it’s too late. That’s why it’s up to IT pros to defeat this threat.
Chances are that, if you’ve heard of formjacking at all, then you probably only have a vague idea of what it is. Perhaps you’ve heard that it’s the internet version of an ATM skimmer, or perhaps you’ve heard that it’s a way for cybercriminals to get really rich, really quick.
For those who’ve never heard of it, formjacking has just been highlighted in the newest Symantec Internet Security Threat Report. The report lists this latest cybercrime as one of the most serious and lucrative attacks in the history of cyber-badness. And unlike ransomware, it’s relatively simple to carry out, and it’s nearly impossible for the victims to detect. Symantec says that it’s so successful that about 4,800 websites are infected with formjacking software every month.
What happens is that a bad actor places a small piece of code onto an e-commerce website and then waits. In a typical event, the code reads credit card information as the victim enters it, and then sends that information to the bad guy. Meanwhile, the actual e-commerce transaction goes through as if nothing has happened. The victim never knows that the credit card information has been stolen—until it shows up on a malicious website or until charges start showing up on credit card statements.
“From a consumer standpoint, there’s nothing to see,” said Kevin Haley, Director of Product Management for Security Response at Symantec. “It’s the equivalent of a skimmer at an ATM, unless you can go through the code on a website.”
But chances are, you won’t find it even if you look. Malware developers are excellent at disguising malicious code as harmless or routine. Basically, if you visit a formjacked page and fill out the form, then you’re screwed. Your data is going somewhere besides where you think it will.
“It’s up to the website owners to protect against this threat,” Haley said. He noted that some major e-commerce sites, including British Airways, have been caught with formjacking software on their websites, “but small and medium businesses are more likely to be affected.”
Haley said that the reason smaller businesses are a target is that they’re less likely to have the more sophisticated protections that larger sites have. “They like the low and slow approach,” he said.
How to Protect Your Website
“Some of these attacks are going through third-party applications such as chats and surveys,” Haley explained, saying that it’s important to have a strong relationship with the supplier of such software.
“You should test updates before using them,” Haley advised. Then “scan your websites looking for unexpected code.”
Haley said that, for a variety of reasons, it’s important to find tools that will let you lock down your websites and alert you if there are any changes. He said that this includes following security best practices for managing and protecting your websites, especially any e-commerce pages that you may be running.
This is especially the case if your e-commerce pages touch another website for tasks such as credit card processing. You need to confirm that your website is clear of such malicious code, and you also need to make sure that any third-party websites with which your website code might be communicating are also clear.
One means of combatting this is to use Subresource Integrity (SRI) tags. These tags allow a browser to verify that the material it receives is delivered without unexpected manipulation. SRI works by providing a hash that a resource must match.
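To make the SRI check concrete, here is an added example (not from the original article or from Symantec) that computes the hash a resource must match and audits a page for third-party scripts that lack one or no longer match it. The hosts, script bodies and the `fetched` map of currently served content are constructed for illustration.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

ALGS = ("sha512", "sha384", "sha256")  # strongest first, as browsers prefer

def sri_value(content: bytes, alg: str = "sha384") -> str:
    """Build an integrity attribute value: '<alg>-<base64 digest>'."""
    return f"{alg}-{base64.b64encode(hashlib.new(alg, content).digest()).decode()}"

class ScriptCollector(HTMLParser):
    """Records (src, integrity) for every <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def audit_page(html: str, page_url: str, fetched: dict) -> list:
    """Flag cross-origin scripts whose integrity value is absent or stale."""
    # `fetched` maps absolute script URL -> bytes served there now (caller-supplied).
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity in collector.scripts:
        url = urljoin(page_url, src)  # resolves relative and //host/ forms
        if urlsplit(url).netloc == urlsplit(page_url).netloc:
            continue  # same-origin script: covered by your own file monitoring
        tokens = (integrity or "").split()
        alg = next((a for a in ALGS if any(t.startswith(a + "-") for t in tokens)), None)
        if alg is None:
            findings.append((url, "missing-integrity"))
        elif url not in fetched:
            findings.append((url, "not-fetched"))
        elif sri_value(fetched[url], alg) not in tokens:
            findings.append((url, "hash-mismatch"))  # a browser would refuse to run it
    return findings

# Constructed sample data (hypothetical hosts and script bodies).
PAGE_URL = "https://shop.example/checkout"
CHAT_URL = "https://chat.vendor.example/widget.js"
SURVEY_URL = "https://survey.vendor.example/s.js"
GOOD_JS = b"function openChat(){ /* vendor widget */ }"
TAMPERED_JS = GOOD_JS + b"/* unexpected extra code */"
HTML = f"""<form id="pay"><input name="card"></form>
<script src="/js/cart.js"></script>
<script src="{CHAT_URL}" integrity="{sri_value(GOOD_JS)}" crossorigin="anonymous"></script>
<script src="{SURVEY_URL}"></script>"""
print(audit_page(HTML, PAGE_URL, {CHAT_URL: TAMPERED_JS, SURVEY_URL: b"poll()"}))
```

A `hash-mismatch` finding means the vendor's file changed after the hash was pinned, which is the cue to review the update before re-pinning it.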
How to Monitor Your Outbound Traffic
In addition to monitoring your website and looking for malicious code, you can also monitor your outbound traffic using your next-generation firewall or other security appliances. While these may not be able to determine that the traffic from the formjacking software is malicious, they can tell it’s going somewhere it’s not supposed to go.
If you start seeing such suspicious traffic, then it’s time to investigate your website, looking for malicious code on your pages. Of course, you should also look for malicious code elsewhere on your website as well since it’s possible that some other malicious software has infected your network.
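The outbound check described above can be sketched as follows. This is an added example, not part of the original article: the log format, the addresses and the baseline of expected destinations are all constructed, and a real firewall or proxy export will need its own parser.

```python
import re
from collections import defaultdict

# Assumed baseline: the only destinations this web tier should ever contact.
EXPECTED = {"api.payments.example", "cdn.shop.example"}

LINE = re.compile(
    r"src=(?P<src>\S+) dst_host=(?P<dst>\S+) dport=\d+ bytes_out=(?P<bytes>\d+)"
)

def is_expected(host: str) -> bool:
    """Match the host itself or a true subdomain, never a look-alike prefix."""
    host = host.lower().rstrip(".")
    return any(host == e or host.endswith("." + e) for e in EXPECTED)

def unexpected_egress(lines):
    """Return (src, dst, connections, bytes_out) for destinations off the baseline."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE.search(line)
        if not m or is_expected(m["dst"]):
            continue
        entry = totals[(m["src"], m["dst"])]
        entry[0] += 1
        entry[1] += int(m["bytes"])
    return sorted((src, dst, n, b) for (src, dst), (n, b) in totals.items())

# Constructed log lines in a made-up key=value format.
LOG = [
    "2019-03-01T10:00:01Z src=10.0.1.20 dst_host=api.payments.example dport=443 bytes_out=1840",
    "2019-03-01T10:00:02Z src=10.0.1.20 dst_host=static.cdn.shop.example dport=443 bytes_out=620",
    "2019-03-01T10:00:05Z src=10.0.1.20 dst_host=api.payments.example.stats-cdn.test dport=443 bytes_out=512",
    "2019-03-01T10:03:11Z src=10.0.1.20 dst_host=api.payments.example.stats-cdn.test dport=443 bytes_out=498",
    "2019-03-01T10:04:40Z src=10.0.1.21 dst_host=API.Payments.Example. dport=443 bytes_out=1790",
]

for finding in unexpected_egress(LOG):
    print(finding)
```

The third and fourth lines are flagged because the destination only begins with an expected name; a naive substring or prefix match against the baseline would have let them through.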
Haley said that, although most of the attention on formjacking software is on credit card theft, there is no reason to think it stops there. “Anything that can be entered into a form can be stolen this way,” he said.
The forms that can be compromised include the obvious, such as log-in credentials, but also financial forms such as loan applications, tax information, social security information, or even health information.
Haley said that some website owners are reluctant to take measures to prevent formjacking because they’re concerned that it might disrupt revenue flow. It’s unlikely that this would happen since the security measures would be transparent to users. But one thing is certain: your revenue flow will surely be interrupted if your customers find out that you’re hosting formjacking malware and didn’t do anything about it.