You Need to Protect Your Website Against Formjacking Right Now

    Formjacking is a new type of attack that’s being compared to ATM skimmers, except that, with formjacking, it’s nearly impossible for users to find out that they’re being attacked until it’s too late. That’s why it’s up to IT pros to defeat this threat.

    Chances are that, if you’ve heard of formjacking at all, then you probably only have a vague idea of what it is. Perhaps you’ve heard that it’s the internet version of an ATM skimmer, or perhaps you’ve heard that it’s a way for cybercriminals to get really rich, really quick.

    For those who’ve never heard of it, formjacking has just been highlighted in the newest Symantec Internet Security Threat Report. The report lists this latest cybercrime as one of the most serious and lucrative attacks in the history of cyber-badness. And unlike ransomware, it’s relatively simple to carry out, and it’s nearly impossible for the victims to detect. Symantec says that it’s so successful that about 4,800 websites are infected with formjacking software every month.

    What happens is that a bad actor places a small piece of code onto an e-commerce website and then waits. In a typical event, the code reads credit card information as the victim enters it, and then sends that information to the bad guy. Meanwhile, the actual e-commerce transaction goes through as if nothing has happened. The victim never knows that the credit card information has been stolen—until it shows up on a malicious website or until charges start showing up on credit card statements.

    “From a consumer standpoint, there’s nothing to see,” said Kevin Haley, Director of Product Management for Security Response at Symantec. “It’s the equivalent of a skimmer at an ATM, unless you can go through the code on a website.”

    And yes, you really can go through the code on a website. Try this: In Chrome or Firefox, right-click on a page and select “View Page Source.” On Edge, click the menu dots, select “Developer tools,” and then you can view the page source with a right click. But unless you understand HTML as well as JavaScript and other programming languages, that won’t help much. If you do, then you may find instructions to read the information from a form and send it to a remote location.

    But chances are, you won’t find it even if you look. Malware developers are excellent at disguising malicious code as harmless or routine. Basically, if you visit a formjacked page and fill out the form, then you’re screwed. Your data is going somewhere besides where you think it will.

    “It’s up to the website owners to protect against this threat,” Haley said. He noted that some major e-commerce sites, including British Airways, have been caught with formjacking software on their websites, “but small and medium businesses are more likely to be affected.”

    Haley said that the reason smaller businesses are a target is that they’re less likely to have the more sophisticated protections that larger sites have. “They like the low and slow approach,” he said.


    How to Protect Your Website

    “Some of these attacks are going through third-party applications such as chats and surveys,” Haley explained, saying that it’s important to have a strong relationship with the supplier of such software.

    “You should test updates before using them,” Haley advised. Then “scan your websites looking for unexpected code.”

    Haley said that, for a variety of reasons, it’s important to find tools that will let you lock down your websites and alert you if there are any changes. He said that this is part of the security best practices for managing and protecting your websites, especially any e-commerce pages that you may be running.

    This is especially the case if your e-commerce pages touch another website for tasks such as credit card processing. You need to confirm that your website is clear of such malicious code, and you also need to make sure that any third-party websites with which your website code might be communicating are also clear.

    One means of combating this is to use Subresource Integrity (SRI) tags. These tags allow a browser to verify that the material it receives is delivered without unexpected manipulation. It works by providing a hash that the resource must match; if the content that arrives hashes to something else, the browser won’t use it.


    How to Monitor Your Outbound Traffic

    In addition to monitoring your website and looking for malicious code, you can also monitor your outbound traffic using your next-generation firewall or other security appliances. While these may not be able to determine that the traffic from the formjacking software is malicious, they can tell it’s going somewhere it’s not supposed to go.

    If you start seeing such suspicious traffic, then it’s time to investigate your website, looking for malicious code on your pages. Of course, you should also look for malicious code elsewhere on your website as well since it’s possible that some other malicious software has infected your network.

    Haley said that just because most of the attention on formjacking software is on credit card theft is no reason to think it stops there. “Anything that can be entered into a form can be stolen this way,” he said.

    The forms that can be compromised include the obvious, such as login credentials, but also financial forms such as loan applications, tax information, social security information, or even health information.

    Haley said that some website owners are reluctant to take measures to prevent formjacking because they’re concerned that it might disrupt revenue flow. That’s unlikely, since the security measures would be transparent to users. But one thing is certain: your revenue flow will surely be interrupted if your customers find out that you’re hosting formjacking malware and didn’t do anything about it.
