The February 2019 Symantec Internet Threat Security Report includes a startling statistic – 4,800 websites are compromised with formjacking code each month. If you have never heard of formjacking, you are not alone. It is the new kid on the block of cyber attacks. Let’s take a closer look at formjacking and why you need to be aware of this highly lucrative attack.
What is Formjacking
According to the Symantec report, formjacking is when “cyber criminals load malicious code onto retailers’ websites to steal shoppers’ credit card details.” To be more specific, attackers find targeted web pages which include forms for transactions, such as eCommerce payments, and hack them to insert small pieces of malicious Javascript code. When a consumer provides details to complete a transaction, such as name, address and payment information, the script captures the data and sends it to the hacker, then seamlessly allows the transaction to proceed. Think of formjacking as a digital version of shoulder surfing.
Why is Formjacking on the Rise?
There are two basic reasons why formjackinng is growing in popularity
- It’s easy to use
- It’s very lucrative
With the increase in the number of sites which offer online forms, it’s easy to find insecure web pages in which to inject the Javascript code — and the code itself is not hard to write. With these recent cyber attacks, it is almost impossible to tell whether a form has been compromised unless you know what to look for in a code level review. There are none of the common visual signs we normally recognize that would flag the page as illegitimate or insecure – the page is served through HTTPS, the lock icon is displayed, the form does not have any changes to display fields or answer capture fields, and the transaction is completed as it would be without the malicious code. The change is so hidden, even the owner of the website can’t tell the difference.
There is a huge amount of money to be made with compromised payment methods. As reported by Symantec, “All it takes is 10 stolen credit cards per compromised website to result in a yield of up to $2.2M per month, as each card fetches up to $45 in underground selling forums.”
That is not a bad payday for not much work. Also, stolen personal information can be used for other nefarious money making purposes, such as virtual kidnapping attacks.
What are the Risks of Formjacking?
The risks associated with formjacking are the same as with any injection attack. They include
- Identity theft
- Identity spoofing
- Privilege escalation
- Access to unauthorized information or content
- Loss of reputation and/or business
How can you Prevent Formjacking?
There is no single easy or simple way to prevent formjacking. The best means of protection is regular auditing of the website’s code by a webmaster or developer. Because the injected Javascript code manipulates the functionality of the impacted text boxes in the web form window, a trained observer will be able to recognize that a code change has occurred. This is one of the reasons why small and medium businesses are often the targets of formjacking attacks – they often do not have the sophistication or bandwidth to provide the level of monitoring needed.
You can provide some additional protection by using Subresource Integrity (SRI) tags to authenticate content via a cryptographic hash used by the web browser to verify that received resources have not been manipulated. You can learn more about SRI tags by visiting the dedicated W3C page.
You can also use your security appliances, such as a firewall, to monitor the outbound traffic from form-based web pages. Observe whether the traffic is going somewhere unexpected. If this pattern is observed, you can focus your code reviews on the impacted pages.
Formjacking attacks can also come through form-based functionality such as online surveys and chats. If you embed these types of functionality into your web site from third party providers, be sure to complete due diligence on the vendor and the software before installation. Test all updates before releasing them to production.
Formjacking is a type of injection attack, but not the only one. Injection is the #1 risk in the OWASP Top 10 – 2017. If you look at the history of the OWASP Top 10, you will see that a few of the risks have been around since the very beginning. One of these is injection, which has held the top spot on the list since 2010.
What Can You Do?
In our Secure Coding with the OWASP Top 10 – 2017 course, we cover 9 different types of injection flaws!
Learn more about how training your developers on mitigating and avoiding injection flaws can strengthen your organization’s security.