Formjacking involves using malicious JavaScript code to steal personal and financial information from website forms. Cybercriminals attack the form page itself, then each time someone fills out a form, a duplicate of the entered information is sent to the attacker.
Formjacking can be thought of as new-age card-skimming. You’ve probably heard about the scenario in which a small device — known as a skimmer — is added by criminals to card readers at a point of sale. This device can read and store information from the card’s magnetic strip. Heavily targeted card readers include those at ATMs and gas pumps. These are easily accessible compared to, for example, a card reader located alongside an in-store cash register. Formjacking follows a similar concept to card skimming but has been adapted to the online world. This makes the practice more far-reaching than skimming and easily accessible to cybercriminals across the globe. Formjacking is relatively simple to execute, another likely reason it’s becoming increasingly attractive to data thieves. An attack begins when they insert JavaScript code into the target website. Note that it usually takes the form of a supply chain attack and targets code provided by a third party, not the website itself.
Once the malicious code is in place, when the user enters their information and sends the form to the website, all details are also sent to the attacker. The user hits “Submit” or the equivalent, the transaction goes through as normal so there’s no sign that anything is awry. This is why it’s difficult for either the user or the website owner to detect form jacking until it’s too late.
Examples of form jacking
Sixth June: In October 2019, it was discovered that the checkout page of this fashion retailer’s website had been formjacked. It’s unclear how many customers were affected but it was believed to have been in the thousands.
Ticketmaster: Between September 2017 and June 2018, up to 40,000 Ticketmaster customers fell victim to a form jacking attack. The fault was laid on Inbenta, a chat support tool that had created code for Ticketmaster’s site. The attack was only discovered when an online banking platform, Monzo, discovered that some of its customers’ cards had been compromised.
British Airways: In September 2018, British Airways apologized after 380,000 customers had their card details stolen in a form jacking attack. The attack took place over two weeks and the thieves stole all the information they needed to make an online purchase with the credit card details, including names, addresses, card numbers, expiry dates, and security codes.
Newegg: Online retailer Newegg was the subject of a month-long form jacking attack in August and September 2018. The attack appeared to be almost identical to the British Airways and Ticketmaster cases.
Prevent from jacking
Many of us complete online transactions on a daily basis without a second thought, assuming the websites we’re using are secure and have our backs when it comes to protecting our information. Thankfully, there are a couple of ways we can have a bit more control over the security of our payment information.
One is to consider using a masked credit card. These cards, offered by certain financial institutions, provide you with a set of card details for one-time use, either online or in a store. Once the details have been used, they are no longer valid for future purchases. Masked credit cards are often misleadingly referred to as “fake” credit cards, but they are legitimate forms of payment.
Another option is to look into payment methods that use tokenization. This is another way to add an extra layer of security to credit card payments and is used by systems like Apple Pay and Google Pay. The concept is similar to a masked credit card and a “token” is used to replace the real credit card number.
.jpg)
