What is Formjacking?
Formjacking is the software equivalent of credit card skimming. The name is a portmanteau of “form” and “hijacking.”
It steals credit card details from online forms, usually on e-commerce sites. Affected websites still operate as normal, making it difficult to detect. What is formjacking? It is the invisible thief.
Credit card skimming is the theft of credit card details from physical machines such as ATMs. The threat actors introduce a piece of physical hardware either inside the ATM or over an external element of it.
The illegal device copies the data from the magnetic stripe of each card used in the ATM. This includes:
- The credit card number
- The expiration date
- The cardholder’s full name
It is also common for a pinhole camera to be installed and pointed at the keypad. The camera captures the 4-digit Personal Identification Number (PIN).
Techopedia Explains
Instead of targeting physical devices, formjacking targets forms on e-commerce websites. From the threat actor’s point of view, these forms are a perfect target. They gather personal information about the user and their credit card details.
This provides cyber criminals with everything they need to perform Cardholder Not Present (CNP) credit card fraud. The threat actors seldom abuse the credit card themselves. Instead, they sell all the harvested card details on the Dark Web.
Instead of physically inserting a piece of hardware into a device, the threat actors “inject” some malicious JavaScript code into a web page. The malicious code collects the victim’s credit card number and other personal information and sends the bundle of data to the threat actors.
Importantly, the same information is allowed to pass through to the rest of the website. The victim’s transaction is completed as if nothing untoward happened. As far as the merchant and the customer are concerned, everything worked exactly as expected. The order is placed, the goods are shipped, and no suspicions are raised.
With the introduction of contactless payment cards, physical card skimming became much more difficult. Ironically, that increase in security for physical uses of a payment card helped drive the switch to – and the rapid uptake of – formjacking.
Formjacking is so prevalent now that there are specialist cybercriminal collectives exclusively targeting e-commerce sites.
Magecart is a loose association of at least seven distinct hacking groups. It concentrates exclusively on formjacking. Magecart has conducted successful attacks against high-profile targets like British Airways, Ticketmaster, and Newegg.
How Does Formjacking Work?
Different techniques are used, but they all lead to the same end result: the exfiltration of personal information and credit card details.
1. Embedding JavaScript Into the Code of a Website
The first technique is to embed JavaScript into the code of a website. This changes the functionality of the web page. The added code takes a copy of the sensitive data and sends it to the threat actors. The code is often obfuscated or encoded so that it can’t be directly read by a human without decoding it.
All e-commerce websites must interact with their payment card transaction processing partner. It might be a bank, a credit card company, or an accredited payment partner that sits between merchants and the credit card companies.
The payment partner will supply some form of payment gateway software that has to be included in the architecture of the website. Any words or variable names in the malicious JavaScript that by necessity are left in plain text are often given names that suggest the code is related to Google Analytics, to the payment gateway software, or to cookies.
The domains to which the data is sent often use names that can be misread if they are not carefully examined. Slight misspellings and substitutions, such as using an “i” instead of an “l,” can trick the reader into thinking the domain name is safe.
Here are some real-world examples that have been used in the past:
- google-analyitics.org
- google-analytics.cm
- googietagmanagar.com
- googlc-analytics.cm
- api-googles.com
- tracker-visitors.com
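The look-alike names above are easy to miss by eye, but they are easy to catch mechanically. The following Node.js script is an added example, not code from the original article: it takes the hostnames a checkout page loads scripts from or sends requests to, folds visually confusable characters (i/l/1, 0/o, rn/m) and measures edit distance against an exact-host allow list, flagging anything within two edits of a legitimate vendor host, or anything carrying a vendor name it has no right to. The allow list, the placeholder gateway host and the vendor token list are assumptions for illustration; the sample hostnames are the ones listed above.

```javascript
// Added example (not from the article): review hostnames seen on a checkout
// page and flag names that imitate an allow-listed vendor host.
// The allow list is an exact-host list and is an assumption for illustration;
// subdomain variants of a vendor must be listed explicitly.
const ALLOWED_HOSTS = [
  'www.google-analytics.com',
  'www.googletagmanager.com',
  'checkout.gateway.example', // placeholder for the real payment gateway host
];

// Vendor names that must never appear in a host that is not on the allow list.
const VENDOR_TOKENS = ['google'];

// Fold visually confusable characters so that "googie" compares equal to "google".
function fold(label) {
  return label.toLowerCase().replace(/rn/g, 'm').replace(/[i1]/g, 'l').replace(/0/g, 'o');
}

// Standard edit distance (insert, delete, substitute), O(|a|*|b|) time and O(|b|) space.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Split "www.google-analytics.com" into its registrable label and suffix.
// Single-label suffixes are assumed here; a real tool should consult the public suffix list.
function splitHost(host) {
  const parts = host.toLowerCase().split('.');
  return {
    label: parts.length > 1 ? parts[parts.length - 2] : parts[0],
    tld: parts.length > 1 ? parts[parts.length - 1] : '',
  };
}

// Returns { host, verdict, nearest } with verdict one of
// 'allowed' (exact match), 'lookalike' (imitates an allowed host) or 'unknown'.
function classifyHost(host) {
  const h = host.toLowerCase();
  if (ALLOWED_HOSTS.includes(h)) return { host: h, verdict: 'allowed', nearest: h };

  const { label, tld } = splitHost(h);
  let best = { allowed: null, distance: Infinity };
  for (const allowed of ALLOWED_HOSTS) {
    const a = splitHost(allowed);
    // A swapped suffix (".cm" for ".com") counts as one edit on top of the label distance.
    const distance = levenshtein(fold(label), fold(a.label)) + (tld === a.tld ? 0 : 1);
    if (distance < best.distance) best = { allowed, distance };
  }

  const carriesVendorName = VENDOR_TOKENS.some((t) => fold(label).includes(fold(t)));
  if (best.distance <= 2 || carriesVendorName) {
    return { host: h, verdict: 'lookalike', nearest: best.allowed };
  }
  return { host: h, verdict: 'unknown', nearest: null };
}

// Everything that is not an exact allow-list match comes back for review, look-alikes first.
function reviewHosts(hosts) {
  return hosts
    .map(classifyHost)
    .filter((r) => r.verdict !== 'allowed')
    .sort((x, y) => (x.verdict === y.verdict ? 0 : x.verdict === 'lookalike' ? -1 : 1));
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample: hosts extracted from a checkout page's script tags and request log.
  const seen = ['www.google-analytics.com', 'google-analyitics.org', 'google-analytics.cm',
    'googietagmanagar.com', 'googlc-analytics.cm', 'api-googles.com', 'tracker-visitors.com'];
  for (const r of reviewHosts(seen)) {
    console.log(`${r.verdict.padEnd(9)} ${r.host}  nearest allowed: ${r.nearest}`);
  }
}
```

The output is a review queue rather than an automatic block list: an unlisted host that happens to contain a vendor name (for example a vendor's own secondary domain) is flagged too, and a person decides whether to add it to the allow list.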
2. Loading a “Downloader” Script Into the Web Page
Another strategy is to load only a tiny “downloader” script into the web page. This small stub of code has only one job. When activated, it downloads the actual formjacking script from a remote hosting location. Threat actors have even used GitHub as the remote location for their malign scripts.
This downloading technique has the advantage that the threat actors can change the code in the malign JavaScript once, and all infected websites will automatically use the updated script the next time they download it.
If the JavaScript is coming from a server maintained by the threat actors, they can examine the metadata in the request. They can check the IP address, the user-agent, and the referrer and decide whether to send back a malicious script, a clean script, or even nothing at all.
If they suspect the request has come from a security researcher trying to diagnose the attack, the threat actors will vary the responses sent back. This will prevent basic automation tools from analyzing the malicious script.
Cases have been seen where a deny-list on the threat actor’s server contained IP addresses owned by cybersecurity companies. The download of the JavaScript to these IP addresses was blocked.
3. Redirecting the User to a Deceptive Website
Another – albeit little-used – technique is to redirect the user to a look-alike website hosted on a server under the control of the threat actors and to return them to the real website once the data entry portion of the purchase has been completed.
Whichever method is used, the code is hooked into some user action, such as a button click on the web page.
The added code supplements or replaces the site’s genuine code that runs when:
- A form is submitted when the “Buy”, “Submit”, or similar button is clicked.
- The “Enter” key is pressed, which can indicate a form submission.
- Mouse button activity is detected.
- A page load event is triggered to confirm an order has been placed.
Less commonly, the JavaScript can be timer-based. Every half a second or so, it will “scrape” a copy of the data out of the form and harvest it.
How Do Websites Become Infected?
Any modern, non-trivial website uses many third-party modules and pieces of code to deliver the experience and functionality that users have come to expect from professional websites.
Formjackers exploit the same sort of vulnerabilities other cybercriminals look for.
- Websites are often built on content management systems (CMS). Like all software, these can have vulnerabilities. Websites that don’t update to the latest version of the CMS will have vulnerabilities that can be exploited.
- Any third-party code, plug-in, or other modules might have vulnerabilities in them. It’s important to keep these patched and up to date, along with the webserver operating system and the core web pages.
- Vulnerabilities have been seen in the e-commerce software itself. These can lead to direct access to the transaction data without having to steal it from the data entered in a form.
- Threat actors may try to gain administrative access to the web server by brute-forcing a password. They may try a password obtained from a previous data breach in the hope that the administrator has used the same password in more than one system.
- Open-source software libraries and tools are being used more commonly than ever before. There have been cases where malicious code has been covertly included in a submission to an open-source project that has then been inadvertently included in the released product.
- Web pages that display adverts have been infected when the threat actors manufactured an advert with a payload containing formjacking code. That advert was submitted to the advertising network, which then unwittingly distributed the tainted advert to thousands and thousands of websites.
How to Detect Formjacking
Formjacking has no visible signs that there is something wrong. The visitor to the website cannot spot if there is anything amiss. The merchant sees purchases coming through at the expected run rate.
If everything seems to be working, the assumption is that everything is OK. What is required is something that can scan and analyze the website to verify that it really is.
File Integrity Monitoring
File Integrity Monitoring (FIM) is a software tool that scans a target set of files and folders and creates a record of their size, modification times, and other characteristics. This is recorded as the baseline.
If future scans detect any changes to the monitored files, an alert is raised. This works well for static sites, but sites that have dynamic content, such as shopping carts that change as a function of their normal operation, may confuse FIM systems.
The architecture of the website dictates where the dynamic changes take place. If they are confined to a back-end database, FIM will still capture changes to the web pages. But web pages that are generated in real time cannot be base-lined, so for those an FIM system will not help.
Furthermore, an FIM system cannot detect threats that are embedded in third-party modules because the module will be base-lined with the threat already inside it.
So, for dynamic sites, FIM systems must be supplemented by a communications baseline and connection monitoring. This is effectively a set of allow lists and deny lists that accept or block communications from the website.
Normal web traffic is allowed. Outward connections that aren’t serving up web pages are compared to an allow list that contains the details of valid outbound connections that will be made by the website – including the third-party modules.
For example, connections from the payment gateway modules are characterized and listed in the allow list. Only connection attempts to the certified remote IP addresses and ports in the allow list are permitted.
Once all valid operational connections to and from the website have been identified, characterized, and added to the allow lists, the exfiltration of data by transmission becomes impossible.
Redirecting web pages is also blocked, and many of the incoming infection routes are blocked off automatically.
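The communications baseline described above comes down to one rule: a server-initiated connection is permitted only if its destination address and port appear on the allow list, and everything else is denied and alerted on. The Node.js script below is an added example, not code from the article: it parses constructed egress log lines from the web server, applies an exact address-and-port allow list, and returns the denied attempts, which is where an exfiltration connection would surface. The addresses (RFC 5737 documentation ranges), ports, process names and log format are all assumptions for illustration; in a real deployment the same rule is enforced in the host firewall or egress proxy, and this logic is what reviews its log.

```javascript
// Added example (not from the article): decide, for each outbound connection the web
// server attempts, whether it is on the egress allow list. All values are constructed.
const EGRESS_ALLOW_LIST = [
  { ip: '203.0.113.10', port: 443, purpose: 'payment gateway API (assumed address)' },
  { ip: '203.0.113.11', port: 443, purpose: 'payment gateway API, secondary (assumed)' },
  { ip: '198.51.100.5', port: 25, purpose: 'order confirmation mail relay (assumed)' },
];

// Constructed sample of server-initiated (outbound) connection attempts in key=value form.
// Inbound client requests are not egress and are not part of this log.
const SAMPLE_EGRESS_LOG = [
  'ts=2024-05-01T10:00:01Z src=web01 dst=203.0.113.10 dport=443 proc=php-fpm',
  'ts=2024-05-01T10:00:02Z src=web01 dst=198.51.100.5 dport=25 proc=postfix',
  'ts=2024-05-01T10:00:03Z src=web01 dst=203.0.113.10 dport=8443 proc=php-fpm',
  'ts=2024-05-01T10:00:04Z src=web01 dst=192.0.2.77 dport=443 proc=php-fpm',
  'malformed line that the parser must skip',
];

// Parse one key=value log line; returns null for lines missing the fields we need.
function parseEgressLine(line) {
  const fields = {};
  for (const m of line.matchAll(/(\w+)=(\S+)/g)) fields[m[1]] = m[2];
  if (!fields.ts || !fields.dst || !fields.dport) return null;
  return {
    ts: fields.ts,
    src: fields.src || '?',
    dst: fields.dst,
    port: Number(fields.dport),
    proc: fields.proc || '?',
  };
}

// Exact ip+port match against the allow list; anything else is denied by default.
// A right address on a wrong port is still denied, which is what catches a
// "known" host being reused for a different purpose.
function evaluateEgress(conn) {
  const rule = EGRESS_ALLOW_LIST.find((r) => r.ip === conn.dst && r.port === conn.port);
  return {
    ...conn,
    decision: rule ? 'allow' : 'deny',
    purpose: rule ? rule.purpose : 'not in allow list',
  };
}

// The denied connections are the ones to investigate: an exfiltration attempt
// from injected script or a server-side component lands here.
function deniedConnections(lines) {
  return lines
    .map(parseEgressLine)
    .filter(Boolean)
    .map(evaluateEgress)
    .filter((c) => c.decision === 'deny');
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const c of deniedConnections(SAMPLE_EGRESS_LOG)) {
    console.log(`DENY ${c.ts} ${c.src} -> ${c.dst}:${c.port} (${c.proc}): ${c.purpose}`);
  }
}
```

Keeping the `purpose` field on every allow-list entry matters in practice: when the payment partner rotates an address, the entry can be updated knowingly instead of the whole list being loosened to make the errors stop.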
Other Formjacking Threats
Formjacking currently focuses on the theft of payment card data. It can, of course, be used to capture any type of data that is entered into an online form.
This could include online banking, healthcare information, and any type of login credentials. It may also be used to alter the data that is sent through to the genuine website.
For example, in electronic voting systems, the formjacking software could amend a certain percentage of the votes to sway the outcome.
Formjacking is a type of cybercrime that has a particularly insidious potential.