Formjacking


What is Formjacking?

Formjacking is the software equivalent of credit card skimming. It is a portmanteau combining “form” with part of “hi-jacking.” It steals credit card details from online forms, usually on e-commerce sites. Affected websites still operate as normal, making it difficult to detect. What is formjacking? It is the invisible thief.


Credit card skimming is the theft of credit card details from physical machines such as ATMs. The threat actors introduce a piece of physical hardware either inside the ATM or over an external element of it.

The illegal device takes a copy of the data from the strip on each card used in the ATM. This includes:

  • The credit card number
  • The expiration date
  • The cardholder’s full name

It is also common to install a pinhole camera and point it at the keypad. The camera captures the 4-digit Personal Identification Number (PIN).

Instead of targeting physical devices, formjacking targets forms on e-commerce websites. From the threat actor’s point of view, these forms are a perfect target. They gather personal information about the user and their credit card details.

This provides cyber criminals with everything they need to perform Cardholder Not Present (CNP) credit card fraud. The threat actors seldom abuse the credit card themselves. Instead, they sell all the harvested card details on the Dark Web.

Instead of physically inserting a piece of hardware into a device, the threat actors “inject” some malicious JavaScript code into a web page. The malicious code collects the victim’s credit card number and other personal information and sends the bundle of data to the threat actors.

Importantly, the same information is allowed to pass through to the rest of the website. The victim’s transaction is completed as if nothing untoward happened. As far as the merchant and the customer are concerned, everything worked exactly as expected. The order is placed, the goods are shipped, and no suspicions are raised.

With the introduction of contactless payment cards, physical card skimming became much more difficult. Ironically, that increase in security for physical uses of a payment card helped drive the switch to – and the rapid uptake of – formjacking.

Formjacking is so prevalent now that there are specialist cybercriminal collectives exclusively targeting e-commerce sites.

Techopedia Explains the Formjacking Meaning

A cyberattack where hackers inject malicious code into online forms on legitimate websites to steal users’ sensitive information.

The formjacking definition is a cyberattack where malicious JavaScript code is injected into the online forms of legitimate websites to steal users’ sensitive information. This can include payment details, personal identification numbers, and other private data. The stolen information is secretly transmitted to the attacker’s server as users submit their forms.

Unlike other cyber threats such as phishing or ransomware, formjacking operates inside legitimate websites, which makes it harder to detect. It silently captures data without disrupting the user’s access, allowing continuous and unnoticed data theft, which sets it apart from more immediately disruptive threats such as viruses.

So what’s the meaning of formjacking? It means you always need to stay on your toes when entering details online.

How Does Formjacking Work?

Different techniques are used, but they all lead to the same end result: the exfiltration of personal information and credit card details.

1. Embedding JavaScript Into the Code of a Website

The first technique is to embed JavaScript into a website’s code. This changes the page’s functionality. The added code takes a copy of the sensitive data and sends it to the threat actors. The code is often obfuscated or encoded so that it can’t be directly read by a human without decoding it.

All e-commerce websites must interact with their payment card transaction processing partner. It might be a bank, a credit card company, or an accredited payment partner that sits between merchants and the credit card companies.

The payment partner will supply some form of payment gateway software that has to be included in the website’s architecture. Any words or variable names in the malicious JavaScript that by necessity are left in plain text are often given names that suggest the code is related to Google Analytics, to the payment gateway software, or to cookies.

The domains to which the data is sent often use names that can be misread if they are not carefully examined. Slight misspellings and substitutions, such as using an “i” instead of an “l,” can trick the reader into thinking the domain name is safe.

Here are some real-world examples that have been used in the past:

  • google-analyitics.org
  • google-analytics.cm
  • googietagmanagar.com
  • googlc-analytics.cm
  • api-googles.com
  • tracker-visitors.com

2. Loading a “Downloader” Script Into the Web Page

Another strategy is to load only a tiny “downloader” script into the web page. This small stub of code has only one job. When activated, it downloads the actual formjacking script from a remote hosting location. Threat actors have even used GitHub as the remote location for their malign scripts.

This downloading technique has the advantage that the threat actors can change the code in the malign JavaScript once, and all infected websites will automatically use the updated script the next time they download it.

If the JavaScript is coming from a server maintained by the threat actors, they can examine the meta-data in the request. They can check the IP address, the user-agent, and the referrer and decide whether to send back a malicious script, a clean script, or even nothing at all.

If they suspect the request has come from a security researcher trying to diagnose the attack, the threat actors will vary the responses sent back. This will prevent basic automation tools from analyzing the malicious script.

There have been cases where a deny list on the threat actor’s server contained IP addresses owned by cybersecurity companies. The download of JavaScript to these IP addresses was blocked.

3. Redirecting the User to a Deceptive Website

Another – albeit little-used – technique is to redirect the user to a look-alike website hosted on a server under the control of the threat actors and to return them to the real website once the data entry portion of the purchase has been completed.

Whichever method is used, the code is hooked into some user action, such as a button click on the web page.

Code is added to the website that adds to or replaces the genuine code that is activated when:

  • A form is submitted when the “Buy”, “Submit”, or similar button is clicked.
  • The “Enter” key is pressed, which can indicate a form submission.
  • Mouse button activity is detected.
  • A page load event is triggered to confirm an order has been placed.

Less commonly, the JavaScript can be timer-based. Every half a second or so, it will “scrape” a copy of the data out of the form and harvest it.

What is Magecart?

Magecart refers to a coalition of multiple cybercriminal groups that specialize in digital credit card theft by using formjacking techniques. These groups inject malicious JavaScript code into the payment forms of e-commerce websites to siphon credit card data during transactions.

They exploit vulnerabilities across various web platforms, including third-party components integrated into multiple e-commerce sites. This method allows them to perform wide-reaching attacks that can simultaneously affect multiple websites, increasing their potential to steal massive amounts of data.

Magecart attacks have successfully breached both major retailers and smaller online stores, demonstrating the groups’ ability to adapt and refine their techniques as security measures evolve. That adaptability, and the persistent threat they pose to online commerce, underlines the need for more robust and continuous defenses tailored to this specialized form of attack.

How Do Websites Become Infected?

Any modern, non-trivial website relies on many third-party modules and pieces of code to deliver the experience and functionality that users have come to expect from professional websites.

Formjackers exploit the same sort of vulnerabilities other cybercriminals look for.

Vulnerabilities in Content Management Systems (CMS)
Websites are often built on content management systems (CMS). Like all software, these can have vulnerabilities. Websites that don’t update to the latest version of the CMS will have vulnerabilities that can be exploited.

Risks Associated with Third-Party Code and Plugins
Any third-party code, plugin, or other module might contain vulnerabilities. It’s important to keep these patched and up to date, along with the web server operating system and the core web pages.

E-commerce Software Vulnerabilities
Vulnerabilities have been seen in the e-commerce software itself. These can lead to direct access to the transaction data without having to steal it from the data entered in a form.

Brute-Force Attacks on Administrative Access
Threat actors may try to gain administrative access to the web server by brute-forcing a password. They may try a password obtained from a previous data breach in the hope that the administrator has used the same password in more than one system.

Risks of Malicious Code in Open Source Software
Open source software libraries and tools are being used more commonly than ever before. There have been cases where malicious code has been covertly included in a submission to an open source project that has then been inadvertently included in the released product.

Advert-Related Web Page Infections
Web pages that display adverts have been infected when the threat actors manufactured an advert with a payload containing formjacking code. That advert was submitted to the advertising network, which then unwittingly distributed the tainted advert to thousands and thousands of websites.

How to Detect Formjacking

Formjacking has no visible signs that something is wrong, so the website visitor cannot tell if anything is amiss. The merchant sees purchases coming through at the expected run rate.

If everything seems to be working, the assumption is that everything is fine. What is needed is a tool that can scan and analyze the website to verify that it actually is.

File Integrity Monitoring

File Integrity Monitoring (FIM) is a software tool that scans a target set of files and folders and creates a record of their size, modification times, and other characteristics. This is recorded as the baseline.

If future scans detect any changes to the monitored files, an alert is raised. This works well for static sites, but sites that have dynamic content, such as shopping carts that change as a function of their normal operation, may confuse FIM systems.

The website’s architecture dictates where the dynamic changes take place. If they are purely in a back-end database, FIM will capture changes to web pages. But if some of the web pages are generated in real time, they cannot be baselined, and so an FIM system will not help.

Furthermore, an FIM system cannot detect threats that are embedded in third-party modules, because the module will be baselined with the threat already inside it.

So, for dynamic sites, FIM systems must be supplemented by a communications baseline and connection monitoring. This is effectively a set of allow lists and deny lists that accept or block communications from the website.

Normal web traffic is allowed. Outward connections that aren’t serving up web pages are compared to an allowed list that contains the details of valid outbound connections that will be made by the website – including the third-party modules.

For example, connections from the payment gateway modules are characterized and listed in the allow list. Only connection attempts to the certified remote IP addresses and ports in the allow list are permitted.

Once all valid operational connections to and from the website have been identified, characterized, and added to the allowed lists, the exfiltration of data by transmission becomes impossible.

Redirecting web pages is also blocked, and many of the incoming infection routes are blocked off automatically.

Other Formjacking Threats

Formjacking currently focuses on the theft of payment card data. However, it can, of course, be used to capture any type of data entered into an online form.

This could include online banking, healthcare information, and any type of login credentials. It may also be used to alter the data that is sent through to the genuine website.

For example, in electronic voting systems, the formjacking software could amend a certain percentage of the votes to sway the outcome.

Formjacking is a type of cybercrime that has a particularly insidious potential.

How to Prevent Formjacking

Preventing formjacking involves a combination of proactive security measures and best practices that both developers and website administrators can implement to safeguard their websites.

Here are key recommendations to help protect against this type of cyberattack:


Regular Security Audits
Conduct thorough and regular audits of your website’s code and third-party services to identify and address vulnerabilities that could be exploited for formjacking.

Content Security Policy (CSP)
Implement CSP headers to restrict the sources from which scripts can be loaded. This helps prevent the execution of unauthorized scripts that could be used for formjacking.

Subresource Integrity (SRI)
Use SRI to ensure that files fetched from third-party servers have not been tampered with. SRI uses cryptographic hashes to verify the integrity of the content received from external sources.

Monitor and Update Software
Keep all software, including CMS platforms, plugins, and third-party services, up to date with the latest security patches. Outdated software is a common entry point for attackers.

Secure Data Transmission
Encrypt all data transmitted via forms using HTTPS to prevent interception during transmission.

Employee Training
Educate your development and administrative teams about the risks of formjacking and the importance of following security best practices in their daily operations.

By integrating these strategies into your website management and development processes, you can reduce the risk of falling victim to formjacking attacks and better protect your users’ sensitive information.

Formjacking Examples

Below are some notable real-world examples of formjacking incidents, highlighting the consequences and the lessons learned from each event.

British Airways (2018)

Consequences: Hackers stole personal and payment information from approximately 380,000 transactions and the company faced a £183 million fine under GDPR regulations.

Lessons Learned: Emphasized the need for robust security measures on payment processing systems and compliance with data protection regulations.

Ticketmaster (2018)

Consequences: The personal and payment details of thousands of customers were compromised over several months.

Lessons Learned: Highlighted vulnerabilities in third-party components of websites and the importance of monitoring and securing these elements.

Newegg (2018)

Consequences: Credit card information of potentially millions of customers was stolen over a month by Magecart attackers.

Lessons Learned: Demonstrated the importance of early detection and rapid response to security breaches to minimize damage.

Multiple Universities (2019)

Consequences: Magecart groups targeted over 60 universities and online retailers, stealing countless payment details.

Lessons Learned: Showed the broad scope of formjacking threats and the need for cross-industry cybersecurity awareness and training.

The Bottom Line

Understanding and preventing formjacking is important for the security of both individuals and businesses involved in online transactions. This type of cyberattack, which involves the theft of sensitive information through compromised web forms, poses a serious risk to personal and financial data.

By recognizing the methods used by attackers, such as injecting malicious code into legitimate websites, organizations can better defend against these insidious threats.

Preventive measures, including regular security audits, the use of Content Security Policies, and educating employees about cybersecurity risks, are necessary. These steps help safeguard data and maintain the trust of users who engage with online services.

The threat of formjacking will most definitely continue and evolve as e-commerce and online financial transactions continue to grow. Cybersecurity strategies will need to be constantly updated to keep pace with the sophisticated techniques developed by attackers.


Marshall Gunnell
IT & Cybersecurity Expert

Marshall, a Mississippi native, is a dedicated expert in IT and cybersecurity with over a decade of experience. Along with Techopedia, his bylines can be found on Business Insider, PCWorld, VGKAMI, How-To Geek, and Zapier. His articles have reached a massive readership of over 100 million people. Marshall previously served as the Chief Marketing Officer (CMO) and technical staff writer at StorageReview, providing comprehensive news coverage and detailed product reviews on storage arrays, hard drives, SSDs, and more. He also developed sales strategies based on regional and global market research to identify and create new project initiatives. Currently, Marshall resides in…