What is formjacking?
Formjacking is part of a larger group of attacks known as “supply chain attacks” where hackers target a vulnerable provider within the service/supply chain. In the case of formjacking attacks that seek to siphon credit card numbers, the provider is typically a payment processor.
A focus on e-commerce attacks
As predicted, the move to EMV, or “chip,” security in payment cards has shifted criminals’ efforts away from card-present fraud and put the focus on e-commerce. Attackers will take a “shotgun” approach, compromising as many websites as possible at a time, hoping that some might turn out to be lucrative.
Formjacking attacks are “insidious and nasty, yet so simple,” according to SecurityMetrics CEO Brad Caldwell. All cybercriminals have to do is load malicious code into e-commerce shopping cart pages, disguise it well enough to be missed, and wait for the submissions to come in. In some cases, the malicious code is disguised as a Google tag or served from a domain that sounds related to the website or its payment processor.
Symantec reported that on average, 4,800 unique websites are compromised with formjacking code each month. This ongoing, lucrative effort by cybercriminals targets providers of all sizes. Recent research by RiskIQ reported that such attacks by the “Magecart” group are actually much more widespread than initially believed.
How to detect formjacking
Formjacking has no telltale signs. There is no way for a consumer to detect a formjacking attack while it’s happening, and it’s very difficult for the merchant or payment processor to pick up on. With formjacking, any provider that is “downstream” from the affected website can also be affected without the provider’s knowledge.
When the code on a webpage is compromised, you don’t have typical hints, such as a spoofed URL or a non-secure WiFi connection, to alert you that something is wrong. It can take many hours of manual research and work to discover and remove malicious code.
Some companies claim that products like antivirus or scanning software can detect instances of malicious code insertion, but that is not always the case.
Why traditional security measures don’t stop formjacking
The most commonly used tool to detect unwanted changes to your environment is file integrity monitoring (FIM). When FIM is deployed it will alert you when it observes changes to the files and/or folders you have set it to monitor.
Traditional FIM tools monitor executable files, folders, system configuration files, content files, zipped files, etc. FIM is effective at detecting changes to otherwise unchanging environments. But FIM can’t help you detect changes made to dynamic environments, such as shopping carts, databases, and the like. Since these environments are almost constantly changing, FIM has no stable baseline to compare against, and therefore cannot function as an intrusion detection tool for them.
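The following is an added example, not code from the original post and not SecurityMetrics’ product. It illustrates the two points above in working code: a hash-based FIM check fires on every render of a constructed shopping cart page because the CSRF token and cart total change per request (so it has no usable baseline), while a webpage-level check that inventories only the page’s script tags stays quiet on legitimate renders and flags a script loaded from a lookalike domain, the disguise technique described earlier. The HTML pages, the allowlist of script hosts and the domain names are all constructed for this example.

```python
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample renders of a cart page (not from the post). The CSRF token
# and total differ per request, but the set of scripts is the same.
CLEAN_CART_RENDER_1 = """<html><body>
<form action="/checkout" method="post">
<input type="hidden" name="csrf" value="a1b2c3">
<p>Total: $42.00</p>
<input name="card_number">
</form>
<script src="https://www.googletagmanager.com/gtag/js?id=GT-EXAMPLE"></script>
<script>initCart();</script>
</body></html>"""

CLEAN_CART_RENDER_2 = CLEAN_CART_RENDER_1.replace("a1b2c3", "d4e5f6").replace("$42.00", "$17.50")

# Constructed injected render: same page plus a script from a lookalike host
# and an extra inline script whose body is a harmless placeholder.
INJECTED_CART_RENDER = CLEAN_CART_RENDER_2.replace(
    "</body>",
    '<script src="https://www.googletagmanager-cdn.example/gtag.js"></script>\n'
    "<script>/* placeholder for injected inline code */</script>\n</body>",
)


def file_fingerprint(content: str) -> str:
    """SHA-256 of the whole file, as a traditional FIM tool would record it."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def fim_check(baseline: str, current: str) -> bool:
    """Traditional FIM: return True (alert) whenever the file hash changes."""
    return file_fingerprint(baseline) != file_fingerprint(current)


class ScriptInventory(HTMLParser):
    """Collect external script sources and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []        # src values of <script src=...>
        self.inline_hashes = []   # sha256 of each inline <script> body
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip()
            self.inline_hashes.append(hashlib.sha256(body.encode("utf-8")).hexdigest())


def script_inventory(html: str) -> ScriptInventory:
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser


def host_of(src: str):
    """Host part of an absolute or protocol-relative URL; None for same-origin paths."""
    match = re.match(r"^(?:https?:)?//([^/?#]+)", src)
    return match.group(1).lower() if match else None


# Constructed allowlist: the hosts the merchant knowingly loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "js.paymentprocessor.example"}

# Baseline taken from a known-good render; inline scripts here carry no per-request data.
BASELINE_INLINE_HASHES = set(script_inventory(CLEAN_CART_RENDER_1).inline_hashes)


def check_page_scripts(html: str, allowed_hosts: set, baseline_inline_hashes: set) -> list:
    """Webpage-level check: ignore dynamic page content entirely and flag only
    script tags whose host is outside the allowlist or whose inline body is
    not in the baseline set. Exact host matching means a lookalike domain
    such as 'googletagmanager-cdn.example' does not pass as the real one."""
    inventory = script_inventory(html)
    findings = []
    for src in inventory.external:
        host = host_of(src)
        if host is not None and host not in allowed_hosts:
            findings.append(f"unexpected external script host: {host}")
    for digest in inventory.inline_hashes:
        if digest not in baseline_inline_hashes:
            findings.append(f"unknown inline script (sha256 {digest[:12]}...)")
    return findings


if __name__ == "__main__":
    print("FIM alerts on a clean re-render:", fim_check(CLEAN_CART_RENDER_1, CLEAN_CART_RENDER_2))
    print("Script check, clean render:", check_page_scripts(CLEAN_CART_RENDER_2, ALLOWED_SCRIPT_HOSTS, BASELINE_INLINE_HASHES))
    print("Script check, injected render:", check_page_scripts(INJECTED_CART_RENDER, ALLOWED_SCRIPT_HOSTS, BASELINE_INLINE_HASHES))
```

The design choice worth noting is what the second check leaves out: it never hashes the form, the prices or the tokens, so ordinary cart activity produces no alerts, and the only things that raise one are a script host outside the merchant’s own allowlist or an inline script body not seen in the baseline. In practice the baseline would be rebuilt as part of each legitimate deployment, and inline scripts that embed per-request values would need that dynamic part normalized out before hashing.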
SecurityMetrics’ Webpage Integrity Monitoring
SecurityMetrics’ Webpage Integrity Monitoring (WIM) product is a patented technology able to find and mitigate malicious injected code on webpages. SecurityMetrics is currently conducting a pilot program with a select few corporations.
If you are interested in participating in the WIM pilot program, or would like to know more about WIM, please contact our forensics department here, or email email@example.com.
David Ellis (GCIH, QSA, PFI, CISSP) is VP of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience.