What is Formjacking?

By: David Ellis
VP, Investigations

What is formjacking? 

Formjacking is a type of cyber attack where hackers inject malicious JavaScript code into a webpage form–most often a payment page form. When a site visitor enters their payment card information and hits submit, that malicious code collects the payment card number–as well as other information like the customer’s name, address, and phone number. The code then sends this information to another location of the attackers’ choosing. 

Formjacking is part of a larger group of attacks known as “supply chain attacks” where hackers target a vulnerable provider within the service/supply chain. In the case of formjacking attacks that seek to siphon credit card numbers, the provider is typically a payment processor. 

A focus on e-commerce attacks

As predicted, the move to EMV, or “chip,” security in payment cards has shifted criminals’ efforts away from card-present fraud and put the focus on e-commerce. Attackers will take a “shotgun” approach, compromising as many websites as possible at a time, hoping that some might turn out to be lucrative. 

Formjacking attacks are “insidious and nasty, yet so simple,” according to SecurityMetrics CEO Brad Caldwell. All cybercriminals have to do is load malicious code into e-commerce shopping cart pages, disguise it well enough to be missed, and wait for the submissions to come in. In some cases, the malicious code is disguised as a Google tag or loaded from a domain that sounds related to the website or payment processor.

Symantec reported that on average, 4,800 unique websites are compromised with formjacking code each month. This ongoing, lucrative effort by cybercriminals targets providers of all sizes. Recent research by RiskIQ reported that such attacks by the “Magecart” group are actually much more widespread than initially believed. 

How to detect formjacking

Formjacking has no telltale signs. There is no way for a consumer to detect a formjacking attack while it’s happening, and it’s very difficult for the merchant or payment processor to pick up on. With formjacking, any provider that is “downstream” from the affected website can also be affected without the provider’s knowledge. 

When the code on a webpage is compromised, you don’t have typical hints–such as a spoofed URL or non-secure WiFi connection–to alert you that something is wrong. It can take many hours of manual research and work to discover and remove malicious code. 

Some companies claim that products like antivirus or scanning software can detect instances of malicious code insertion, but that is not always the case. 

Why traditional security measures don’t stop formjacking

The most commonly used tool to detect unwanted changes to your environment is file integrity monitoring (FIM). When FIM is deployed, it alerts you when it observes changes to the files and/or folders you have set it to monitor.

Traditional FIM tools will monitor executable files, folders, system configuration files, content files, zipped files, etc. FIM is effective at detecting changes to otherwise unchanging environments. But FIM can’t help you detect changes that are made to dynamic environments, such as shopping carts, databases, and the like. Since these environments are almost constantly changing, FIM has no baseline, and therefore cannot function as an intrusion detection tool.
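A dynamic cart page has no file baseline, but a merchant can still compare the hosts its rendered payment page loads script from against an approved list, which also surfaces the "sounds related" lookalike domains described earlier. The following is an added example, not code from SecurityMetrics or its WIM product; the allowlist, host names and sample page are constructed assumptions.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this merchant has approved to serve script on the payment page.
ALLOWED_HOSTS = {"shop.example", "www.googletagmanager.com", "js.pay-processor.example"}

# Constructed sample of a rendered checkout page (not taken from a real site).
SAMPLE_PAGE = """
<form action="/checkout"><input name="cardnumber"></form>
<script src="/static/cart.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=PLACEHOLDER"></script>
<script src="https://js.pay-processor.example/v2/fields.js"></script>
<script src="//js.pay-process0r.example/v2/fields.js"></script>
<script src="https://cdn.stats-collector.example/a.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
"""

class ScriptCollector(HTMLParser):
    """Records the host of every external script and counts inline scripts."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.hosts, self.inline = page_host, set(), 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            self.inline += 1          # inline code has no host; review it separately
            return
        # Relative URLs load from the page's own host.
        self.hosts.add((urlparse(src).hostname or self.page_host).lower())

def audit_scripts(html, page_host, allowed=ALLOWED_HOSTS):
    """Return ([(host, reason), ...], inline_script_count) for one rendered page."""
    collector = ScriptCollector(page_host)
    collector.feed(html)
    findings = []
    for host in sorted(collector.hosts - set(allowed)):
        # A near match to an approved host suggests a deliberate disguise.
        near = difflib.get_close_matches(host, list(allowed), n=1, cutoff=0.8)
        reason = f"lookalike of {near[0]}" if near else "not on allowlist"
        findings.append((host, reason))
    return findings, collector.inline

if __name__ == "__main__":
    for host, reason in audit_scripts(SAMPLE_PAGE, "shop.example")[0]:
        print(f"{host}: {reason}")
```

A host comparison does not catch modified code served from an approved host or code injected inline, so the inline count is returned for separate review.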

SecurityMetrics’ Webpage Integrity Monitoring  

SecurityMetrics’ Webpage Integrity Monitoring (WIM) product is a patented technology able to find and mitigate malicious injected code on webpages. SecurityMetrics is currently conducting a pilot program with a select few corporations. 

If you are interested in participating in the WIM pilot program, or would like to know more about WIM, please contact our forensics department here, or email 

David Ellis (GCIH, QSA, PFI, CISSP) is VP of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.