What is formjacking?
Formjacking is part of a larger group of attacks known as “supply chain attacks” where hackers target a vulnerable provider within the service/supply chain. In the case of formjacking attacks that seek to siphon credit card numbers, the provider is typically a payment processor.
E-commerce skimming attacks
As predicted, the move to EMV, or “chip,” security in payment cards has shifted criminals’ efforts away from card-present fraud–such as card skimming–and put the focus on e-commerce. Attackers will take a “shotgun” approach, compromising as many websites as possible at a time, hoping that some might turn out to be lucrative.
Formjacking attacks are “insidious and nasty, yet so simple,” according to SecurityMetrics CEO Brad Caldwell. All cybercriminals have to do is load malicious code into e-commerce shopping cart pages, disguise it well enough to be missed, and wait for the submissions to come in. In some cases, the malicious code is disguised as a Google tag or served from a domain that sounds related to the website or payment processor.
Symantec reported that on average, 4,800 unique websites are compromised with formjacking code each month. This ongoing, lucrative effort by cybercriminals targets providers of all sizes. Recent research by RiskIQ reported that such attacks by the “Magecart” group are actually much more widespread than initially believed.
What is Magecart?
Known to be active since 2015, "Magecart" refers to at least seven different hacking groups and has become a household name in recent years as these groups were responsible for the well-known cyberattacks on large companies including British Airways, Ticketmaster, and Newegg.
Magecart attackers are best known for hacking into Magento shopping cart pages, but they are not limited to just payment card data. Formjacking has been discovered on all types of pages and sites: healthcare sites, login pages, etc.
Skimming through malicious adware, or "malware"
We have seen attackers hack into ad networks and we have also seen more sophisticated hackers invent entire products to trick ad companies into accepting their malicious ads. This is a brilliant strategy on the part of the hacker–they build one tool (their "ad" laced with malicious code) and a third party (the ad network) distributes the tool to hundreds of websites.
How to detect formjacking
Formjacking has no telltale signs. There is no way for a consumer to detect a formjacking attack while it’s happening, and it’s very difficult for the merchant or payment processor to pick up on. With formjacking, any provider that is “downstream” from the affected website can also be affected without the provider’s knowledge.
When the code on a webpage is compromised, you don’t have typical hints–such as a spoofed URL or non-secure WiFi connection–to alert you that something is wrong. It can take many hours of manual research and work to discover and remove malicious code.
Some companies claim that products like antivirus or scanning software can detect instances of malicious code insertion, but that is not always the case.
High-end antivirus software may provide some protection for the consumer, but the most commonly used tool for detecting unwanted changes to your environment is file integrity monitoring (FIM). Once FIM is deployed, it alerts you when it observes changes to the files and/or folders you have configured it to monitor.
Traditional FIM tools will monitor executable files, folders, system configuration files, content files, zipped files, etc. FIM is effective at detecting changes to otherwise unchanging environments. But FIM can’t help you detect changes that are made to dynamic environments, such as shopping carts, databases, and the like. Since these environments are almost constantly changing, FIM has no baseline, and therefore cannot function as an intrusion detection tool.
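An added example, not code from this post or from SecurityMetrics' WIM product, showing one way around the "no baseline" problem on dynamic pages: instead of hashing the whole checkout page, baseline only its script inventory (the hosts of external script tags and a hash of each inline script body), so changing order numbers and totals produce no alert while a newly injected script tag does. The sample pages and hostnames are constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptInventory(HTMLParser):
    # Records hosts of external <script src> tags and a SHA-256 of each inline <script> body.
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = set(), set(), None

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(urlparse(src).hostname or src)
        else:
            self._buf = []            # inline script: start collecting its body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.inline.add(hashlib.sha256(body).hexdigest())
            self._buf = None

def inventory(html):
    p = ScriptInventory()
    p.feed(html)
    return p.external, p.inline

def new_scripts(baseline_html, current_html):
    """Scripts present now that were absent from the baseline capture."""
    b_ext, b_inl = inventory(baseline_html)
    c_ext, c_inl = inventory(current_html)
    return sorted(c_ext - b_ext), sorted(c_inl - b_inl)

# Constructed sample pages. The order number and total differ on every load, so a
# whole-file hash would alert on each visit; only the third script is actually new.
BASELINE = ('<div id="cart">Order #1001 total $49.00</div>'
            '<script src="https://cdn.example-shop.test/checkout.js"></script>'
            '<script>initCheckout();</script>')
CURRENT = ('<div id="cart">Order #1002 total $12.50</div>'
           '<script src="https://cdn.example-shop.test/checkout.js"></script>'
           '<script>initCheckout();</script>'
           '<script src="https://examp1e-shop-tag.test/gtag.js"></script>')
```

Run `new_scripts(BASELINE, CURRENT)` against a capture of each page load; a non-empty result is the signal to pull the page for manual review, which is the part of the work this cannot replace.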
How to protect against formjacking
SecurityMetrics’ Webpage Integrity Monitoring (WIM) product is built on a patented technology able to find and mitigate malicious injected code on webpages. SecurityMetrics is currently conducting a pilot program with a select few corporations.
If you are interested in participating in the WIM pilot program, or would like to know more about WIM, please contact our forensics department here, or email firstname.lastname@example.org.
David Ellis (GCIH, QSA, PFI, CISSP) is VP of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.