
What is Formjacking?

By: David Ellis
VP, Investigations

What is formjacking? 

Formjacking is a type of cyber attack where hackers inject malicious JavaScript code into a webpage form–most often a payment page form. When a site visitor enters their payment card information and hits submit, that malicious code collects the payment card number–as well as other information like the customer’s name, address, and phone number. The code then sends this information to another location of the attackers’ choosing. 

Formjacking is part of a larger group of attacks known as “supply chain attacks” where hackers target a vulnerable provider within the service/supply chain. In the case of formjacking attacks that seek to siphon credit card numbers, the provider is typically a payment processor. 


E-commerce skimming attacks

As predicted, the move to EMV, or “chip,” security in payment cards has shifted criminals’ efforts away from card-present fraud–such as card skimming–and put the focus on e-commerce. Attackers will take a “shotgun” approach, compromising as many websites as possible at a time, hoping that some might turn out to be lucrative. 

Formjacking attacks are “insidious and nasty, yet so simple,” according to SecurityMetrics CEO Brad Caldwell. All cybercriminals have to do is load malicious code into e-commerce shopping cart pages, disguise it well enough to be missed, and wait for the submissions to come in. In some cases, malicious code is disguised as a Google tag or as a domain that sounds related to the website or payment processor.

Symantec reported that on average, 4,800 unique websites are compromised with formjacking code each month. This ongoing, lucrative effort by cybercriminals targets providers of all sizes. Recent research by RiskIQ reported that such attacks by the “Magecart” group are actually much more widespread than initially believed. 

What is Magecart?

Known to be active since 2015, "Magecart" refers to at least seven different hacking groups and has become a household name in recent years as these groups were responsible for the well-known cyberattacks on large companies including British Airways, Ticketmaster, and Newegg.

Magecart attack methods involve browser-based injection of malicious JavaScript code, often well-disguised as a Google tag or other common website analytics code snippet. This malicious code "skims" form entry fields for payment card data, names, addresses, and even personal information or protected health information (PHI)–depending on what type of website is attacked.

Magecart attackers are best known for hacking into Magento shopping cart pages, but they are not limited to just payment card data. Formjacking has been discovered on all types of pages and sites: healthcare sites, login pages, etc. 

Skimming through malicious adware, or "malware"

One way hackers introduce JavaScript skimming onto e-commerce pages is through scrolling or rotating ads. When a scrolling ad network introduces malware, we typically see intermittent card data loss. Within a period of a few minutes, a customer's credit card and personal information can be siphoned.

We have seen attackers hack into ad networks and we have also seen more sophisticated hackers invent entire products to trick ad companies into accepting their malicious ads. This is a brilliant strategy on the part of the hacker–they build one tool (their "ad" laced with malicious code) and a third party (the ad network) distributes the tool to hundreds of websites.

How to detect formjacking

Formjacking has no telltale signs. There is no way for a consumer to detect a formjacking attack while it’s happening, and it’s very difficult for the merchant or payment processor to pick up on. With formjacking, any provider that is “downstream” from the affected website can also be affected without the provider’s knowledge. 

When the code on a webpage is compromised, you don’t have typical hints–such as a spoofed URL or non-secure WiFi connection–to alert you that something is wrong. It can take many hours of manual research and work to discover and remove malicious code. 

Some companies claim that products like antivirus or scanning software can detect instances of malicious code insertion, but that is not always the case. 


Why traditional security measures don’t stop formjacking or "JavaScript skimming"

High-end antivirus software may provide some protection for the consumer, but the most commonly used tool to detect unwanted changes to your environment is file integrity monitoring (FIM). When FIM is deployed, it will alert you when it observes changes to the files and/or folders you have set it to monitor.

Traditional FIM tools will monitor executable files, folders, system configuration files, content files, zipped files, etc. FIM is effective at detecting changes to otherwise unchanging environments. But FIM can’t help you detect changes that are made to dynamic environments, such as shopping carts, databases, and the like. Since these environments are almost constantly changing, FIM has no baseline, and therefore cannot function as an intrusion detection tool.
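The baseline problem described above, as an added example (not code from the original post, and not how SecurityMetrics' WIM product works): two clean renders of a dynamic checkout page never match byte for byte, yet the set of hosts the page loads scripts from stays stable and can be compared against an approved list. The page URL, host names, markup and the edit-distance threshold are all constructed assumptions.

```javascript
// Constructed data: page URL, approved script hosts and markup are all made up.
const PAGE_URL = 'https://shop.example/checkout';
const BASELINE_HOSTS = ['shop.example', 'www.googletagmanager.com', 'js.processor.example'];

// Render the checkout page; session and cart contents change on every request.
function render(session, items, extraTag = '') {
  return `<html><body><div id="cart" data-session="${session}">${items} items</div>
<script src="/static/checkout.js"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="https://js.processor.example/v2/pay.js"></script>${extraTag}</body></html>`;
}
const cleanA = render('a1f3', 2);
const cleanB = render('9c7e', 5);
// Injected tag on a look-alike analytics host (constructed, reserved TLD).
const infected = render('77b0', 1, '<script src="//www.googletagmanaqer.example/gtm.js"></script>');

// Hosts of all external scripts; relative and protocol-relative URLs are
// resolved against the page URL.
function scriptHosts(html, pageUrl) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const hosts = [...html.matchAll(re)].map((m) => new URL(m[1], pageUrl).hostname.toLowerCase());
  return [...new Set(hosts)].sort();
}

// Levenshtein distance between two strings (single-row dynamic programming).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = tmp;
    }
  }
  return row[b.length];
}

// Host name without its last label, a rough stand-in for "the brand part".
const stem = (h) => (h.includes('.') ? h.slice(0, h.lastIndexOf('.')) : h);

// Script hosts missing from the baseline, each with the approved host it
// imitates (edit distance <= 2 on the stem) or null.
function auditPage(html, pageUrl, baseline) {
  return scriptHosts(html, pageUrl)
    .filter((h) => !baseline.includes(h))
    .map((host) => ({ host, resembles: baseline.find((b) => editDistance(stem(host), stem(b)) <= 2) || null }));
}

console.log(cleanA === cleanB, auditPage(cleanB, PAGE_URL, BASELINE_HOSTS), auditPage(infected, PAGE_URL, BASELINE_HOSTS));
```

This inspects static markup only; inline scripts and tags created at runtime need a check against the rendered page.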

How to protect against formjacking 

SecurityMetrics’ Webpage Integrity Monitoring (WIM) product is built on a patented technology able to find and mitigate malicious injected code on webpages. SecurityMetrics is currently conducting a pilot program with a select few corporations. 

If you are interested in participating in the WIM pilot program, or would like to know more about WIM, please contact our forensics department here, or email 

David Ellis (GCIH, QSA, PFI, CISSP) is VP of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.
