Formjacking: What is It and Why Do You Need to Protect Your Site Against It?

You may never have heard of the term ‘formjacking’, but that is about to change, as this type of cyber-attack is becoming increasingly prevalent. People in the cyber security industry have compared formjacking to card skimming at a cash machine: something sits in front of a legitimate payment step (a physical device on the machine, or here a piece of code on the checkout page) and copies the card details as they pass through.

One of the reasons that formjacking is so popular with cybercriminals is that it is almost impossible for users to know that they are being attacked until it is too late to do anything about it. Another reason is that it can be extremely lucrative, allowing criminals to steal large amounts of personal and financial data in a very short time. With so much retail now running through ecommerce sites and online marketplaces, it has never been more important to be aware of these kinds of attacks, and what you can do about them.

What is Formjacking?

Highlighted as one of the fastest growing forms of cyber-attack, formjacking is relatively straightforward to carry out and almost impossible for the individuals whose data is being stolen to detect.

Typically, a cyber criminal injects a small piece of JavaScript into the checkout pages of an ecommerce site, either directly or through a third-party script that the site loads, and then waits for visitors to check out and pay. The code reads personal details (such as credit card information) as they are entered into the form, and sends a copy to a server the criminal controls. The transaction goes through as normal, and neither the victim nor the ecommerce site knows that any information has been intercepted and stolen. Usually, it is not until they are the victim of fraud that users know their information has been compromised, and even then most will be unaware of how it fell into the wrong hands.

For attackers, the success of formjacking rests on inserting the malicious code without being noticed, which usually means disguising it as something harmless, such as a minified library or an analytics tag. Unless a business specifically looks for them, a few extra lines among thousands of lines of legitimate JavaScript are very difficult to spot.
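The step that makes a skimmer profitable is the last one: getting the captured fields off the page. A browser's Content-Security-Policy decides which hosts a page may load scripts from and which hosts it may send data to, so a tight policy on the checkout page takes away most of the skimmer's exit routes. The block below is an added example written for this article, not code from the original post or from any product it mentions: a small evaluator for the CSP directives involved, run against a constructed checkout-page policy and the kinds of request a skimmer makes. The policy, the page origin and every hostname (`shop.example`, `js.psp.example`, `collect.skimmer.example`) are placeholders.

```javascript
// Added example, not code from the original article: a small evaluator for
// the Content-Security-Policy directives that decide where an injected
// skimmer can load from and where it can send what it reads. The policy,
// the page origin and every hostname below are constructed placeholders.

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Does one source expression match the request URL? Covers 'self', 'none',
// scheme-only sources ("https:") and host sources with an optional leading
// "*." wildcard. Keyword sources such as 'unsafe-inline' never match a URL.
// Simplifications: no http->https upgrade rule, no path matching, no IPv6.
function sourceMatches(source, requestUrl, pageOrigin) {
  const req = new URL(requestUrl);
  if (source === "'none'") return false;
  if (source === "'self'") return req.origin === pageOrigin;
  if (source.startsWith("'")) return false;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return req.protocol === source.toLowerCase();

  let scheme = null;
  let hostPort = source;
  const at = source.indexOf('://');
  if (at !== -1) {
    scheme = source.slice(0, at).toLowerCase() + ':';
    hostPort = source.slice(at + 3);
  }
  const [hostPattern, port] = hostPort.split(':');
  if (scheme !== null && req.protocol !== scheme) return false;
  if (port !== undefined && req.port !== port) return false;
  const host = req.hostname.toLowerCase();
  const pat = hostPattern.toLowerCase();
  // "*.cdn.example" matches "a.cdn.example" but, as in the CSP spec, not "cdn.example".
  return pat.startsWith('*.') ? host.endsWith(pat.slice(1)) : host === pat;
}

// Would the browser allow a request governed by `directive` (script-src,
// connect-src, img-src, form-action, ...)? Fetch directives fall back to
// default-src; form-action does not. With no applicable directive at all
// the browser allows the request.
function cspAllows(policy, directive, requestUrl, pageOrigin) {
  const d = parseCsp(policy);
  let sources = d[directive];
  if (sources === undefined && directive !== 'form-action') sources = d['default-src'];
  if (sources === undefined) return true;
  return sources.some((s) => sourceMatches(s, requestUrl, pageOrigin));
}

// Constructed checkout-page policy: only the shop itself and one hypothetical
// payment provider may supply scripts, receive XHR/fetch/sendBeacon traffic,
// serve images or receive a form post.
const CHECKOUT_CSP =
  "default-src 'self'; " +
  "script-src 'self' https://js.psp.example; " +
  "connect-src 'self' https://api.psp.example; " +
  "img-src 'self'; " +
  "form-action 'self'";
const PAGE_ORIGIN = 'https://shop.example';

// Requests a checkout page, or a skimmer injected into it, might make. The
// three exfiltration channels skimmers commonly use are all covered: a
// fetch/sendBeacon call, an image URL carrying the data, and a rewritten
// form action.
function evaluateCheckoutRequests(policy = CHECKOUT_CSP, origin = PAGE_ORIGIN) {
  const requests = [
    ['script-src', 'https://js.psp.example/v3/'],                   // legitimate PSP script
    ['script-src', 'https://cdn.skimmer.example/jquery.min.js'],    // injected external script
    ['connect-src', 'https://api.psp.example/tokens'],              // legitimate tokenisation call
    ['connect-src', 'https://collect.skimmer.example/gate'],        // exfiltration via sendBeacon
    ['img-src', 'https://collect.skimmer.example/p.gif?d=payload'], // exfiltration via image URL
    ['form-action', 'https://collect.skimmer.example/submit'],      // exfiltration via form action
  ];
  return requests.map(([directive, url]) => ({
    directive,
    url,
    allowed: cspAllows(policy, directive, url, origin),
  }));
}

// Stand-alone run: print one line per request.
if (require.main === module) {
  for (const r of evaluateCheckoutRequests()) {
    console.log(`${r.allowed ? 'ALLOW' : 'BLOCK'} ${r.directive.padEnd(11)} ${r.url}`);
  }
}
```

Two caveats that the evaluator makes visible. First, CSP does not stop a skimmer from running if it was inserted into a file the policy already trusts (a first-party bundle, or an allow-listed third-party script); it only limits where the stolen data can go, which is why `connect-src`, `img-src` and `form-action` matter as much as `script-src`, and why `'unsafe-inline'` has no place in a checkout page's `script-src`. Second, a skimmer that can write to an allow-listed host is not blocked at all, so the allow list has to be short and reviewed. Real policies should also carry a `report-to` or `report-uri` directive so that blocked requests reach your monitoring instead of failing silently.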

Which Sites are Targeted?

Formjacking can be used against any organization that collects sensitive information through web forms. This is especially true of sites that process any kind of financial data such as credit card details. Naturally, this means that a lot of retail sites are targeted, but they are not the only ones. Other businesses commonly targeted by formjackers include service providers and transport companies.

The well-publicized Magecart attacks were formjacking campaigns that saw huge businesses including British Airways and Ticketmaster fall victim. The two incidents also illustrate the two usual routes in. At Ticketmaster, a third-party chat widget loaded on payment pages was compromised at the supplier, so the skimmer arrived through code the site had chosen to trust. At British Airways, a JavaScript library served from the airline's own site was modified, so the skimmer sat in first-party code that no third party could have warned them about.

Why Has Formjacking Become So Common?

Formjacking is now an extremely common type of cyber-attack. Because it harvests personal and financial data en masse with little effort, it is highly lucrative for cybercriminals, and for this reason it may soon outnumber ransomware attacks.

Formjacking attacks are particularly common during busy shopping periods such as Black Friday and Christmas, as these are the times when more people use ecommerce sites, so a skimmer captures the most card details in the time before it is found.

Why It’s Important to Protect Your Website

If you have a website and/or develop web applications that process the personal or financial details of individuals, then you need to take the risk of formjacking seriously. It is not just the direct financial damage of the attacks themselves, but also the damage to your reputation if your customers are targeted through your site.

You should also be aware that falling victim to formjacking could place you at risk of being fined under the General Data Protection Regulation (GDPR) for failing to take appropriate steps to protect personal data.

How to Protect Your Website Against Formjacking

Formjacking attacks can be very difficult to detect. One of the most effective ways to reduce the risk is to perform regular web application penetration testing. Web application testing is a proactive cyber security assessment in which an experienced cyber security professional attempts to discover flaws in your systems that could be exploited by criminals, such as an unpatched ecommerce platform, a weak admin login or a vulnerable plug-in, which are the routes through which skimming code is usually inserted.

Using a range of hacking techniques, a tester can show you how an attacker would get code onto your site. Finding code that has already been inserted is a separate task: keep an inventory of every script that your checkout pages load, including third-party ones, and check it regularly against a known-good baseline so that unauthorized code stands out.

Sam Chester Avey has over a decade of experience in business growth management and cyber security. He enjoys sharing his knowledge with other like-minded professionals through his writing. Find out what else Chester has been up to on Twitter: @Chester15611376.

More useful eCommerce articles and infographics are coming your way. Follow CS-Cart on Facebook and Twitter so you don't miss them!