What is formjacking, and how does it work?

What is a formjacking attack?

The formjacking hit list can consist of any type of service featuring forms. For instance, healthcare websites could use forms to book appointments. Such forms are likely to request highly confidential information, and it might be appealing to criminals.

Formjacking is a universal threat, not limited to online retail stores. It can compromise any form page and leave little to no signs of the injected formjacking code.

If this attack strategy sounds familiar, it might be because of the notorious Magecart attack. In 2015, this campaign made headlines, compromising forms in some of the biggest retail, travel, and ticket sales providers. Unfortunately, Magecart continues to menace services, recently targeting supply chains. These attacks use formjacking to insert malicious codes and funnel valuable information.

How does formjacking work?

Formjacking can be highly profitable due to its stealthiness and undemanding execution. Let’s look into a formjacking attack from the users’ point of view:

1. A user visits an online store and picks out items to buy.
2. From the cart, the user gets redirected to a checkout page.
3. The form, URL, and everything else seem safe.
4. However, hackers have used cross-site scripting to inject malicious JavaScript code into the website. The script can contain as few as 22 lines. Malicious JavaScript code can be invisible and impossible to detect.
5. The user fills in all required fields and submits the form. This information can include names, addresses, phone numbers, credit card details, and more.
6. The transaction goes without issues, and the online store processes your order.
7. Unfortunately, the malicious JavaScript code sends all submitted details to the people behind the attack.
8. There might be no signs of formjacking until you notice its consequences. These can refer to identity theft or unknown payments from your card.

How do hackers infect forms?

A popular formjacking strategy involves targeting extensions and plugins used on online stores and content management systems (CMSs). Most such hacking attempts are possible due to vulnerabilities in the underlying software. In other words, attackers could exploit, say, a specific WordPress plugin to compromise the website’s forms.

Therefore, website owners must update their CMS and e-commerce platforms. Some online tools can also help monitor site modifications or incoming and outgoing data.

Who is susceptible to formjacking?

It can be easy to assume that formjacking targets smaller businesses and websites. The assumption would be that such services do not have advanced site protections. Sadly, even highly-trusted websites have felt the rampage of these attacks.

In 2018, Magecart siphoned payment and personal information from over 380,000 British Airways users. This means that even larger companies with plenty of resources can suffer from formjacking.

How many websites does formjacking target?

The scope of formjacking can be challenging to estimate. However, reports showcase alarming numbers:

• In 2019, Symantec reported that more than 4,800 websites had their forms targeted monthly.
• In 2020, Symantec shared numbers on the attacks in Q1 2020, with 7,836 websites getting compromised.
• Symantec also revealed which countries hackers target most frequently. These include the United Kingdom, Canada, the United States, France, Brazil, India, Thailand, and Australia.

How to detect formjacking and compromised forms

Unfortunately, users can’t always recognize a formjacking attack before it is too late. Unlike many other online attacks, it has no evident signs.

For instance, phishing or different scams have particular red flags like suspicious URLs or sloppy writing. However, formjacking code is sneaky, letting users fulfill their goals (like paying for items) while it steals submitted data.

So, sophisticated formjacking usually leaves no traces from the visitors’ point of view. Website owners are solely responsible for detecting and mitigating malicious JavaScript scripts.

Luckily, there are ways to shop safely and prevent data transfers to unknown sources:

• Tech-savvy users can inspect website code via browsers’ tools. However, hackers know how to disguise their code as standard operations.
• Users should prefer purchasing goods from well-known shops with quality protection and monitoring.
• Buyers should use credit cards with 3D Secure protection. It means transactions get confirmed only after users provide a unique code as confirmation.

What to do if you become a victim of formjacking

Users might realize that formjacking has stolen their credit card details or other information only after noticing the damage. Here are some recommendations for dealing with unknown parties and their abuse of your data:

• Contact the web owners if you can guess the website with a compromised form. You can protect other buyers or visitors from suffering the same fate. Usually, web owners will need to patch vulnerabilities and update software.
• Cancel the bank card which shows suspicious activities and transactions. Do this by contacting your bank.
• Protect the data you revealed in the form. For instance, Social Security Numbers could have been a required field. Luckily, you can freeze SSNs until the issue is resolved.
• See whether your data and accounts are safe. It is possible that formjacking managed to get information on other accounts you own, like email addresses. Monitor whether they or accounts associated with your email are safe.