Formjacking attacks compromised over 50,000 retailer websites in 2018

News by Jay Jay

Cyber-criminals are continuing to exploit online shopping carts through a technique called 'formjacking' despite high-profile examples and publicity around Magecart and other threat actors.

Formjacking enables an attacker to siphon credit card data the moment it is entered (Pic: Tetra Images/Getty Images)

A massive slump in the value of cryptocurrencies coupled with decreasing effectiveness of ransomware attacks has forced cyber-criminals to employ a new technique named formjacking to steal payment card details and other personal information of people from e-commerce websites.

Formjacking involves attackers inserting malicious code into retailers’ websites to steal shoppers’ payment card details and other personal information that people fill in while making purchases or signing up on e-commerce websites.  

This form of attack came into prominence last year when well-known organisations such as TicketMaster UK, Newegg, Home Depot, Target and British Airways suffered massive breaches after a hacker group called Magecart inserted malicious code into their websites to steal payment card information of hundreds of thousands of customers.

"Magecart injects scripts designed to steal sensitive data that consumers enter into online payment forms on e-commerce websites directly or through compromised third-party suppliers used by these sites. Recently, Magecart operatives placed one of these digital skimmers on Ticketmaster websites through the compromise of third-party functionality resulting in a high-profile breach of Ticketmaster customer data," noted researchers at RiskIQ.

Similarly, the hacker group used 22 lines of malicious script to modify genuine scripts on the British Airways website and extracted information from payment forms before transferring such information to a remote server. Using this tactic, the hackers stole over 380,000 credit card details and netted more than £13 million.

According to Symantec's new Internet Security Threat Report, cyber-criminals are using formjacking techniques to compromise more than 4,800 unique retailer websites every month while significantly increasing the number of such attacks by several times during online shopping seasons when retailer websites generate a lot more traffic than in any other period.

Even though a lot of people are now aware of how this technique enabled hackers to target websites owned by major organisations, Symantec noted that websites owned by small and medium-size retailers are, by and large, the most widely compromised using this technique.

"Formjacking represents a serious threat for both businesses and consumers. Consumers have no way to know if they are visiting an infected online retailer without using a comprehensive security solution, leaving their valuable personal and financial information vulnerable to potentially devastating identity theft," said Greg Clark, CEO of Symantec.

"For enterprises, the skyrocketing increase in formjacking reflects the growing risk of supply chain attacks, not to mention the reputational and liability risks businesses face when compromised."

Even though cyber-criminals are constantly targeting poorly configured S3 public cloud storage buckets to obtain personal and financial records of millions of people, they have showed great interest in formjacking as they make as much as £35 on the Dark Web for each credit card record they steal.

The fact that Symantec blocked more than 3.7 million formjacking attack attempts in 2018 shows how lucrative this technique has become for hackers.

"Formjacking is akin to virtual ATM skimming. There are a limited number of groups conducting these kinds of attacks, but those that do are carrying out large-scale campaigns," said Orla Cox, director of security response at Symantec, told SC Media UK. She said that the challenge for website owners is that it’s not always obvious that the site is compromised. The browser padlock will remain intact and everything will work fine. However, users will have no idea what's going on in the background.

"Retailers have a duty to ensure that their website is properly patched against these kinds of attacks and they have a security tool in place to monitor for exfiltration of data. When it comes to third parties, things get a bit trickier. We're seeing more and more of these kinds of attacks as hackers look for different routes in. Retailers need to make sure they are using reputable providers and are checking in regularly to ensure they have proper security measures in place," Cox added.

According to Javvad Malik, security advocate at AlienVault, since most cyber-attacks are asymmetric, most businesses are unable to defend against such threats as security is not embedded into code development, testing, deployment and architecture.

"Underpinning this would be good monitoring and threat detection capabilities so that threats can be detected in a timely manner – be they outside attacks, user error or unscheduled changes. If a website that processes payments has a code change, monitoring controls should flag that a change has been made, and security teams or system owners should validate the change for appropriateness," he said.

According to Ksenia Peguero, senior research lead at Synopsys, developers and companies usually trust data that is coming from a content delivery network (CDN). But once a CDN gets infected by malware, the scripts it is serving will likely be used by more than one application. Therefore, compromising a CDN provides a wider attack surface.

"We always talk about how we need to do composition analysis and understand what open source libraries we are bringing into our commercial products. But on top of that we should conduct composition analysis and security evaluation of the third-party libraries constantly, as they may be modified by attackers if the storage location such as a CDN or even an internal server is infected by malware or compromised in another way," Peguero added.  

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews