The truth about formjacking

The truth about formjacking

Each month, criminals infiltrate nearly five thousand websites using a type of cyber attack known as formjacking. Any business with an online presence is at risk, ranging from small to enterprise companies across every industry, such as banking, retail, or travel. Major attacks this year included British Airways, Home Depot, Target, and Ticketmaster.

What is formjacking?

Cybercriminals first gain access to a website via a vulnerability in its application code or by compromising a third-party tag used to add functionality,  such as a chatbot or remarketing script. Next, hackers inject malicious code designed to skim credit card, social security, or login credential data, as well as other personally identifiable information (PII) from online forms. When a customer visits the infected page and enters their data, their information is transmitted to both the legitimate business and the cybercriminal simultaneously.

The average duration a formjacking attack is able to operate before detection is 12.7 days. A 2018 attack on British Airways lasted 15 days and as a result, the company now faces more than $230 million in fines.

It’s often difficult to perform routine security checks to protect against formjacking attacks because they aren’t taking place on the server, but in the visitor’s browser, making it a threat that is often well-disguised. When hackers embed a malicious script to skim sensitive information, they often pair it with code that hides their actions if it detects the presence of debugging tools — in other words, discovering them is extremely difficult.

In the case of British Airways, hackers used legitimate SSL certificates and domain names similar to the legitimate BA domain — for example aways.com — to help hide their criminal activity from the unsuspecting parties. Transactions were secure, customers received their airline ticket confirmations, and the airline received payments. On the surface, everything appeared to be business as usual. Meanwhile, hackers stole data from an estimated 380,000 customers.

And using PayPal or other offsite payment processing doesn’t make businesses immune. Hackers can simply point users to a fake checkout form.

Traditional web application security solutions are no longer enough to completely secure modern web applications. While traditional security like a web application firewall (WAF) or security standards like CSP and SRI are still an integral part of any security stack, they simply aren’t able to  cover the entire traffic path or employ proactive defenses against browser-based vulnerabilities. Hacking groups, such as Magecart, are so sophisticated that one in five websites that detect and block an attack are compromised again within an average of 10.5 days.

How to protect your website against formjacking

The best way to prevent a formjacking attack by Magecart groups or other cybercriminals is to use an end-to-end web app security solution that is able to:

  • Offer third-party script and tag protection directly in the browser.
  • Proactively scan web applications for unexpected code.
  • Protect both the origin (either in the cloud or on-premises) and the edge using a cloud-based web application firewall (WAF).

Instart safeguards your website and your customers against formjacking and other attacks that exploit third-party vulnerabilities by blocking access to form fields that contain sensitive information. Instart Tag Control acts as a filter between JavaScript and any HTML forms, allowing developers to protect sensitive data fields without having to worry about code. With Tag Control, website and web application developers can create policies and configurations that specify which fields JavaScript tags can read data from — these policies are typically applied to credit card number fields, address fields or fields any field which contains sensitive information. 

While Instart can’t prevent an actual breach of third-party code, it will provide protection that prevents malicious code from accessing targeted fields — you can’t steal what you can’t see. Blocking access to form fields is the best way to prevent unauthorized data exfiltration. Instart’s coverage protects data across the entire traffic path, from your physical application to the cloud and extends beyond the edge into the browser where customers and attackers interact with your site.

Don’t take a chance on a reputation-ruining data breach. Take the first step to securing your websites and applications against formjacking and other common security threats that put your business at risk. Request a demo and learn more about how Instart can help.