Do you think your website is secure? Formjacking may show you that it is not as secure as you think.
This attack technique isn't new, but it has been heavily exploited in recent years.
A 2018 study reported over 3.7 million formjacking attempts, a third of which happened during the summer season.
And a 2019 report from Symantec (an internet security firm) points to around 4,800 websites being compromised by formjacking every month.
So, before I go on, I'll explain what formjacking actually is, why it has been growing lately, and how to detect and prevent it right away.
What Exactly is Formjacking
Formjacking is the interception of the data you enter into an online form, typically a checkout or payment form on an e-commerce site.
The attackers inject malicious JavaScript into the page so that a copy of everything the user types is sent to a server they control, while the legitimate form keeps working as usual.
You could call it the online version of card skimming.
As you might suspect, the criminals then have everything they need to commit fraud, steal identities, or take money straight out of your bank account.
The #1 Reason of Formjacking’s Growth
There are several reasons why I say formjacking has been growing in recent years.
But one main reason is behind its popularity: ease.
For attackers, a single method that captures their victims' most valuable information and often goes unnoticed is like finding a golden treasure.
An illegal and unethical one, for sure.
Just to put this in context: according to Experian, credit card numbers sell for about $5 (US) and PayPal login credentials for around $20 (US).
Generally speaking, 10 stolen credit cards could provide over $2 million every month to criminals' pockets.
If e-commerce stores avoid the risk of storing this information in their own databases (you can see here why), then formjacking is the perfect way to get around that security measure: the data is captured in the browser, before it ever reaches the store.
Experts also mention that the declining popularity of cryptocurrencies has brought the spotlight back to credit card schemes.
Victims of Formjacking (Real-life Examples)
The 2018 British Airways breach is among the biggest known examples of formjacking so far.
The malicious script was inserted into the airline's website through a third-party payment platform. It went completely undetected for a few months, affecting over 380,000 transactions.
The group behind it was named Magecart, and the attack left up to $17 million in losses.
They did the same to Ticketmaster and Newegg, other large e-commerce sites.
While this real-life example was quickly picked up by the news, the real spotlight should be on small and mid-size businesses, which suffer most of the consequences.
But trust me. You won’t be affected by it.
That’s why we’re here. And that’s why you’re reading this today.
How to Detect and Prevent Formjacking
Users might check for the browser padlock (the site's HTTPS certificate) to verify that everything is in order before making a purchase on any site…
But you should know that formjacking bypasses this and other security measures: the malicious script runs inside the legitimate, HTTPS-served page, so the padlock still shows.
So, how is it possible to detect this before you (or your customers) are affected?
The best overall solution is to prevent the malicious code from being injected in the first place. There are tools that identify every unauthorized code change so it can be blocked as soon as possible.
But this is not enough, considering that in most cases the infiltration happens through third-party software (as it did with British Airways, Ticketmaster, and Newegg).
For now, this is what you can do to increase the chances of not getting affected:
- Implement SRI (Subresource Integrity) tags: you declare a cryptographic hash for each script or stylesheet you load, and the browser refuses to run any file whose contents don't match that hash, so a modified third-party script is blocked instead of executed.
- Monitor outgoing traffic: if you notice that data entered into your forms is being sent to a new or unfamiliar address, your site may have a formjacking problem.
- Protect your supply chain: because formjackers take advantage of third-party apps and software, keep an eye on every component of your system. A cybersecurity expert can help you check the system for loopholes.
- Scan for vulnerabilities: scan every part of your site and its code to make sure nothing has changed (and take immediate action if it has).
Believe it or not, a large portion of merchants build their store believing they will be able to handle everything on their own.
While I admire the optimism, it's fair to say this is hardly ever the case.
Protecting your clients and your entire business from ever-evolving technological threats takes much more than that.
Today you have learned about one of the hardest threats to detect.
But don't forget to ask for an expert's helping hand when things get out of yours.
What do you say… Let’s talk?