Formjacking: the security nightmare CISOs need to know about

(Image credit: Shutterstock/Sergey Nivens)

Ransomware hit the headlines in 2017, cryptojacking became notorious in 2018, so it may come as no surprise that a sophisticated new form of attack is making its mark in 2019. Staying ahead of trends and the security game, malicious actors have latched onto another high-return attack. Their latest weapon of choice: formjacking.

The threat

So how does it work? Forms are used in some manner on most websites: harvesting data for marketing purposes, identifying users through security checks and enabling financial transactions. They are so common that most operating systems and browsers allow you to save highly sensitive data (credit card details, for instance) to be automatically filled into forms. Formjacking sees tiny lines of malicious JavaScript code injected into a website with the goal of skimming data. The code is designed to harvest any valuable information entered into forms by users.

Formjacking was behind the notorious Magecart attack, which claimed high profile victims including British Airways, Ticketmaster, Delta, Newegg and more recently Topps.com Sports Collectibles. The data obtained through this sort of hack can be sold at great profit on the Dark Web or elsewhere. If you imagine that a set of credit card details could sell for around US$45 via the illegal marketplace, you can easily see how malicious actors are able to make huge returns for their efforts.

I believe that one of the reasons formjacking is proving so popular is the large potential attack surface. Common e-commerce and content management systems offer a wide range of extensions and customisable plug-ins that give hackers the most opportunities to embed the malicious code. To give an example for context, the Magento e-commerce platform offers dozens of extensions, with each serving as a potential attack surface for hackers.

To give an idea of the scale of these malicious campaigns and the potential reach of this form of attack, on average 50 e-commerce merchants using the Magento platform were hacked every day between November 2018 and February 2019, according to some estimates. Unfortunately, vendors are reluctant to share information about vulnerabilities with their customers, due in part to a fear of reputational damage, and numbers like these are the consequence.

Users are in the habit of filling in web forms with some of their most private data: online banking passwords, cloud service passwords and personally identifiable information are all demanded as input in forms that users complete daily. As such, users have built up an impression of the web form (when accompanied by trustworthy brands such as their bank) as being an intrinsically safe interface. With a phishing attack, it is possible for vigilant users to spot inaccurate details (like a bogus URL), but with formjacking the threat exists within the authentic site, built into the official form code. Even worse, unlike phishing, the attack can happen even when connecting through a genuine mobile app, which is simply another channel to access the compromised site.

The likely evolution

Today’s consumers demand a fast and convenient customer experience. As a result, we’re experiencing a boom in the development and use of mobile apps and chatbots. In most cases these mobile apps are simply a front end for a web application. Consequently, they are no more secure than standard web apps and are starting to prove a popular attack vector for formjackers. For example, last year’s attack on British Airways that affected 380,000 customers was delivered via the BA mobile app. We are only at the start of what is likely to be a growing trend: a surge in formjacking attacks via mobile apps that expose a larger surface of attack, as users are provided with a false sense of security, believing that transactions happen inside a secure environment, the app, and not the open web.

Businesses must take responsibility for their mobile apps, whether these are consumer or business-facing, and should take care to make security a priority for every component of their value chain that is supplied by a third party.

Just as much of a concern is the frequency and diversity of formjacking attacks, indicating that the threat actors are continually upgrading their malicious code and deploying new delivery mechanisms to infect more users and make the attack harder to identify, for instance by clearing the browser's debugger console messages.

Generally, once threat actors have identified a new opportunistic attack vector, the next step is to target as many victims as possible. While the bulk of formjacking attacks so far have focused on e-commerce, they could soon move beyond into other types of data and forms. It's worth remembering that this type of malware can target any data entered into a web form, including login information and employee details. As enterprises progress their digital transformation strategies, they are increasingly developing apps via infrastructure-as-a-service (IaaS). This makes them vulnerable to formjacking attacks, which can prey on any type of web-based data collection.

The fix

Fortunately for CISOs there are some relatively simple actions they can take to mitigate the threat of future formjacking attacks.

My advice is to start by enforcing a security governance process that must necessarily include all third-party elements such as plug-ins and extensions. Another important aspect of security governance is in making sure the organisation stays on top of patches, another factor of critical importance when it comes to eliminating weak points.
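One check such a governance process can automate is an inventory of every script a payment page loads, flagging third-party scripts that are not on an approved list or are not pinned with a subresource integrity hash. The script below is an added example, not the author's or Netskope's code; the page HTML, host names and allowlist are constructed for illustration.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample checkout page (hosts are hypothetical): a first-party
# script, an allow-listed CDN script pinned with an integrity hash, and a
# script from an unapproved host, the kind of tag an injection leaves behind.
SAMPLE_PAGE = """<html><body>
<form action="/pay" method="post"><input name="card"><input name="cvv"></form>
<script src="/static/app.js"></script>
<script src="https://cdn.example-shop.com/lib.js" integrity="sha384-abc"
        crossorigin="anonymous"></script>
<script src="https://stats-collector.example.net/t.js"></script>
</body></html>"""

ALLOWED_HOSTS = {"cdn.example-shop.com"}  # hypothetical approved third parties

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts = []  # one attribute dict per <script> tag seen

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))

def audit_scripts(html, allowed_hosts):
    """Return (finding, src) pairs for every script that breaks the policy."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.scripts:
        src = attrs.get("src")
        if not src:  # inline JS cannot be pinned with SRI, so flag it for review
            findings.append(("inline-script", "<inline>"))
            continue
        host = urlparse(src).netloc
        if not host:  # relative path: first-party, served from our own origin
            continue
        if host not in allowed_hosts:
            findings.append(("unapproved-host", src))
        elif "integrity" not in attrs:
            findings.append(("unpinned", src))
    return findings

def sri_hash(script_bytes):
    """Integrity attribute value (sha384, base64) for pinning a script body."""
    return "sha384-" + base64.b64encode(hashlib.sha384(script_bytes).digest()).decode()
```

Run against a live page's HTML on a schedule, a new unapproved host or a changed hash is the signal to investigate before card data leaves the form.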

If the organisation is at some stage of a digital transformation journey, it is necessary to carefully assess the risk exposure of SaaS and IaaS models, detecting and remediating misconfiguration and non-compliance, and adopting technologies able to detect breaches in the cloud. Most formjacking attacks involve cloud services in some stages of the kill chain (like reconnaissance and delivery). Only a cloud-native platform can effectively thwart cloud-native threats; traditional on-premise technologies do not scale and cannot protect users when they access the services from outside the corporate perimeter.

Paolo Passeri, Cyber Intelligence Principal, Netskope