The Security Nightmare of Formjacking

Written by

Formjacking has hit the headlines recently, with malicious actors employing the technique to source valuable personal data. The concept of formjacking was behind the notorious Magecart attack, which claimed high profile victims including British Airways, Ticketmaster, Delta, Newegg and Topps.com Sports Collectibles, so it is well worth becoming familiar with the threat and evaluating how exposed your business may be. 

Formjacking exploits weak security in forms on websites (the parts of a site where the user enters any sort of information into specific data fields). Formjackers insert a few lines of malicious JavaScript into a website with the goal of skimming data; the code is designed to harvest any valuable information users enter into forms.

So while it is tempting to pigeon-hole formjacking as targeting eCommerce, in reality the threat is pretty universal.

Web forms are widely used for a range of purposes: to identify users through security checks, to enable financial transactions, and even just to harvest data for marketing purposes. Because of their prevalence, forms are familiar and feel safe to users, but any effort made in exploiting their security weaknesses is likely to reap lucrative personal information.

From the user's perspective, web forms are so common that most operating systems and browsers allow you to save highly sensitive data to be automatically filled into forms. Understandably, given the length and complexity of credit card and password information, users are very comfortable taking advantage of these timesaving memory-aid tools and trusting them with highly sensitive data.

We cannot blame users for trusting a reputable brand with payment information as part of an essential purchase process, transacted through a familiar form and accredited with additional familiar payment or security branding.

Unlike phishing, formjacking is very difficult for a user to spot. Phishing leaves small clues (bogus URLs, for example), but formjacking's malicious code runs within the authentic site.

Even worse, unlike phishing, the attack can happen even when connecting through a genuine mobile app, which is simply another channel to access the compromised site. This is what happened in the case of the British Airways formjacking attack last year (which affected 380,000 customers).

One of the most popular formjacking strategies so far has been to target extensions and customizable plug-ins for common e-commerce and content management systems. In this way, the effort of a single hack can compromise multiple target organizations. To give an idea of the scale of these malicious campaigns and the potential reach of this form of attack, on average 50 e-commerce merchants using the Magento ecommerce platform were hacked every day between November 2018 and February 2019, according to some estimates.

We are only at the start of what is likely to be a growing trend. Today’s consumers demand a fast and convenient customer experience and we are experiencing a boom in the development and use of mobile apps and chatbots. There’s a huge misconception among users, who generally believe that apps are secure walled environments, rather than a window into the open web.

In reality, in most cases mobile apps are simply a front end for a web application and are consequently no more secure than standard web apps.

As well as these attacks growing in number, we will also see them growing in complexity. We are starting to see formjacking attacks that include a second component, designed specifically to make the attack harder to identify, for instance by clearing the browser's debugger console messages.

Enterprises progressing through digital transformation strategies are developing apps via infrastructure-as-a-service (IaaS). It is important to note that this makes them vulnerable to formjacking attacks, which can prey on any type of web-based data collection.

Fortunately, there are some actions that can be taken by security teams to mitigate the threat of future formjacking attacks.

Web designers often use third-party code or services for form functionality, so start by enforcing a security governance process that covers all third-party elements such as plug-ins and extensions.
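One practical starting point for that governance process is an inventory of every script a form-bearing page loads, checked against the origins the organization has actually approved. The following is an added example written for this article, not code from the original piece; the allowlist, the sample checkout page and the host names in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed allowlist of script origins the organization has approved.
APPROVED_ORIGINS = {"https://shop.example", "https://cdn.example"}


class ScriptInventory(HTMLParser):
    """Collect external script sources, count inline scripts, note forms."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self.has_form = [], 0, False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.has_form = True
        elif tag == "script":
            if attrs.get("src"):
                self.external.append(attrs["src"])
            else:
                self.inline += 1


def audit_page(html, page_url, approved=APPROVED_ORIGINS):
    """Return (finding, detail) pairs: scripts served from unapproved
    origins, and inline scripts on any page that carries a form."""
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for src in inv.external:
        p = urlparse(urljoin(page_url, src))  # resolves relative and // URLs
        if f"{p.scheme}://{p.netloc}" not in approved:
            findings.append(("unapproved-origin", src))
    if inv.has_form and inv.inline:
        findings.append(("inline-script-on-form-page", str(inv.inline)))
    return findings


# Constructed sample checkout page: one approved CDN, one unknown host, one inline block.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js"></script>
<script src="//static.unknown-host.example/loader.js"></script>
<script>window.cfg = {};</script>
</head><body><form action="/pay"><input name="card"></form></body></html>"""

if __name__ == "__main__":
    for finding, detail in audit_page(SAMPLE_HTML, "https://shop.example/checkout"):
        print(finding, detail)
```

Run it against a crawl of the pages that collect payment or login data; any new origin or inline block that appears between runs is a change the governance process should have signed off on.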

Make sure your organization stays on top of patches across all software, including third-party web functionality. Third parties may not go out of their way to publicize vulnerabilities in older versions of their software, so this cannot be overlooked.

If your organization is at some stage of a digital transformation journey, it is necessary to carefully assess the risk exposure of SaaS and IaaS models, detecting and remediating misconfiguration and non-compliance, and adopting technologies able to detect breaches in the cloud.

Most formjacking attacks involve cloud services in some stages of the kill chain (such as reconnaissance and delivery), and only a cloud-native platform can effectively thwart cloud-native threats, unlike traditional on-premise technologies that do not scale and cannot protect users when they access the services from outside the corporate perimeter.