2017 was the year of ransomware. 2018 was all about cryptojacking. 2019 is shaping up as the year of formjacking.

Drastic decreases in the value of cryptocurrencies such as Bitcoin  mean cybercriminals are looking elsewhere for fraudulent profits.Also the move to EMV, or “chip,” security in payment cards has shifted criminals’ efforts away from card-present fraud–such as card skimming .They devised new method “FormJacking”.

What better place than to steal your banking information straight from the product order form, before you even hit submit. That’s right; they’re not breaking into your bank. Attackers are lifting your data before it even gets that far.

Formjacking attacks are “insidious and nasty, yet so simple,” according to SecurityMetrics CEO Brad Caldwell.This method involves inserting malicious code into the website of an e-commerce provider. The malicious code steals payment information such as card details, names, and other personal information commonly used while shopping online. The stolen data is sent to a server for reuse or sale, the victim unaware that their payment information is compromised.

How FormJacking infect

1.Attacker injects malicious script into targeted web page.
2. User loads web page and fills in form to make purchase.
3. When users submit the form to complete a purchase the form-data are sent to the merchant website.
4. A copy of the form-data, including payment card details, is also sent to the cyber attacker.

Formjacking attacks are simple and lucrative: cyber criminals load malicious code onto retailers’ websites to steal shoppers’ credit card details, with 4,800+ unique websites compromised on average every month. Both well-known (Ticketmaster and British Airways) and small-medium businesses were attacked, conservatively yielding tens of millions of dollars to bad actors last year.

Formjacking has no telltale signs. There is no way for a consumer to detect a this attack while it’s happening, and it’s very difficult for the merchant or payment processor to pick up on. Any provider that is “downstream” from the affected website can also be affected without the provider’s knowledge. 

Symantec reported that on average, 4,800 unique websites are compromised with formjacking code each month. This ongoing, lucrative effort by cybercriminals targets providers of all sizes. Recent research by RiskIQ reported that such attacks by the “Magecart” group are actually much more widespread than initially believed. 

One stolen credit card fetches up to $45 in underground selling forums. With more than 380,000 credit cards stolen, the British Airways attack alone may have netted criminals more than $17 million.

“Formjacking represents a serious threat for both businesses and consumers,” said Greg Clark, CEO, Symantec. “Consumers have no way to know if they are visiting an infected online retailer without using a comprehensive security solution, leaving their valuable personal and financial information vulnerable to potentially devastating identity theft.

For enterprises, the skyrocketing increase in formjacking reflects the growing risk of supply chain attacks, not to mention the reputational and liability risks businesses face when compromised.

A high-end antivirus software may provide some protection for the consumer, but the most commonly used tool to detect unwanted changes to your environment is file integrity monitoring (FIM). When FIM is deployed it will alert you when it observes changes to the files and/or folders you have set it to monitor.  

SecurityMetrics’ Webpage Integrity Monitoring (WIM) product is built on a patented technology able to find and mitigate malicious injected code on webpages. SecurityMetrics is currently conducting a pilot program with a select few corporations.