Apogee IT Services

Formjacking Is The Newest Con

Posted on April 17, 2019

Cyberthieves’ dedication to fooling users is never-ending. What is in vogue today is history tomorrow. It leaves users scrambling to remain alert before their pertinent information falls into the wrong hands.

Formjacking is the newest con. It’s quickly becoming more popular than cryptojacking and ransomware and proving to be more detrimental. Formjacking focuses on stealing personally identifiable information (PII).

Online retailers are primary targets. Hackers inject malicious JavaScript code onto e-commerce websites. This allows cybercriminals to collect information from shoppers after it has been submitted. Names, credit-card numbers, home addresses, phone numbers and email addresses are among the data vulnerable to an attack.

This tactic’s popularity skyrocketed in 2018. Symantec reported that 4,818 unique websites were compromised monthly with formjacking code, and that it blocked nearly 3.7 million attacks in that same year. Data from a stolen credit card sold for as much as $45 in underground markets. The report also stated that no more than 10 stolen credit cards could earn cybercriminals as much as $2.2 million per month.

British Airways and Ticketmaster UK were among large businesses that suffered formjacking attacks last year.

  • An attacker stole 380,000 credit cards from British Airways’ website and netted more than $17 million.
  • Ticketmaster officials said customer names, addresses, email addresses, phone numbers, payment details and login details might have been stolen. International consumers who purchased tickets from Sept. 2017 to June 2018 might have been affected. North American customers were not at risk.

Magecart groups have been deemed responsible for these attacks, as well as others. Magecart’s malicious code was first discovered in 2014. Symantec attributes the hacker group’s success to its malicious code being nearly undetectable by consumers.

Small-business e-commerce might be more vulnerable. Limited funding for security puts websites at greater risk, but there are steps to better protect PII. Tracesecurity.com recommends these actions:

  • Be aware of software supply-chain attacks. They are used by formjackers to infect websites and consumer-payment forms.
  • Software updates should be tested in small environments to detect suspicious behaviors.
  • Monitor system activity to identify unwanted patterns and block suspicious applications before damage occurs.
  • Use the content-security feature Subresource Integrity (SRI). It validates assets served by a third party. This ensures assets have not been compromised for hostile purposes.
  • And software package producers must be able to detect trouble in their updates and on websites before they reach e-commerce sites.
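
The SRI recommendation above, as an added example (not code from the original post or from Tracesecurity.com): it generates an `integrity` value for a reviewed third-party script and mirrors the browser's check, so a modified copy is rejected. The script contents and the `cdn.example` URL are constructed placeholders.

```javascript
// Added example: SRI hash generation and a browser-style integrity check (Node.js).
const { createHash } = require('node:crypto');

const STRENGTH = ['sha256', 'sha384', 'sha512']; // weakest to strongest, per the SRI spec

// Build the value that goes in integrity="..." for a reviewed copy of a script.
function sriHash(content, algo = 'sha384') {
  return `${algo}-${createHash(algo).update(content).digest('base64')}`;
}

// Mirror the browser's decision: keep only recognised algorithms, use the
// strongest one present, and accept if any digest for that algorithm matches.
function verifySri(content, integrity) {
  const parsed = integrity.trim().split(/\s+/)
    .map((token) => token.split('?')[0]) // drop optional "?options"
    .map((token) => ({
      algo: token.split('-')[0],
      digest: token.slice(token.indexOf('-') + 1),
    }))
    .filter((m) => STRENGTH.includes(m.algo));
  // No usable metadata means the browser enforces nothing and loads the file.
  if (parsed.length === 0) return true;
  const best = parsed.reduce((a, b) =>
    (STRENGTH.indexOf(b.algo) > STRENGTH.indexOf(a.algo) ? b : a)).algo;
  return parsed.filter((m) => m.algo === best)
    .some((m) => createHash(best).update(content).digest('base64') === m.digest);
}

// Constructed sample data: a vendor script as reviewed, and the same file
// after a supply-chain compromise appended a line (inert placeholder text).
const reviewed = 'function track(e){ /* vendor analytics */ }\n';
const tampered = reviewed + '/* injected line the site owner never reviewed */\n';

const integrity = sriHash(reviewed);
const tag = `<script src="https://cdn.example/vendor.js" integrity="${integrity}" crossorigin="anonymous"></script>`;

console.log(tag);
console.log('reviewed copy loads:', verifySri(reviewed, integrity));
console.log('tampered copy loads:', verifySri(tampered, integrity));
// A misspelled algorithm name is ignored, so the check silently disappears.
console.log('typo still loads tampered copy:',
  verifySri(tampered, integrity.replace('sha384', 'sha348')));
```

SRI only covers files whose content is pinned at review time; a third-party script that changes on every release needs its `integrity` value regenerated after each reviewed update.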

Online shoppers can reduce the risk of having their PII stolen by using strong passwords, using secure VPN connections when logged into public Wi-Fi, updating antivirus programs, avoiding phishing scams and updating operating systems.

The consequences that could result from suffering a formjacking attack are too great to ignore. Consumers trust that the e-commerce companies with which they do business will keep their PII protected, and common sense by users could avoid misery. Organizations or individuals not taking this seriously are put at risk of losing plenty.

These facts are true to form.

To discuss security strategy, email Security Analyst Frank Verdecchia at fverdecchia@apogeeits.com.

Tagged IT Security, Ransomware, Cryptojacking, Bitcoin, Formjacking, Con
