Formjacking: The Invisible Pickpockets of the Digital Age

| January 18, 2024

Imagine filling out an online form, perhaps buying concert tickets or booking a hotel room. Everything seems normal, you click submit, and...bam! Your data, from credit card numbers to addresses, is taken by digital thieves operating behind the scenes. This form of theft is known as formjacking

Malicious actors can then use the stolen data in identity theft schemes, payment card fraud scams and account takeover attacks or sell it to other criminals. Stolen information can also be used to create fraudulent accounts to distribute malware.
The hacker’s code may be loaded through various methods, such as by exploiting a vulnerability in a business’s website, employing a phishing scam in which the cyber intruder gains access to a company’s checkout page, or compromising a third party’s app or JavaScript used by a business.

Like a Digital Pickpocket

Formjacking is a cyber crime where hackers inject malicious JavaScript often one that contains a payment form. Once the targeted page has been compromised, the added code allows the hacker to collect sensitive data, such as credit card numbers, addresses and phone numbers. This data is sent to the cyberattacker’s domain after unsuspecting users enter their information and click “submit” to complete a transaction. 

Formjacking attacks can have severe financial consequences, including lawsuits, fines, fees and penalties, as well as expenses related to remediation. Moreover, formjacking can damage a company’s reputation, as clients, vendors and other partners may lose their trust in the business due to cybersecurity incidents.
One major challenge in detecting it is the malicious code frequently changes, making it difficult for external scanners and firewalls to catch it. What’s more, there are no apparent signs of formjacking, and the intended transaction is not affected, making it difficult to identify and stop the scam. As a result, formjacking attacks can go unnoticed for a long time.

Fighting Back

While the threat is very real, there are ways to protect your information:

    • Cyber Hygiene: Keep software, patches, and extensions updated. Establish a content security policy and using firewalls and subresource integrity tags can also help prevent the injection of malicious data onto business websites and protect data. Additionally, complying with security standards and educating IT staff on the threats of formjacking are essential. 
    • Website Scrutiny: Regularly scan and audit your JavaScript behavior for suspicious activity. In addition, checking where a browser is sending data is also key in stopping formjacking attacks.
    • Utilize cyberdefense techniques: This includes obfuscating JavaScript, which can make code more difficult for cyber attackers to understand. Implementing network segmentation can also limit network exposures and malicious actors’ lateral movement capabilities. An intrusion detection and prevention system can also help monitor potential threats and identify cyber intruders.
    • Implement ongoing cybersecurity measures: Thoroughly testing websites before they are publicly launched, executing penetration testing to discover vulnerabilities, and monitoring the supply chain to ensure vendors whose code is being used follow cybersecurity best practices.

Remember: Formjacking is a real threat, but with awareness, proactive measures, and a little digital armor, we can keep our data safe and send these invisible pickpockets packing.