What Is Formjacking?
Formjacking has become one of hackers' favorite new ways to steal personal data: according to security company Symantec's annual Internet Security Threat Report, it affects an average of 4,800 websites per month.
Such attacks have been much in the news recently, with the publicly reported attacks on the websites of companies including Ticketmaster, British Airways, Feedify, and Newegg by a group called Magecart being the most notable examples.
Every month, cyber criminals target thousands of retail websites. They insert a small piece of malicious code that lets them snatch customers' credit card information. This hacking technique is called "formjacking". It's the virtual equivalent of putting a device on an ATM to skim debit card numbers.
Small and medium-sized businesses are still the biggest targets of formjacking, according to Symantec. But in recent months, high profile brands including British Airways and Ticketmaster have also fallen victim to attacks. Symantec said it blocked more than 3.7 million formjacking attacks on websites in 2018, with one-third of those happening during the holiday shopping season.
Just How Bad Is Formjacking?
This technique has been used to hack several companies recently, including British Airways, Newegg, and Feedify. The number of formjacking attacks more than doubled from August to September, according to Symantec security researchers. This rampage of attacks is attributed to the Magecart group, which has been operating since 2015. Since finding this working formula, the group has hit what researchers think are more than 800 e-commerce sites. Magecart has gone so far as to set up look-alike web domains masquerading as the real thing to trick users.
That is only one of many ways customers can get tricked this holiday season. Other top scams making the rounds, according to the Federal Trade Commission, include Medicare, utility, Social Security, and vacation rental scams, to name a few. Scams often start with a phishing email designed to lure unsuspecting consumers to a fake domain that steals their credentials, passwords, account logins, and more. These emails prompt for information in a way that seems easy and painless, until the bill for a jet ski you never bought arrives in the mail!
How Does Formjacking Work?
What Types of Businesses Are These Attacks Targeting?
As we can see from the publicly reported attacks, Magecart is targeting large e-commerce businesses like Ticketmaster, British Airways, and Newegg.
To get an insight into the type of businesses that are being targeted by formjacking attacks, we examined 1,000 instances of formjacking blocked by Symantec over a three-day period from September 18 to 20.
Symantec data showed that from these 1,000 instances 57 individual websites were impacted. These websites were mostly online retail sites ranging from small niche sites to larger retail operations. Websites affected ranged from a fashion retailer in Australia, to a supplier of outdoor accessories in France, and a fitness retailer in Italy. Other retailers affected included a supplier of parts for cars and sites selling kitchen accessories and customized gifts.
While the compromise of larger organizations such as British Airways and Ticketmaster makes headlines, our data shows that any company, anywhere in the world, which processes payments online is a potential victim of formjacking.
Who Is Magecart?
Magecart is the attack group behind the recent formjacking attacks on British Airways, Ticketmaster, Feedify, and Newegg. Magecart has been active since at least 2015. The group injects web-based card skimmers onto websites to steal payment card data and other sensitive information from online payment forms.
The group used to focus primarily on hacking into Magento online stores. But it appears to have changed tactics recently, and we now see it using formjacking and supply chain compromise to steal payment card data.
What Do Attackers Use to Conduct Formjacking?
- Nearly one in ten targeted attack groups now use malware to destroy and disrupt business operations, up 25 percent compared to 2017.
- Attackers enhance tried-and-tested tactics including spear-phishing, hijacking legitimate tools, and malicious email attachments.
- Enterprise ransomware infections increased by 12 percent.
- Cloud resources are increasingly easy targets for digital thieves with more than 70 million records stolen or leaked from poorly configured S3 public cloud storage buckets.
- More attackers display interest in compromising operational and industrial control systems with the potential for sabotage.
Vulnerabilities of Internet of Things
The volume of Internet of Things (IoT) attacks remains high and consistent with 2017 levels. However, the profile of IoT attacks is changing dramatically. Almost every IoT device has been proven vulnerable, and everything from smart light bulbs to voice assistants creates additional entry points for attackers.
Targeted attack groups are increasingly focusing on IoT as a key entry point. “With an increasing trend towards the convergence of IT and industrial IoT, the next cyber battlefield is operational technology,” said Kevin Haley, director, Symantec Security Response. “A growing number of groups, such as Thrip and Triton, display interest in compromising operational systems and industrial control systems to potentially prepare for cyber warfare.”
How Do Attackers Compromise Websites?
There are many ways attackers can attempt to compromise websites. In the Ticketmaster formjacking case, the Magecart attackers used a supply chain attack to gain access to the website and change the code on its payment page.
Supply chain attacks can allow attackers to gain access to large companies by exploiting weaknesses in the smaller businesses that provide services to them. The notorious Petya/NotPetya campaign was distributed by a supply chain attack, for example. Such attacks are particularly challenging because it doesn't matter how good your business' cyber security is if other businesses with access to your network can be exploited by attackers.
Third-party Companies Available on E-commerce Sites
Following the Ticketmaster breach it was revealed that Magecart was widely targeting third-party companies that are used on e-commerce sites to manage analytics, website support, and other services. The report at that time said at least 800 e-commerce sites had been hit in that campaign. The danger is that if Magecart can compromise one widely used third-party supplier, they could potentially infect thousands of sites in one go.
British Airways and Newegg
Magecart’s attack on British Airways—which the airline said impacted 380,000 passengers—was, along with Ticketmaster, its most high-profile attack so far. In the attacks on both British Airways and U.S. electronics retailer Newegg, the Magecart attackers took steps to avoid detection, including setting up spoofed web domains designed to look like those of the legitimate company. They even purchased paid SSL certificates from Comodo to make them look more like legitimate servers.
In the cases of both British Airways and Newegg the initial infection vector that allowed the attackers to gain access to the websites is unknown.
Victims may not realize they have been hit by formjacking, because their websites generally continue to operate as normal. Moreover, attackers like Magecart are stealthy and take steps to avoid detection.
Symantec customers are protected from formjacking attacks.
Website owners should also be aware of the dangers of software supply chain attacks, since these have been used as the infection vector in some of these formjacking attacks. Software supply chain attacks can be difficult to guard against, but there are some steps that website owners can take:
- Test new updates, even seemingly legitimate ones, in small test environments or sandboxes first, to detect any suspicious behavior.
- Behavior monitoring of all activity on a system can also help identify unwanted patterns and allow you to block a suspicious application before any damage is done.
Producers of software packages should ensure that they are able to detect unwanted changes in the software update process and on their website.
Website owners can also use content security policies together with Subresource Integrity (SRI) tags to lock down any integrated third-party script, so that a modified copy of the script is refused by the browser instead of executed.
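As an added example (not code from the original article or from Symantec), the following shows how a site owner can pin a third-party checkout script with SRI, how the browser-side check catches a modified copy, how to find scripts on a page that are not pinned, and how to build a matching script-src policy. The script contents, hostnames and checkout HTML are constructed for the example.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample data (not real files or hosts): a third-party checkout helper
# as reviewed at deploy time, and the same file with a line appended after a compromise.
THIRD_PARTY_JS = "window.checkoutHelper = function (form) { return form.id; };\n"
TAMPERED_JS = THIRD_PARTY_JS + "document.addEventListener('submit', function () {});\n"

def sri_hash(content: str, algo: str = "sha384") -> str:
    """Return an SRI integrity value ('sha384-<base64 digest>') for content."""
    digest = hashlib.new(algo, content.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def pinned_script_tag(src: str, content: str) -> str:
    """Build a <script> tag that pins src to the content reviewed at deploy time."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')

def verify_sri(content: str, integrity: str) -> bool:
    """What the browser does: recompute the digest and compare it to the pin.
    A skimmer injected into the third-party file changes the digest, so the
    browser refuses to execute the modified copy."""
    algo = integrity.split("-", 1)[0]
    return hmac.compare_digest(sri_hash(content, algo), integrity)

def unpinned_scripts(html: str) -> list:
    """List the src of every external <script> that has no integrity attribute."""
    unpinned = []
    for attrs in re.findall(r"<script\b([^>]*)>", html, flags=re.IGNORECASE):
        src = re.search(r'\bsrc="([^"]*)"', attrs)
        if src and not re.search(r'\bintegrity="', attrs):
            unpinned.append(src.group(1))
    return unpinned

def csp_header(script_hosts) -> str:
    """Content-Security-Policy value restricting scripts to the site and the
    reviewed hosts; a script loaded from any other host (for example one an
    attacker set up) is blocked and reported to /csp-report."""
    return "script-src 'self' " + " ".join(script_hosts) + "; report-uri /csp-report"

# Constructed checkout page: two scripts without SRI, one pinned helper.
CHECKOUT_HTML = (
    '<script src="/static/app.js"></script>\n'
    '<script src="https://cdn.analytics.example/tracker.js"></script>\n'
    + pinned_script_tag("https://cdn.checkout.example/helper.js", THIRD_PARTY_JS)
)
```

SRI only protects scripts whose content is fixed at deploy time; a third-party script that changes on every release has to be re-pinned (and reviewed) with each update.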
Tricks to Give Scams the Slip
As consumers prepare to navigate the online shopping season, here are a few tips to help them steer clear of fraud:
1. Personal information
Guard it with your life! Make sure you are on a reputable website and check for HTTPS and the green padlock in the browser. Read and reread the website address, and hit the X if anything unexpected appears.
2. Be careful about phishing
Professional-looking fraudulent emails are often the first point of contact for scammers. Remember that most companies, especially banks, will never ask you for credentials by email or phone message. If you receive a deal that looks too good to be true, it probably is phishing. It's better to pick up the phone and call to confirm, or simply ignore it.
3. Confirmations of sales or services
If you receive word that you have purchased goods or services that you did not, take immediate action: contact your credit card company as well as the company you supposedly bought the goods or services from. Ignoring these signs only gives the cybercriminal more time to do damage and commit more cyber crimes.
If you have been tricked, there are organizations that can help, such as the police's ActionFraud website, CIFAS, and the NCA. They can provide up-to-date, helpful information about the next steps to take.