What is formjacking? Defend against infected forms

Anton P. | August 2, 2022

Formjacking is an attack in which hackers contaminate web forms with malicious JavaScript code. If users fill out such tainted forms, perpetrators retrieve all submitted information. It can include bank details, passwords or credit card numbers. Criminals usually target websites featuring checkout pages, which they infect with scripts. So, e-commerce sites are the preferred targets for such attacks.

What is a formjacking attack?

Formjacking is a cyber attack aiming to snatch valuable personal information. Its operation involves compromising websites and their online payment forms. So, any website operating checkout pages is a possible target.

However, the formjacking hit list can consist of any type of service featuring forms. For instance, healthcare websites could use forms to book appointments. The chances are that such forms will also request highly confidential information, appealing to criminals.

So, formjacking is a universal threat, not limited to online retail stores. It can compromise any form page and leave little to no signs of the injected formjacking code.

If this attack strategy sounds familiar, it might be because of the notorious Magecart attack. In 2015, this campaign made headlines by compromising forms at some of the biggest retail, travel, and ticket sales providers.

Unfortunately, Magecart continues to menace services, recently targeting supply chains. These attacks use formjacking to insert malicious code and siphon off valuable information.

How does formjacking work?

Formjacking can be a highly profitable business due to its stealthiness and undemanding execution. Experts note that the attack’s effectiveness is likely what attracts criminals most. Let’s look at a formjacking attack from the user’s point of view:

  1. A user visits an online store and picks out items to buy.
  2. From the cart, the user gets redirected to a checkout page.
  3. The form, URL, and everything else seem safe.
  4. However, hackers have used cross-site scripting to inject malicious JavaScript code into the website. The script can contain as few as 22 lines.
  5. The malicious JavaScript code can be invisible and impossible to detect. Even if you inspect the website code, hackers can disguise it as regular scripts.
  6. The user fills all required fields and submits the form. This information can include names, addresses, phone numbers, credit card details, and more.
  7. The transaction goes without issues, and the online store starts processing your order.
  8. Unfortunately, the malicious JavaScript code sends all submitted details to the people behind the attack.
  9. There might be no signs of formjacking until you notice its consequences. The latter can refer to identity theft or unknown payments from your card.

But how do hackers infect forms?

A popular formjacking strategy is going after extensions and plugins used on online stores and content management systems (CMSs). So, most such hacking attempts are possible due to vulnerabilities in the underlying software. In other words, attackers could exploit, say, a specific WordPress plugin to compromise the website’s forms.

Therefore, website owners must keep their CMS and e-commerce platforms, like Magento, up to date. Some online tools can also help monitor site modifications or incoming and outgoing data.
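One way a site owner could monitor a checkout page for modifications, shown as an added example that is not from the original article or any particular tool: it compares the scripts on the current page against a reviewed baseline and flags new external scripts, changed inline scripts, and third-party scripts that lack a Subresource Integrity attribute. The hostnames, sample pages and finding names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptInventory(HTMLParser):
    """Collect every <script>: external URLs and hashes of inline bodies."""
    def __init__(self, html):
        super().__init__()
        self.external = {}   # src URL -> integrity attribute (None if absent)
        self.inline = set()  # SHA-256 digests of inline script bodies
        self._buf = None     # text buffer while inside an inline <script>
        self.feed(html)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                self.external[a["src"]] = a.get("integrity")
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip()
            self.inline.add(hashlib.sha256(body.encode()).hexdigest())
            self._buf = None

def audit(baseline_html, current_html, site_host):
    """List script findings for the current page versus the reviewed baseline."""
    base, cur = ScriptInventory(baseline_html), ScriptInventory(current_html)
    findings = []
    for src, integrity in cur.external.items():
        if src not in base.external:
            findings.append(("new-external-script", src))
        elif urlparse(src).netloc not in ("", site_host) and not integrity:
            findings.append(("third-party-without-sri", src))
    return findings + [("changed-inline-script", d[:12]) for d in sorted(cur.inline - base.inline)]

# Constructed sample pages (not taken from any real site).
BASELINE = ('<script src="/static/checkout.js"></script><script>initCheckout();</script>'
            '<script src="https://cdn.example/lib.js"></script>')
CURRENT = (BASELINE.replace("initCheckout();", "initCheckout();loadExtras();")
           + '<script src="https://stats.example.net/t.js"></script>')

if __name__ == "__main__":
    print(audit(BASELINE, CURRENT, "shop.example"))
```

Run on a schedule against the live checkout page, any finding is a prompt to review what changed before customers submit more data through the form.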

Who is susceptible to formjacking?

It can be easy to assume that formjacking targets smaller businesses and websites. The assumption would be that such services do not have advanced site protections. Sadly, even highly trusted websites have been hit by these attacks.

In 2018, Magecart siphoned payment and personal information from over 380,000 users of British Airways. So, even larger companies with plenty of resources can suffer from formjacking.

How many websites does formjacking target?

The scope of formjacking can be challenging to estimate. However, reports showcase alarming numbers:

  • In 2019, Symantec reported that more than 4,800 websites had their forms targeted monthly.
  • In 2020, Symantec shared figures for Q1 2020: 7,836 websites were compromised.
  • Symantec also revealed which countries hackers target most frequently. These include the UK, Canada, the USA, France, Brazil, India, Thailand, and Australia.

How to detect formjacking and compromised forms?

Unfortunately, users have little means to recognize a formjacking attack before it is too late. It has no evident signs, unlike many other online attacks.

For instance, phishing and other scams have particular red flags like suspicious URLs or sloppy writing. However, formjacking code is sneaky, letting users fulfill their goals (like paying for items) while it steals submitted data.

So, sophisticated formjacking usually leaves no traces from the visitors’ point of view. Website owners are solely responsible for detecting and mitigating malicious JavaScript.

Luckily, there are ways to shop safely and prevent data transfers to unknown sources:

  • Tech-savvy users can inspect website code via browsers’ tools. However, hackers know how to disguise their code as standard operations.
  • Users should prefer purchasing goods from well-known shops with quality protections and monitoring.
  • Buyers should use credit cards with 3D Secure protection. It means a transaction gets confirmed only after the user provides a unique code.

What to do if you become a victim of formjacking?

Users might realize that formjacking has stolen their credit card details or other personal information only after noticing the damage. Here are some recommendations for dealing with unknown parties and their abuse of your data:

  • If you can guess the website with compromised forms, contact its owners. You can protect other buyers or visitors from suffering the same fate. Usually, web owners will need to patch vulnerabilities and update software.
  • You should cancel any bank card that shows suspicious activity or transactions. Do this by contacting your bank.
  • Protect the data you revealed in the form. For instance, your Social Security Number could have been a required field. Luckily, you can freeze your SSN until the issue gets resolved.
  • See whether your personal details and accounts are safe. It is possible that formjacking managed to get information on other accounts you own, like email addresses. Thus, monitor whether they or accounts associated with your email are safe. Atlas VPN can help you in this case. Our service includes a Data Breach Monitor, which scans the web to see if your email address is secure. This feature also sends automatic alerts if the account gets compromised.

Anton P.

Former chef and the head of Atlas VPN blog team. He's an experienced cybersecurity expert with a background of technical content writing.


© 2022 Atlas VPN. All rights reserved.