

What Is Formjacking, and How Can You Protect Your Business?

Sue Marquette Poremba

The first step to protect your business from formjacking is learning the risks.

In 2018, security experts focused a lot of attention on ransomware and malware targeting IoT (internet of things) devices. In 2019, cybercriminals have turned to formjacking as their preferred attack method.

The actual process behind formjacking is a bit complex, but the important takeaway is that formjacking is the virtual form of credit card skimming. Instead of a skimmer being attached to a gas pump or ATM, the information is skimmed through the online form.

"Formjacking is a term we use to describe the use of malicious JavaScript code to steal credit card details and other information from payment forms on the checkout web pages of e-commerce sites," says Symantec, which first reported this form of attack on its Threat Intelligence blog back in September.

"When a customer of an e-commerce site clicks 'submit' or its equivalent after entering their details into a website's payment form, malicious JavaScript code that has been injected there by the cybercriminals collects all entered information, such as payment card details and the user's name and address," Symantec explained. "This information is then sent to the attacker's servers. Attackers can then use this information to perform payment card fraud or sell these details to other criminals on the dark web."

Formjacking wasn't new when Symantec released the report. This is typical of cyberattacks, as many are around for a while before they make a big push, and that's what happened with formjacking. There was a sudden uptick in August 2018, Symantec found, and that uptick has become a major threat in 2019.

Small businesses targeted

You may not be familiar with the term "formjacking," but you may have heard of the Magecart attacks on British Airways, Ticketmaster and Newegg, among other large companies. Magecart is the hacker group responsible for these high-profile formjacking attacks. So it is easy for small businesses to be lulled into thinking they have nothing to fear from a Magecart attack – those hackers go after the big guys, right?

In this case, as with most cyberattacks, the big companies get the attention, but the reality is that small businesses are a favorite formjacking target. That’s because formjacking uses a supply-chain approach. The attackers load the malicious code into small business websites, especially those that are suppliers for larger companies. Smaller businesses are less likely to have strong security defenses built into their e-commerce sites, making them an easy target. The attackers are then able to send malicious code through legitimate transactions, infecting the entire supply chain.

Symantec estimated that nearly 5,000 websites a month were victims of formjacking in the past year.

Preventing formjacking attacks

Unfortunately, formjacking attacks are very difficult to detect. Consumers have no way of knowing if the site they are visiting has been compromised and that their personal and financial information is at risk. Businesses struggle to spot the malicious code because the attackers are very good at disguising it within legitimate code. But there are steps you can take to prevent formjacking of your e-commerce site.

The first step is to test any new code or updates before using them. Before you make the code live for customers, scan it for unusual or unfamiliar code. (If you aren't building your own e-commerce site, make sure the developer takes this step before letting the site go live.) Monitor all system activity to make sure nothing is out of the ordinary.

Second, know what your vendors are doing on their end to ensure similar security measures. Since this is a supply-chain attack, all parts of the chain need to know where their vulnerabilities are and if one of the suppliers could be unwittingly sending along something malicious.

Third, there are tools available to automate scans and find unauthorized code in the website. Consider using Subresource Integrity (SRI) tags, which let the browser verify that the resources it loads haven't been manipulated in any way. Firewalls and other security tools can help you find security risks in your website's traffic. Anyone can install a script blocker in their browser to block JavaScript and other potentially dangerous code on the websites they visit.
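To make the SRI recommendation concrete, here is an added example (not from the original article) that audits a page's script tags: it flags scripts with no `integrity` attribute and scripts whose delivered content no longer matches the pinned hash. The URLs, script bodies and function names are constructed for illustration.

```python
import base64
import hashlib
from html.parser import HTMLParser

ALGS = ("sha256", "sha384", "sha512")  # SRI hash algorithms, weakest to strongest

def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Return an SRI integrity value: '<alg>-<base64 of the digest>'."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

class ScriptCollector(HTMLParser):
    """Collect (src, integrity) for every <script src=...> tag on a page."""
    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def audit_page(html: str, served: dict) -> dict:
    """Map each script URL to 'ok', 'missing-integrity' or 'mismatch'.

    `served` maps script URL -> the bytes actually delivered for it.
    """
    collector = ScriptCollector()
    collector.feed(html)
    report = {}
    for src, integrity in collector.scripts:
        tokens = [t for t in (integrity or "").split() if t.split("-", 1)[0] in ALGS]
        if not tokens:
            report[src] = "missing-integrity"
            continue
        # Like browsers, only compare against the strongest algorithm listed.
        best = max((t.split("-", 1)[0] for t in tokens), key=ALGS.index)
        expected = sri_hash(served[src], best)
        report[src] = "ok" if expected in tokens else "mismatch"
    return report

# Constructed sample data (hypothetical URLs and script bodies).
CHECKOUT_URL = "https://cdn.example/checkout.js"
ANALYTICS_URL = "https://cdn.example/analytics.js"
GOOD_JS = b"function pay(form) { form.submit(); }\n"
TAMPERED_JS = GOOD_JS + b"/* code appended after the hash was pinned */\n"
PAGE = f"""<script src="{CHECKOUT_URL}" integrity="{sri_hash(GOOD_JS)}" crossorigin="anonymous"></script>
<script src="{ANALYTICS_URL}"></script>"""

if __name__ == "__main__":
    print(audit_page(PAGE, {CHECKOUT_URL: GOOD_JS}))      # pinned hash matches
    print(audit_page(PAGE, {CHECKOUT_URL: TAMPERED_JS}))  # content changed
```

A script reported as `missing-integrity` is one the browser will run whatever its host serves, so those are the tags to pin first.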

Hackers are all about following the money trail. They will use any method possible to steal as much information as they can sell on the dark web. While formjacking mimics credit card skimming, the forms you fill out provide a lot of other personal information that can just as easily be stolen. Your customers are the ones who lose if you're compromised by a formjacking attack, so it is up to you to provide an e-commerce site that is safe and secure.

Sue Marquette Poremba
Business News Daily Contributing Writer
Sue Marquette Poremba is a freelance writer based in State College, Pennsylvania. She primarily covers cybersecurity and emerging technology, with an emphasis on how emerging technology and cybersecurity overlap.