In 2018, security experts focused a lot of attention on ransomware and malware targeting IoT (internet of things) devices. In 2019, cybercriminals have turned to formjacking as their preferred attack method.
The actual process behind formjacking is a bit complex, but the important takeaway is that formjacking is the virtual form of credit card skimming. Instead of a skimmer being attached to a gas pump or ATM, the information is skimmed through the online form.
Formjacking wasn't new when Symantec released the report. This is typical of cyberattacks, as many are around for a while before they make a big push, and that's what happened with formjacking. There was a sudden uptick in August 2018, Symantec found, and that uptick has become a major threat in 2019.
Small businesses targeted
You may not be familiar with the term "formjacking," but you may have heard of the Magecart attacks on British Airways, Ticketmaster and Newegg, among other large companies. Magecart is the hacker group responsible for these high-profile formjacking attacks. So it is easy for small businesses to be lulled into thinking they have nothing to fear against a Magecart attack – those hackers go after the big guys, right?
In this case, as with most cyberattacks, the big companies get the attention, but the reality is that small businesses are a favorite formjacking target. That’s because formjacking uses a supply-chain approach. The attackers load the malicious code into small business websites, especially those that are suppliers for larger companies. Smaller businesses are less likely to have strong security defenses built into their e-commerce sites, making them an easy target. The attackers are then able to send malicious code through legitimate transactions, infecting the entire supply chain.
Symantec estimated that nearly 5,000 websites a month were victims of formjacking in the past year. [Looking for internet security or antivirus software for your business? Check out our best picks and reviews on business.com.]
Preventing formjacking attacks
Unfortunately, formjacking attacks are very difficult to detect. Consumers have no way of knowing if the site they are visiting has been compromised and that their personal and financial information is at risk. Businesses struggle to spot the malicious code because the attackers are very good at disguising it within legitimate code. But there are steps you can take to prevent formjacking of your e-commerce site.
The first step is to test any new code or updates before using them. Before you make the code live for customers, scan it to look for unusual codes or anything unfamiliar. (If you aren't building your own e-commerce site, make sure the developer takes this step before letting the site go live.) Monitor all system activity to make sure nothing is out of the ordinary.
Second, know what your vendors are doing on their end to ensure similar security measures. Since this is a supply-chain attack, all parts of the chain need to know where their vulnerabilities are and if one of the suppliers could be unwittingly sending along something malicious.
Hackers are all about following the money trail. They will use any method possible to steal as much information they can sell on the dark web. While formjacking mimics credit card skimming, the forms you fill out provide a lot of other personal information that can just as easily be stolen. Your customers are the ones who lose if you're compromised by a formjacking attack, so it is up to you to provide an e-commerce site that is safe and secure.