Formjacking – A New Online Payment Scam

Beware online shoppers, retailers and e-commerce businesses! There is a new online payment scam threat that is worrying the cybersecurity community. With the festive season around the corner, it is the time for exchanging gifts and shopping online at various e-commerce sites to take advantage of discounts and offers. This is also the perfect time for cyber criminals to steal personally identifiable information and use it for other frauds.

Formjacking is the new term used to describe this threat. It is like heaven for hackers: they steal shoppers' credit and debit card details as the shoppers fill out the payment forms of e-commerce sites.

Formjacking is not a new scam technique, but it has increased dramatically in the last few months. Symantec has reportedly stopped a quarter of a million attempted Formjacking attacks since mid-August. Publicly reported attacks on big companies like British Airways and Feedify by the malicious group called Magecart have brought it to the attention of organizations.

How does Formjacking work?

Usually the hackers create a webpage that is an identical version of the legitimate webpage, fooling the user into believing they are entering their details on the correct website. Fraudsters typically inject JavaScript code into the checkout form pages of the website to steal the information. Once the user enters information such as their credit card number, address and other personal details, the injected code comes into play.

The code transmits the entered information to the attacker's server, where the attackers can use it to carry out fraudulent transactions. Users remain unaware of the fraud until they are presented with an invoice for a transaction they never made.

Protect yourselves from Formjacking

The question now is how to protect yourself or your company from becoming a victim. Phishing and clickbait emails that lure users to a fake domain are the fraudsters' common practice. These emails collect credentials, account passwords and much more.

  • Webmasters should audit and test website source code regularly. Monitoring website behaviour for unwanted patterns will flag suspicious activity so that remedial action can be taken before further damage is done.
  • Install the latest threat detection and prevention software to protect against viruses and malware.
  • Incorporate cyber security best practices and train employees on internet and email usage.
  • Secure your personal information by changing passwords regularly and using only legitimate websites (check for https and the green secure padlock in the browser).

Configure your systems to update automatically, as companies deploy the latest bug fixes and system updates in their new version releases. Outdated software makes your system easier to hack.

By being vigilant and taking the necessary actions, you can protect your personal information, computers and networks. Cyber hacking will only get more sophisticated and advanced. All we can do is be prepared and reduce our chances of getting hacked.

– Shantha Kumari,
Sr. Technical Writer,
Infoholic Research