Could formjacking affect your organization?

Threat actors are always one step ahead, so after ransomware and cryptojacking, they have latched to a new, high-return attack: formjacking.

Incidents of formjacking attacks – where hackers inject malicious JavaScript code into a website to skim data – rose steadily in the second half of last year. These small lines of code are very hard to detect but very effective. While formjacking can scrape data from any element of web browsing, it’s mostly targeted at ecommerce sites. One researcher, Willem de Groot, estimates that at least 50 e-merchants a day were being hacked between November and February.  

Formjacking tools, like those used by the hacker collective, the Magecart group, are exceptionally flexible and can compromise hundreds of thousands of websites, often via extensions, making it a very profitable attack method for criminals.

What’s more, the Magecart group exploits new vulnerabilities very quickly. Worryingly, it seems that when organisations discover new vulnerabilities in their ecommerce software, they also find that these have already been exploited.

Many CISOs at large enterprises may be wondering, “What has this got to do with me?” In today’s cloud-based world, where one interaction can affect thousands of others, that attitude conjures up imagery of an ostrich with its head in the sand.

It’s true that formjacking is currently focused on e-commerce and the theft of credit card details, but as we’ve seen, the targets of cyber-attacks are continually evolving. It’s worth remembering that formjacking can target any type of data entered into a form, via the web, including log-in information and employee details.

At the same time, nearly nine in ten organisations are currently undertaking at least one cloud-based digital transformation project (IDC). As these enterprises progress their digital transformation strategies, they are increasingly developing apps via infrastructure-as-a-service (IaaS). This makes them vulnerable to formjacking attacks, which can prey on any type of web-based data collection. To me this isn’t just a red-flag, it’s another point of evidence to convince board-room colleagues that it’s time to embark upon a security transformation programme.  

It’s clear that forward-thinking CISOs need to have formjacking on their radar. Here are three simple steps you can take to help protect your organisation from these attacks:

• As a first step I recommend reviewing and strengthening your security governance process; so, it’s both proactive and reactive. Consistency is key here. It’s important you follow the same security procedures and guidelines for all plug-in modules and extensions ensuring strong levels of security are embedded in the development process for all web applications.  As well as keeping abreast of security bulletins and patches accordingly, it’s important to perform your own regular vulnerability assessments. It can be useful to pilot any new software updates in small test environments because this helps highlight unusual behaviour in the script.

• It’s important that businesses developing apps via cloud-based infrastructure ensure that they rethink their legacy security solutions.  Traditional security approaches do not cover the myriad attack surfaces of a cloud-enabled enterprise.  One approach is to consider a Cloud Access Security Broker (CASB). Businesses are increasingly turning to CASB to address cloud service risks, providing visibility, compliance, granular access control, threat protection, data leakage prevention, and encryption, even when cloud services are beyond their perimeter and out of their direct control.

• With current formjacking attacks, merchants are often blissfully unaware of the vulnerabilities in their installed extension base. They may have fantastic security governance and have patched everything while following all security guidance. However, if they haven’t been told by their vendor that there are newly discovered vulnerabilities, they may still be running vulnerable component and therefore be unprotected. This underlines the importance of your supplier relationship – something that is as salient to enterprise CISOs as it is to ecommerce merchants. It’s not enough to investigate the credibility of a supplier before using their software. You’re entering into a long-term working partnership with them and therefore, it’s vital to invest time making this a strong relationship based on mutual trust, where you can be open about potential vulnerabilities and work to address them together.

For more information on how to protect your business against formjacking, visit our solutions page