Paolo Passeri, Cyber Intelligence Principal at Netskope, comments on the growing problem of formjacking
Most e-commerce and content management systems offer extensions and customisable plug-ins that businesses can use to tailor standardised platforms to their needs and to those of their customers. While useful, third-party extensions to websites, if insecure, are vulnerable to a growing threat known as formjacking, in which malicious actors inject JavaScript into the page that copies what customers type into a form (credit card details among other data) and sends it to a server they control, to be sold on the dark web.
The code used to undertake formjacking is designed to keep a low profile: the form still submits normally and the customer sees nothing unusual, so the skimmer can avoid detection and steal data over a prolonged period without anyone knowing.
Ecommerce sites are often targeted because the data that can be collected has significant resale value – around $45 for a complete set of fresh credit card details.
As well as targeting individual organisations, malicious actors are generating substantial returns by going after extensions and plug-ins used by hundreds or thousands of different websites: compromising one shared script infects every site that loads it.
Formjacking's growing frequency and diversity highlight how threat actors are continuously upgrading their malicious code and deploying new delivery mechanisms to infect more users and make an attack harder to identify, for instance by clearing the browser's developer console so that the skimmer's own messages and errors leave no trace for anyone inspecting the page.
The recent big spike in reported attacks suggests this class of vulnerability is not being effectively addressed by extension developers, too many of whom do not regard security as a priority in the development cycle and are reluctant to share information about vulnerabilities or engage on the topic in any concerted manner.
Concern over formjacking is currently focused on e-commerce and the theft of credit card details, but it's worth remembering that formjacking can target any type of data entered on a web form, including log-in credentials and employee details.
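Because the skimmer usually arrives through a third-party script the site already trusts, the practical check for a site operator is an inventory of every external script a sensitive page loads, whether each one is pinned with a Subresource Integrity (SRI) hash, and whether the pinned hash still matches what the vendor's CDN serves today. The script below is an added example written for this page (it is not Netskope's code or any product's), assuming a hypothetical shop at https://shop.example and three constructed plug-in hosts; it parses the page, classifies each script as first-party, unpinned, pinned and unchanged, or pinned but changed since pinning, and emits a Content-Security-Policy allowlist that also blocks the exfiltration step (`connect-src` and `form-action` limited to the site itself).

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value for a script body: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


class _ScriptCollector(HTMLParser):
    """Collects the attributes of every external <script src=...> tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag.lower() == "script" and attrs.get("src"):
            self.scripts.append(attrs)


def extract_scripts(html: str):
    collector = _ScriptCollector()
    collector.feed(html)
    return collector.scripts


def audit_scripts(html: str, site_origin: str, served: dict):
    """Return [(absolute_url, status)] for each external script on the page.

    `served` maps script URL -> bytes as the CDN delivers them now, so a pin
    taken when the plug-in was installed can be checked against today's build.
    Statuses: 'first-party', 'unpinned', 'pinned-ok', 'pinned-mismatch'.
    """
    site_host = urlparse(site_origin).netloc
    findings = []
    for attrs in extract_scripts(html):
        url = urljoin(site_origin, attrs["src"])
        if urlparse(url).netloc == site_host:
            findings.append((url, "first-party"))
            continue
        pin = attrs.get("integrity")
        if not pin:
            findings.append((url, "unpinned"))   # any change upstream loads silently
            continue
        body = served.get(url)
        try:
            ok = body is not None and sri_hash(body, pin.split("-", 1)[0]) == pin
        except ValueError:                        # unknown hash algorithm in the pin
            ok = False
        findings.append((url, "pinned-ok" if ok else "pinned-mismatch"))
    return findings


def build_csp(findings) -> str:
    """Allowlist the audited script origins; keep exfiltration paths first-party only.

    'unsafe-inline' is deliberately absent, and connect-src / form-action are
    limited to 'self' so an injected skimmer cannot POST or beacon the harvested
    fields to a host it controls (add a vendor origin to connect-src only if its
    script legitimately needs it).
    """
    origins = {"'self'"}
    for url, status in findings:
        if status != "first-party":
            u = urlparse(url)
            origins.add(f"{u.scheme}://{u.netloc}")
    return (f"script-src {' '.join(sorted(origins))}; "
            "connect-src 'self'; form-action 'self'")


# Constructed sample data (hypothetical site and plug-in hosts, not real ones).
SITE_ORIGIN = "https://shop.example"
SERVED = {
    "https://cdn.plugin.example/widget/v2/loader.js": b"window.Widget = {init: function () {}};",
    "https://stats.plugin.example/tag.js": b"(function () { /* pageview beacon */ })();",
    "https://reviews.plugin.example/embed.js": b"(function () { /* embed + code added in a later build */ })();",
}
# The reviews widget was pinned when its body was this string; the CDN now
# serves something else, which is exactly the change an audit must surface.
_REVIEWS_PINNED_BODY = b"(function () { /* embed */ })();"

SAMPLE_HTML = f"""
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.plugin.example/widget/v2/loader.js"></script>
<script src="https://stats.plugin.example/tag.js"
        integrity="{sri_hash(SERVED['https://stats.plugin.example/tag.js'])}" crossorigin="anonymous"></script>
<script src="https://reviews.plugin.example/embed.js"
        integrity="{sri_hash(_REVIEWS_PINNED_BODY)}" crossorigin="anonymous"></script>
</head><body>
<form action="/checkout" method="post"><input name="card_number"></form>
</body></html>
"""


def run_audit():
    findings = audit_scripts(SAMPLE_HTML, SITE_ORIGIN, SERVED)
    return findings, build_csp(findings)


if __name__ == "__main__":
    findings, csp = run_audit()
    for url, status in findings:
        print(f"{status:16} {url}")
    print("Content-Security-Policy:", csp)
```

On the sample page the audit reports the loader as unpinned, the stats tag as pinned and unchanged, and the reviews embed as pinned but mismatched; the last is the case that matters, since a changed vendor script is how a compromised extension reaches every site that loads it. In production the `served` map would be filled by fetching each URL from the server side, and the "pinned-mismatch" result should page someone rather than merely print.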
We know that nearly nine in ten organisations are currently undertaking some type of cloud-based digital transformation project (source: IDC) and, as they progress in their digital transformation strategies, they are increasingly developing apps via infrastructure-as-a-service (IaaS). This exposes them to formjacking attacks, which can prey on any type of web-based data collection, not just checkout pages.
Formjacking is the latest proof that traditional on-premises security approaches do not cover the myriad attack surfaces of a cloud-enabled enterprise.
Paolo Passeri is Cyber Intelligence Principal at smart cloud security company Netskope.