
Everything you need to know about Formjacking

By Steve Sutcliffe
Formjacking: it’s the get-rich-quick scheme cyber criminals love to use, so here’s everything else you need to know about this relatively new kind of cyber-attack.

What is it?

Formjacking is a relatively new method of stealing digital information. It uses malicious JavaScript code to steal valuable data like credit card information from payment forms on the checkout pages of e-commerce websites. It’s particularly problematic because the entire attack happens without any visible warning signs, so often the victim and even the website owners will have no idea anything has happened until it is far too late.
 

When did it start?

We first started hearing about formjacking attacks towards the end of 2018, thanks to a series of security updates from Symantec.
 

What websites are targeted for formjacking?

Interestingly enough, the websites that typically fall victim to formjacking attacks are generally very well established, reputable and trusted brands, which have often spent millions of pounds on developing a sophisticated cyber security strategy. Why is this the case? Because the bigger the brand, the greater the number of customers, and the greater the number of customers, the more data there is to be stolen. Hackers using formjacking will also look out for websites that are already using lots of third-party JavaScript code, because this makes it easy to disguise the JavaScript code they need to implement in order to make the formjacking happen.
 

Why are hackers using formjacking more and more?

The answer to this question is easy: formjacking is simple to implement, hard to detect and very lucrative. To put that last point into perspective, Rapid Spike estimate that the data formjacked from the British Airways website could net hackers up to $19,000,000!
 

What can you do to protect against formjacking attacks?

As there is no single (or simple!) answer to this question, we’re going with a bullet-pointed list of what you can do to best protect your business, not just from formjacking attacks but from hackers in general.
  • Invest in a fully patched server with no vulnerabilities. This is especially useful in protecting against formjacking because the JavaScript it relies on is stored on the server.
  • Keep a close eye on your data! If you notice large volumes of data leaving your website without warning, this could be one of the very few indications that something is afoot. The idea here is that thieves need to send the data they’ve stolen somewhere so they can ultimately sell it, so keeping an eye on where data from your website is going could be the first clue you’ve been hacked.
  • Test any software updates in small test environments to try to detect any suspicious behaviour. This is worth doing because many of the formjacking attacks we know about used supply chain attacks as the infection vector. You can read more about that here.
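One way to act on the second and third points together, as an added example that is not part of the original article: capture the network requests made while submitting a test order in a staging environment, then flag every destination that is not on an approved list. The host names, the allowlist and the sample capture are constructed assumptions; a real capture would come from the browser's HAR export.

```javascript
// Added example: flag checkout-page requests that go to hosts outside an allowlist.
// All hosts and entries below are constructed for illustration.
const ALLOWED_HOSTS = new Set([
  "shop.example",          // the store itself (assumed)
  "pay.gateway.example",   // the payment provider (assumed)
  "cdn.analytics.example", // an approved third-party script host (assumed)
]);

// Constructed sample capture in a simplified HAR-like shape.
const SAMPLE_ENTRIES = [
  { method: "GET",  url: "https://shop.example/checkout", bodySize: 0 },
  { method: "GET",  url: "https://cdn.analytics.example/tag.js", bodySize: 0 },
  { method: "POST", url: "https://pay.gateway.example/v1/charge", bodySize: 412 },
  { method: "POST", url: "https://stats.unlisted.example/collect", bodySize: 398 },
  { method: "GET",  url: "https://img.unlisted.example/p.gif?d=constructed", bodySize: 0 },
];

function findUnexpectedDestinations(entries, allowedHosts) {
  const findings = [];
  for (const entry of entries) {
    let parsed;
    try {
      parsed = new URL(entry.url);
    } catch {
      // Treat anything we cannot parse as a finding instead of skipping it.
      findings.push({ host: null, url: entry.url, reason: "unparseable URL" });
      continue;
    }
    // Exact hostname match only: suffix or substring matching would let
    // similar-looking hosts through.
    if (allowedHosts.has(parsed.hostname)) continue;
    // Data can leave in a request body or in the query string of a GET.
    const carriesData = entry.bodySize > 0 || parsed.search.length > 1;
    findings.push({
      host: parsed.hostname,
      url: entry.url,
      reason: carriesData ? "unlisted host receiving data" : "unlisted host contacted",
    });
  }
  return findings;
}

for (const f of findUnexpectedDestinations(SAMPLE_ENTRIES, ALLOWED_HOSTS)) {
  console.log(`${f.reason}: ${f.host ?? f.url}`);
}
```

Running the same capture before and after each software update, and comparing the findings, turns the "test environment" advice into a repeatable check.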
 

How serious is a formjacking attack?

In short, it’s serious. With regulations like GDPR and the hefty fines a breach of them can carry, it’s very important that your website and the data it is responsible for are incredibly well protected. Falling victim to a formjacking attack due to poor security could land your business with a very big bill!
 

What should I do next?

If you’re concerned your e-commerce business or online shop could fall victim to a formjacking attack, then get in touch with our cyber security experts today and we’ll help you put the right security measures in place.
 
