What is Formjacking and How to Protect Yourself From This Attack?

S.E. Slack
December 6, 2019

Hackers are always on the hunt for your personal and financial details. Increasingly, they are zeroing in on the online forms that you use to log in to your favorite websites or make purchases via online shopping carts. Called formjacking, this type of attack secretly collects the information you enter.

This type of attack works so well because most people instinctively trust and fill out the information a website requests without a second thought. As you do, however, you potentially open the door to hackers who are quite happy to intercept your private information.

What is formjacking?

Formjacking is a cyberattack that secretly collects payment and other personal information that users willingly enter into a website’s form, either during login or checkout. Hackers then sell the information or use it to steal directly from the victim.

The problem is increasing worldwide. In 2018, formjackers compromised more than 4,800 websites every month for a total of more than 57,000 websites hacked that year, according to Symantec. They targeted popular websites such as Ticketmaster, British Airways, Target and VisionDirect, a division of Walgreens.

It’s not just the big, well-known sites that are targeted. Symantec says that small and medium-sized retailers are also routinely targeted, making formjacking a global threat that can strike any type of website that accepts payments.

How does formjacking work?

Formjacking primarily works by targeting the ecommerce platforms where you log in and complete purchases online. These platforms run the shopping carts you see when you purchase something on a website. Many websites tend to use the same popular third-party ecommerce platforms like Magento, Shopify or YoKart.

Anyone can use these platforms to sell their product or service on a website. For example, YoKart is used by vendors on Amazon, eBay and Etsy. Burger King uses Magento to run its online ordering service and Shopify works on Facebook to help individuals sell items both new and used. The code for these ecommerce platforms is not always private or securely encrypted, so it becomes an easy target for hackers.

“Formjackers silently insert a tiny piece of malicious JavaScript code into a website’s existing code, which tricks the site into sending your payment information to the bad guys,” said Tim Fisher, general manager of Lifewire.com. “What’s most frightening about formjacking is that it targets perfectly legitimate websites, so information from potentially millions of people is exposed to hackers before the site owners or users ever figure out there’s a problem.”

The Magento ecommerce platform has been hit hardest. Two of the most famous Magento formjacking victims are British Airways and Newegg, whose recent breaches have been linked to the same group of hackers. In every case, the transactions completed normally, with neither the victim nor the site owner aware that anything was wrong. The hackers then used the information or sold it to other hackers. Eventually, victims discovered drained bank accounts or unapproved credit card charges on a statement.

Formjacking has been discovered on all types of web pages and sites, including health care sites and login pages. That indicates hackers are discovering new ways to both steal information and use it, some of which are not yet even known. Website owners are finding ways to protect their code more effectively, but small and medium-sized business sites often don’t have the sophisticated back-end tools needed to prevent formjacking attacks.

I think I’ve been formjacked: What do I do?

Formjacking works so well for hackers because it is almost impossible to spot. Victims don’t know they have been hit until their financial accounts show suspicious activity or they read about a data breach involving a site they have used. It’s important, then, to continually monitor your bank accounts for unauthorized transactions and keep an eye on your credit report to ensure no new accounts are opened in your name without your knowledge.

If you believe you are a formjacking victim, the first thing to do is contact your bank and request help in blocking your accounts from hackers. It’s a good idea, too, to contact credit reporting agencies and place a freeze or fraud alert on your account to ensure that hackers can’t use your personal information to obtain additional credit in your name. You can also report the crime to the FBI’s Internet Crime Complaint Center.

“This type of hack is incredibly difficult to spot,” said Fisher, “but there are still things you can do to protect yourself. A browser-based script blocker extension can often spot the dangerous code, and there are some really good antivirus programs that can help you block this kind of attack, too.”

Fisher recommends using both options together to create a strong layer of protection as you shop online. “Look for an antivirus program that uses real-time scanning and offers automatic updates to help you stay on top of any new formjacking threats.”

Browser-based script blockers are browser extensions that hunt for unexpected code on the websites you visit. You can try ScriptSafe for Chrome and Opera, NoScript for Firefox, or JS Blocker for Safari; these are easy to add to your browser using the appropriate app store for your device.

If your information has indeed been stolen, you may also receive suspicious communications from hackers. They might attempt to call or text you, or even email you with official-looking attachments that request additional information. You can try to find out who is behind unknown calls and texts by using a reverse phone lookup tool and using an email search to help check the origins of any suspicious emails you receive.