Web applications are a common target for hackers – they’re exposed to the internet and often are designed to protect sensitive data or functionality. This is why practicing good application security is so critical for an organization’s web applications. As many organizations have learned, a single oversight in their website’s code can result in an embarrassing (and costly) data breach.
One attack vector that has been making headlines recently is formjacking. This attack turns a website’s data gathering capabilities to the hacker’s advantage, making it a common cause of data breaches.
What is Formjacking?
The use of web forms to collect personal and sensitive information is fairly common on the internet: web-based forms are used regularly to collect everything from credit and debit card data to customer information on a Contact Us page. By providing a structured way to collect user data, forms make it easier for organizations to automate their data collection and processing.
In formjacking attacks, hackers take advantage of this easy collection of personal information to steal users’ personal data. When a user hits the Submit button on a form, the webpage kicks off a series of operations. Typically, this involves checking the data entered into the form (e.g. verifying that the credit card number looks legitimate) and then sending the data off to the web server for processing. In a formjacking attack, a hacker modifies this flow of operations by injecting malicious JavaScript into the page. The malicious JavaScript does not interfere with the web page’s normal operation, i.e. sending the data to the website owner; however, it ensures that another copy makes its way to the hacker’s computer as well.
Formjacking attacks provide hackers with an efficient method of collecting consumers’ personal data. If the hacker manages to inject malicious JavaScript into a web form (and many methods exist for accomplishing this), then they don’t need to do anything to trick the user into handing over their personal data. The user provides their data to a legitimate website, and the hacker gets a copy.
The Formjacking Threat
Formjacking attacks have become a growing threat as hackers have taken advantage of this technique to collect consumer data en masse. In fact, 71% of the web-related data breaches in 2018 were tied to formjacking attacks. Hackers’ focus on formjacking in 2018 is likely due to the fact that these attacks allow them to steal large amounts of valuable data (e.g. credit card information) with little chance of detection.
One group that has been making a name for itself through formjacking attacks is the Magecart hacking group. This group of hackers has made headlines for its malicious scripts that steal credit card information provided to legitimate sites. Some of the group’s major efforts included the breach of British Airways, which caused the UK’s Information Commissioner’s Office (ICO) to levy a record-breaking GDPR fine, and an attack against at least 80 eCommerce sites that were using an outdated version of the Magento eCommerce platform containing vulnerabilities that allowed scripts to be injected into a webpage.
Formjacking attacks have become so prevalent due to the low barrier to entry and the wide range of methods that can be used to perform them. The malicious script needed for a formjacking attack is only a few lines of JavaScript code. Since the code implements the same functionality as the legitimate site (sending payment card information off to a web server), an inexperienced hacker could likely base their code on the target site’s own.
Once the code is developed, the hacker needs a way to inject it into the target website. This can be accomplished by hacking the web server directly, exploiting cross-site scripting vulnerabilities, or even leveraging the existing digital advertising network. Since digital advertisers are accustomed to being paid to place advertisements containing scripts on legitimate webpages, the only challenge for a hacker is slipping their malicious code past the scanners.
Protecting Against Formjacking
Formjacking attacks have become a significant threat to organizations’ data security. Accounting for almost two-thirds of web-related data breaches, this attack vector has become a common way for hackers to slip past an organization’s security and steal its sensitive data. In order to be effective, hackers performing formjacking attacks need to be able to slip malicious script code into a legitimate web page. This code is needed to modify the actions taken when the user submits the form.
Defeating a formjacking attack comes down to denying the attacker the ability to insert this code into a webpage and execute it without detection. This is why a Web Application Firewall (WAF) is such an important defensive tool for an organization. WAFs provide multiple benefits when fighting formjacking attacks. First, they can help with detection and prevention of the initial script injection.
Many of these attacks take advantage of common web application vulnerabilities, like cross-site scripting. Exploitation of these vulnerabilities is one of the things that WAFs were designed to prevent.
More advanced WAFs can also provide other benefits to the defender. The presence of a formjacking script on a webpage may cause a significant change in the operation of the page when it starts loading the script injected by the attacker. State-of-the-art WAFs have the capability to detect and alert on or block this type of anomalous activity, stopping the attack before it starts.
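The anomaly the previous paragraph describes, a page suddenly carrying a script it did not carry before, can also be checked outside the WAF. The following is an added example (not code from the original article or from any WAF product) that records the scripts a page legitimately carries, external ones by URL and inline ones by SHA-256 of their body, and reports any script that is not in that baseline. The checkout page HTML and the tampered copy are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script> on a page: external by src, inline by SHA-256 of the body."""
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:                      # inline script: buffer its body until </script>
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._buf).strip().encode()
            self.inline.append(hashlib.sha256(body).hexdigest())


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.external, parser.inline


def baseline_from(html):
    """Snapshot the known-good page: allowed external URLs and allowed inline hashes."""
    external, inline = collect_scripts(html)
    return set(external), set(inline)


def audit_page(html, allowed_src, allowed_hashes):
    """Return findings for every script on the page that is absent from the baseline."""
    external, inline = collect_scripts(html)
    findings = [f"unexpected external script: {s}" for s in external if s not in allowed_src]
    findings += [f"unexpected inline script sha256={h[:16]}" for h in inline if h not in allowed_hashes]
    return findings


# Constructed sample: the known-good checkout page, then the same page with two scripts added.
BASELINE_HTML = """<html><body><form id="checkout" action="/pay" method="post"></form>
<script src="/static/checkout.js"></script>
<script>document.getElementById('checkout').addEventListener('submit', validate);</script>
</body></html>"""
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>", '<script src="https://cdn.example-analytics.invalid/t.js"></script>'
    "<script>/* injected block */</script></body>")
```

Run `audit_page` against a fresh fetch of each monitored page on a schedule; an empty result means the script set matches the baseline, anything else is worth an alert.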