Web applications are a common target for hackers – they’re exposed to the internet and often are designed to protect sensitive data or functionality. This is why practicing good application security is so critical for an organization’s web applications. As many organizations have learned, a single oversight in their website’s code can result in an embarrassing (and costly) data breach.
One attack vector that has been making headlines recently is formjacking. This attack turns a website’s data gathering capabilities to the hacker’s advantage, making it a common cause of data breaches.
What is Formjacking?
The use of web forms to collect personal and sensitive information is fairly common on the internet: web-based forms are used regularly to collect everything from credit and debit card data to customer information on a Contact Us page. By providing a structured way to collect user data, forms make it easier for organizations to automate their data collection and processing.
The Formjacking Threat
Formjacking attacks have become a growing threat as hackers have taken advantage of this technique to collect consumer data en masse. In fact, 71% of the web-related data breaches in 2018 were tied to formjacking attacks. The focus on formjacking by hackers in 2018 is likely because these attacks let them steal large amounts of valuable data (e.g. credit card information) with little chance of detection.
One group that has been making a name for itself through formjacking attacks is the Magecart hacking group. This group of hackers has made headlines for its malicious scripts that steal credit card information provided to legitimate sites. Some of the group’s major efforts included the breach of British Airways, which caused the UK’s Information Commissioner’s Office (ICO) to levy a record-breaking GDPR fine, and an attack against at least 80 eCommerce sites that were running an outdated version of the Magento eCommerce platform, which contained vulnerabilities allowing scripts to be injected into a webpage.
Once the code is developed, the hacker needs a way to inject it into the target website. This can be accomplished by hacking the web server directly, exploiting cross-site scripting vulnerabilities, or even leveraging the existing digital advertising network. Since digital advertisers are accustomed to being paid to place advertisements containing scripts on legitimate webpages, the only challenge for a hacker is slipping their malicious code past the advertising network’s scanners.
Protecting Against Formjacking
Formjacking attacks have become a significant threat to organizations’ data security. Accounting for almost two-thirds of web-related data breaches, this attack vector has become a common way for hackers to slip past an organization’s security and steal its sensitive data. To be effective, a formjacking attack needs to slip malicious script code into a legitimate web page; this code modifies what happens when the user submits the form.
Defeating a formjacking attack comes down to denying the attacker the ability to insert this code into a webpage and execute it without detection. This is why a Web Application Firewall (WAF) is such an important defensive tool for an organization. WAFs provide multiple benefits in the fight against formjacking attacks. First, they can help detect and prevent the initial script injection.
Many of these attacks take advantage of common web application vulnerabilities, like cross-site scripting. Exploitation of these vulnerabilities is one of the things that WAFs were designed to prevent.
More advanced WAFs can also provide other benefits to the defender. The presence of a formjacking script on a webpage may cause a significant change in the operation of the page once it starts loading the script injected by the attacker. State-of-the-art WAFs can detect and alert on, or block, this type of anomalous activity, stopping the attack before it starts.