
Formjacking: Trendy term, or legitimate threat?

By Christopher Watkins April 23, 2019

Christopher Watkins is Senior Creative Writer at DataVisor. He brings 10+ years of writing, editing, and strategy experience to his role. He was previously Senior Writer and Chief Words Officer at Udacity. He holds an MFA in Creative Writing from the University of Southern Maine.

If you follow the news about online fraud, you’ve probably seen the term cropping up with more frequency lately—formjacking. The topic has set off a significant amount of concerned chatter, with some commentators going so far as to declare 2019 “the year of formjacking.” That may prove to be hyperbole, but it may not. Recent studies suggest—as highlighted in a recent story from Toolbox—that formjacking has overtaken ransomware as a top threat.

If you’re someone who sits on the sidelines of the fraud landscape, you may have just dismissed the chatter as yet another instance of over-hyped and faddish language making the headline rounds. On the other hand, if it’s your business to detect and prevent fraud, you probably stood up and took a bit of notice. You may have even thought to yourself, “Formjacking? What is it, and should I be worried about it?”

What IS formjacking?

Defining formjacking is pretty straightforward. It’s a method fraudsters use to steal your banking details via an e-commerce site. Fraudsters insert malicious code into the site through server vulnerabilities or third-party vendors; that code captures your data when you submit it to make your purchase, then sends it to the fraudster. Once they have your data, they can reuse it or sell it. The process can be staggeringly lucrative, as reported in a recent article from MakeUseOf:

“One hacker used 22 lines of code to modify scripts running on the British Airways site. The attacker stole 380,000 credit card details, netting over £13 million in the process.”

22 lines of code. £13 million. You can see the appeal.

Ticketmaster is another recent high-profile victim. This should probably come as no surprise. As DataVisor recently reported, the airline and ticketing industries have a severe fraud problem.

In another recent DataVisor post focusing on credential stuffing, we shared details about the value of user data on the dark web:

  • Social Security number: $1
  • Driver’s license: $20
  • Online payment services login info (e.g., Paypal): $20-$200
  • Diplomas: $100-$400
  • Passports (US): $1000-$2000

The challenges posed by formjacking

You don’t know it’s happening until it’s too late
One of the critical challenges posed by formjacking is that the customer generally has no idea it’s happening, and there is virtually nothing a customer can do to protect themselves and their data. At least with credential stuffing, embracing password best practices can make a difference. Not so with formjacking: you don’t find out until after the damage has been done. This means that virtually all responsibility for preventing formjacking attacks falls to the enterprise.

Encryption doesn’t address the threat
These attacks are also difficult for e-commerce services to detect. Those services are responsible for protecting sensitive user data both “at rest” (e.g., stored in a database) and “in transit” (e.g., traveling from the consumer to the service and then to the database). Encryption, commonly used against eavesdropping, does not address the threat from malicious formjacking code embedded in the site that processes the data: the skimmer handles the submitted values in the clear, exactly as the legitimate code does.

It’s online, so it scales
Another challenge is the issue of scale. Both the basic idea and the end goal of formjacking are essentially the same as ATM “skimming”—the fraudulent procurement of banking details during a financial transaction through the insertion of a malicious mechanism—but formjacking isn’t tethered to a physical location; it happens online. So the potential is there for massive-scale fraud. The scale is in fact pretty ominous already. As indicated by Symantec’s 2019 Internet Security Threat Report, formjacking compromised nearly 5,000 unique websites a month in 2018—and it’s getting worse. In a Symantec article from September of 2018, they write that “Since August 13, we have blocked an average of 6,368 formjacking attempts every day.”

Shopping happens online, so crime happens online
Compounding this issue of scale is the simple fact that more people than ever shop online. A recent article from Digital Commerce 360 notes that “Global web sales neared $3 trillion in 2018, increasing online’s share of total retail sales to north of 15%.” Add to this the prediction that retailers will lose upwards of 10% of revenue to card-not-present (CNP) fraud over the next five years, and you start to get a fuller sense of the severity of the problem.

In short, not only is the onus on industry to address the problem, it’s a big problem.

Can formjacking be stopped?

As with virtually all large-scale coordinated fraud attacks, proactivity and a holistic analytical approach are key. As Symantec writes in the article cited above:

“Behavior monitoring of all activity on a system can also help identify any unwanted patterns and allow you to block a suspicious application before any damage can be done.”

CISO Mag’s recent coverage of formjacking also points out what’s required to stay ahead of these kinds of attacks, noting that “Identifying and blocking these attacks requires the use of advanced detection methods like analytics and machine learning.”

Detection and prevention come down to meeting scale with scale. This is especially important to understand when you consider the bigger picture: what happens after the form gets “jacked.”
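To make the two preceding points concrete (that encryption does not address a skimmer embedded in the site, and that defending against formjacking means monitoring what actually runs on the page), here is an added example written for this post; it is not DataVisor’s code or a product feature. It assumes the defender already knows which scripts the checkout page is supposed to carry and takes a baseline snapshot of them; the page HTML, the hostnames (`cdn.example-payments.test`, `stats-collector.invalid`) and the integrity values are all constructed for the example. The script parses every `<script>` element on a served checkout page with Python’s standard library and reports any script loaded from a host outside the baseline, any cross-origin script without a Subresource Integrity (SRI) attribute, any SRI value that differs from the baseline, and any inline script whose hash changed. Those are exactly the kinds of change an injected skimmer produces, whether it arrives through a compromised first-party asset or a third-party tag, and TLS never sees them.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ScriptTag:
    src: str | None            # external script URL, or None for an inline script
    integrity: str | None      # Subresource Integrity (SRI) attribute, if present
    inline_sha256: str | None  # SHA-256 of the inline body, None for external scripts


class _ScriptCollector(HTMLParser):
    """Collect every <script> element on the page, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts: list[ScriptTag] = []
        self._in_script = False
        self._attrs: dict[str, str | None] = {}
        self._body: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._attrs = dict(attrs)
            self._body = []

    def handle_data(self, data):
        if self._in_script:          # script bodies arrive here as raw text
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._body).strip()
            digest = hashlib.sha256(body.encode()).hexdigest() if body else None
            self.scripts.append(ScriptTag(self._attrs.get("src"),
                                          self._attrs.get("integrity"), digest))


def collect_scripts(html: str) -> list[ScriptTag]:
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def build_baseline(html: str, allowed_hosts: set[str]) -> dict:
    """Snapshot the approved page: allowed script hosts, inline hashes, SRI per src."""
    tags = collect_scripts(html)
    return {
        "allowed_hosts": set(allowed_hosts),
        "inline_hashes": {t.inline_sha256 for t in tags if t.inline_sha256},
        "sri_by_src": {t.src: t.integrity for t in tags if t.src and t.integrity},
    }


def audit_checkout_page(html: str, baseline: dict) -> list[str]:
    """Return one finding per deviation from the baseline; [] means unchanged."""
    findings: list[str] = []
    for tag in collect_scripts(html):
        if tag.src is None:
            if tag.inline_sha256 and tag.inline_sha256 not in baseline["inline_hashes"]:
                findings.append(f"UNKNOWN_INLINE sha256={tag.inline_sha256[:12]}")
            continue
        host = urlsplit(tag.src).hostname   # None for a relative, first-party path
        if host is not None and host not in baseline["allowed_hosts"]:
            findings.append(f"UNKNOWN_HOST {tag.src}")
        if host is not None and tag.integrity is None:
            findings.append(f"MISSING_SRI {tag.src}")
        elif tag.src in baseline["sri_by_src"] and tag.integrity != baseline["sri_by_src"][tag.src]:
            findings.append(f"SRI_CHANGED {tag.src}")
    return findings


# Constructed sample pages (hostnames and integrity values are made up).
GOOD_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-payments.test/sdk.js"
        integrity="sha384-EXAMPLEBASELINEHASH" crossorigin="anonymous"></script>
<script>window.cartId = "abc123";</script>
</head><body><form id="payment"></form></body></html>"""

# The same page after an unapproved change: one extra third-party script and an altered inline script.
TAMPERED_PAGE = GOOD_PAGE.replace(
    '<script>window.cartId = "abc123";</script>',
    '<script src="https://stats-collector.invalid/s.js"></script>\n'
    '<script>window.cartId = "abc123"; loadExtra();</script>')

ALLOWED_HOSTS = {"cdn.example-payments.test"}

if __name__ == "__main__":
    baseline = build_baseline(GOOD_PAGE, ALLOWED_HOSTS)
    for name, page in (("approved page", GOOD_PAGE), ("served page", TAMPERED_PAGE)):
        print(f"{name}: {audit_checkout_page(page, baseline) or ['no change']}")
```

Run against the approved page the audit returns nothing; run against the served copy it reports the unknown host, the missing SRI attribute on that script, and the changed inline hash. In practice the baseline would be regenerated on every approved release and the audit run on a schedule against the live checkout page (from outside the network, since a skimmer is often served only to real customers); each finding is a ticket, not a statistic, because the whole point is that a single unexpected script on a payment page is already the incident.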

The bigger picture

Ultimately, formjacking itself isn’t the biggest issue—it’s what it makes possible. The theft of private financial data is deeply worrisome, and as we saw with British Airways and Ticketmaster, the damage can be significant—both financially and reputationally—for any business under attack. However, it’s when those stolen credentials get put to use by malicious fraud actors that the real trouble begins. The latest edition of the Digital Fraud Tracker from PYMNTS notes that account takeover (ATO) losses crested $5B in 2017, and that number is predicted to keep rising.

Meeting scale with scale

The rise in ATO losses is due in no small part to the increasing use of bots to power these attacks, which are coordinated and massive in scale. The matter is particularly pressing for financial services:

“DataVisor estimates that 50% to 80% of account takeover attacks on financial services are conducted via coordinated attacks.”

So, what begins with a seemingly simple “living off the land” (LotL) attack—a “skim” of financial data via a few lines of malicious code—ends up as massive, bot-powered fraud.

This is why we say it’s critical to meet scale with scale: seemingly small incidents can lead to very big problems, very quickly, particularly when bots are introduced into the equation. If you have the possibility of one bot attack, you have the potential for millions of bot attacks. This is also why we say proactivity is so critical. The sooner you stop the problem, the smaller the damage will be.

