DataVisor Threat Blog:
Formjacking: Trendy term, or legitimate threat?
The theft of private financial data via seemingly simple “living off the land” (LotL) attacks can lead to massive, bot-powered fraud.
If you follow the news about online fraud, you’ve probably seen the term cropping up with more frequency lately—formjacking. The topic has set off a significant amount of concerned chatter, with some commentators going so far as to declare 2019 “the year of formjacking.” While that may prove to be hyperbole, it may not. Recent studies suggest—as highlighted in a recent story from Toolbox—that formjacking has overtaken ransomware as a top threat.
If you’re someone who sits on the sidelines of the fraud landscape, you may have just dismissed the chatter as yet another instance of over-hyped and faddish language making the headline rounds. On the other hand, if it’s your business to detect and prevent fraud, you probably stood up and took a bit of notice. You may have even thought to yourself, “Formjacking? What is it, and should I be worried about it?”
What IS formjacking?
Defining formjacking is pretty straightforward. It’s a method fraudsters use to steal the payment card and personal details you type into a checkout form on an e-commerce site. Fraudsters insert malicious JavaScript into the site’s pages, either through a server vulnerability or through a third-party script the site loads, and that code copies your data when you submit the form and sends it to the fraudster, while your real purchase goes through as normal. Once they have your data, they can re-use it, or sell it. The process can be staggeringly lucrative, as reported in a recent article from MakeUseOf:
“One hacker used 22 lines of code to modify scripts running on the British Airways site. The attacker stole 380,000 credit card details, netting over £13 million in the process.”
22 lines of code. £13 million. You can see the appeal.
Ticketmaster is another recent high-profile victim. This should probably come as no surprise. As DataVisor recently reported, the airline and ticketing industries have a severe fraud problem.
In another recent DataVisor post focusing on credential stuffing, we shared details about the value of user data on the dark web:
- Social Security number: $1
- Driver’s license: $20
- Online payment services login info (e.g., Paypal): $20-$200
- Diplomas: $100-$400
- Passports (US): $1000-$2000
The challenges posed by formjacking
You don’t know it’s happening until it’s too late
One of the critical challenges posed by the practice of formjacking is that the customer generally has no idea it’s happening, and there is virtually nothing a customer can do to protect themselves and their data: the page looks and behaves exactly as it should, and the padlock in the browser stays green. At least with credential stuffing, embracing password best practices can make a difference. Not so with formjacking. You don’t find out until after the damage has been done. This means that virtually all responsibility for preventing formjacking attacks falls on the enterprise.
Encryption doesn’t address the threat
These attacks are also difficult for e-commerce services to detect. Services are responsible for protecting sensitive user data both “at rest” (e.g., stored in a database) and “in transit” (e.g., traveling from the consumer to the service and on to the database), and encryption is the usual answer to eavesdropping on that path. It does not address formjacking, because the malicious code is delivered by the compromised site and runs inside the customer’s browser, where it reads the card fields before TLS ever encrypts the request. It then sends its copy to the fraudster over a connection of its own, often also encrypted, so both the encrypted channel and the encrypted database stay intact while the data leaks.
It’s online, so it scales
Another challenge is the issue of scale. Both the basic idea and the end goal of formjacking are essentially the same as ATM “skimming”: the fraudulent capture of banking details during a financial transaction by inserting a malicious mechanism. The difference is that formjacking isn’t tethered to a physical location; it happens online, and one compromised script is served to every customer who checks out. So the potential is there for massive-scale fraud. The scale is in fact pretty ominous already. As indicated by Symantec’s 2019 Internet Security Threat Report, formjacking compromised nearly 5,000 unique websites a month in 2018, and it’s getting worse. In a Symantec article from September 2018, they write that “Since August 13, we have blocked an average of 6,368 formjacking attempts every day.”
Shopping happens online, so crime happens online
Compounding this issue of scale is the simple fact that more people than ever shop online. A recent article from Digital Commerce 360 notes that “Global web sales neared $3 trillion in 2018, increasing online’s share of total retail sales to north of 15%.” Add to this the prediction that retailers will lose upwards of 10% of revenue to card-not-present (CNP) fraud over the next five years, and you start to get a fuller sense of the severity of the problem.
In short, not only is the onus on industry to address the problem, it’s a big problem.
Can formjacking be stopped?
As is the case in virtually all instances of large-scale coordinated fraud attacks, proactivity and a holistic analysis approach are key. As Symantec writes in the article cited above:
“Behavior monitoring of all activity on a system can also help identify any unwanted patterns and allow you to block a suspicious application before any damage can be done.”
CISO Mag’s recent coverage of formjacking also points up what’s required to stay ahead of these kinds of attacks, noting that “Identifying and blocking these attacks requires the use of advanced detection methods like analytics and machine learning.”
Detection and prevention come down to a matter of meeting scale with scale. This is especially important to understand when one considers the bigger picture—what happens after the form gets “jacked.”
The bigger picture
Ultimately, formjacking itself isn’t the biggest issue; it’s what it makes possible. The theft of private financial data is deeply worrisome, and as we saw with British Airways and Ticketmaster, the damage can be significant, both financially and reputationally, for any business under attack. However, it’s when the stolen card details and credentials get put to use by malicious fraud actors that the real trouble begins. The latest edition of the Digital Fraud Tracker from PYMNTS notes that account takeover (ATO) losses crested $5B in 2017, and that number is predicted to keep rising.
Meeting scale with scale
The rise in ATO losses is due in no small part to the increasing use of bots to power these attacks, which are coordinated and massive in scale. The matter is particularly pressing for financial services:
“DataVisor estimates that 50% to 80% of account takeover attacks on financial services are conducted via coordinated attacks.”
So, what begins with a seemingly simple “living off the land” (LotL) attack—a “skim” of financial data via a few lines of malicious code—ends up as massive, bot-powered fraud.
This is why we say it’s critical to meet scale with scale. Because seemingly small incidents can lead to very big problems, very quickly—particularly when bots are introduced into the equation. If you have the possibility of one bot attack, you have the potential of millions of bot attacks. This is also why we say proactivity is so critical. The sooner you stop the problem, the smaller the damage will be.