“This is a very easy and very effective way to steal credit card information,” says Kevin Haley, director of product management for Symantec Security Response. “It is the virtual world equivalent of the skimmers that get put on ATMs or gas pumps, and you don’t have to leave the comfort of your own home — you just hop on a website.”
The number of formjacking attacks took a big leap in 2018, with more than 4,800 websites compromised every month, according to Symantec’s Internet Security Threat Report, published in February. May alone saw 556,000 attempts, which the report called “an anomalous spike in activity.”
In all, Symantec blocked 3.7 million attempts at formjacking last year, with at least 1 million of those happening in the last two months of the year — holiday shopping season.
“With data from a single credit card being sold for up to $45 on underground markets, just 10 credit cards stolen from compromised websites could result in a yield of up to $2.2 million for cyber criminals each month. The appeal of formjacking for cyber criminals is clear,” states the report.
Formjacking Replaces Cryptojacking as a Popular Hack
The attacks may also be increasing because cryptojacking — the illicit running of cyber coin miners on a device without the owner’s permission — is becoming less popular as the value of cryptocurrency falls, Haley says. In addition, formjacking provides far more information than other forms of credit card theft.
“When you put the credit card in at a gas station pump, it’s just reading what’s on the strip. It’s not asking for the CVV number, that little security number,” he says. “But every purchase you make online, it wants that little security number. So you’re getting additional information when you steal it that way.”
Formjackers usually enter a site through third-party tools. For example, one major company was breached in early 2018 by malicious code inserted into its support chat tool. Another was similarly attacked later that year, but did not reveal exactly how the hackers gained entry.
Symantec’s report found, however, that small and medium-sized retailers “selling goods ranging from clothing to gardening equipment to medical supplies” were actually the most frequent targets of formjackers.
“There are just more small and medium-sized businesses, and their defenses tend not to be as good as a large company’s,” says Haley. “You may not be able to steal as many credit cards in a day, but you are going to be on there a lot longer, because [small and medium companies] are less likely to catch on to what’s going on.”
Make Sure the Supply Chain Is Protected
Good security software provides the best protection, Haley says, but it’s not perfect — especially because many formjackers get into a system through third-party suppliers. “You need to test the updates you’re getting from your suppliers,” he adds. “You should use some kind of content security and be scanning and looking for malicious code on a regular basis.”
The damage to a company’s reputation is as serious as the intrusion into its system, he says. “As the end user, your credit card information is now stolen. The retailer, that’s where the credit cards are being stolen from.
“In the end, it’s going to be your customers blaming you for it, and it’s going to be your name in the newspaper about how credit cards got stolen. The repercussions are the same as a standard breach — it’s just a different way to get the information.”