Threat actors are always one step ahead, so after ransomware and cryptojacking, they have latched to a new, high-return attack: formjacking.
Incidents of formjacking attacks – where hackers inject malicious JavaScript code into a website to skim data – rose steadily in the second half of last year. These small lines of code are very hard to detect but very effective. While formjacking can scrape data from any element of web browsing, it’s mostly targeted at ecommerce sites. One researcher, Willem de Groot, estimates that at least 50 e-merchants a day were being hacked between November and February.
Formjacking tools, like those used by the hacker collective, the Magecart group, are exceptionally flexible and can compromise hundreds of thousands of websites, often via extensions, making it a very profitable attack method for criminals.
What’s more, the Magecart group exploits new vulnerabilities very quickly. Worryingly, it seems that when organisations discover new vulnerabilities in their ecommerce software, they also find that these have already been exploited.
Many CISOs at large enterprises may be wondering, “What has this got to do with me?” In today’s cloud-based world, where one interaction can affect thousands of others, that attitude conjures up imagery of an ostrich with its head in the sand.
It’s true that formjacking is currently focused on e-commerce and the theft of credit card details, but as we’ve seen, the targets of cyber-attacks are continually evolving. It’s worth remembering that formjacking can target any type of data entered into a form, via the web, including log-in information and employee details.
At the same time, nearly nine in ten organisations are currently undertaking at least one cloud-based digital transformation project (IDC). As these enterprises progress their digital transformation strategies, they are increasingly developing apps via infrastructure-as-a-service (IaaS). This makes them vulnerable to formjacking attacks, which can prey on any type of web-based data collection. To me this isn’t just a red-flag, it’s another point of evidence to convince board-room colleagues that it’s time to embark upon a security transformation programme.
It’s clear that forward-thinking CISOs need to have formjacking on their radar. Here are three simple steps you can take to help protect your organisation from these attacks:
- As a first step I recommend reviewing and strengthening your security governance process; so, it’s both proactive and reactive. Consistency is key here. It’s important you follow the same security procedures and guidelines for all plug-in modules and extensions ensuring strong levels of security are embedded in the development process for all web applications. As well as keeping abreast of security bulletins and patches accordingly, it’s important to perform your own regular vulnerability assessments. It can be useful to pilot any new software updates in small test environments because this helps highlight unusual behaviour in the script.
- It’s important that businesses developing apps via cloud-based infrastructure ensure that they rethink their legacy security solutions. Traditional security approaches do not cover the myriad attack surfaces