The February 2019 Symantec Internet Threat Security Report includes a startling statistic – 4,800 websites are compromised with formjacking code each month. If you have never heard of formjacking, you are not alone. It is the new kid on the block of cyber attacks. Let’s take a closer look at formjacking and why you need to be aware of this highly lucrative attack.
What is Formjacking?
Why is Formjacking on the Rise?
There are two basic reasons why formjacking is growing in popularity:
- It’s easy to use
- It’s very lucrative
There is a huge amount of money to be made with compromised payment methods. As reported by Symantec, “All it takes is 10 stolen credit cards per compromised website to result in a yield of up to $2.2M per month, as each card fetches up to $45 in underground selling forums.”
That is not a bad payday for not much work. Also, stolen personal information can be used for other nefarious money-making purposes, such as virtual kidnapping attacks.
What are the Risks of Formjacking?
The risks associated with formjacking are the same as with any injection attack. They include:
- Identity theft
- Identity spoofing
- Privilege escalation
- Access to unauthorized information or content
- Loss of reputation and/or business
How can you Prevent Formjacking?
You can provide some additional protection by using Subresource Integrity (SRI) tags. An SRI tag carries a cryptographic hash of the expected resource; the web browser hashes what it actually receives and refuses to use the resource if the two do not match, so a script that has been manipulated in transit or on a third-party host is blocked. You can learn more about SRI tags by visiting the dedicated W3C page.
You can also use your security appliances, such as a firewall, to monitor the outbound traffic from form-based web pages. Compare the destinations against the handful of hosts those pages legitimately talk to (your own origin, your CDN, your payment provider). If traffic from a form page is going somewhere unexpected, focus your code reviews on the impacted pages.
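As an added example (not from the original post), the following Node.js script applies that rule to constructed egress log lines: it keeps only requests originating from known form pages, parses the destination host, and reports any host outside the allowlist, grouped by page so the review list falls out directly. The log line layout, the page paths and the host names are assumptions for the demonstration; real proxy or firewall logs may carry the originating page in a Referer field or not at all, so the parser is the part you would adapt.

```javascript
// Added example (not from the original post): flag outbound requests from
// form-bearing pages whose destination host is not on the allowlist.
// Log format, paths and hosts are constructed for this demonstration.

// Pages that collect user input and therefore deserve egress monitoring.
const FORM_PAGES = new Set(['/checkout', '/account/register', '/support/chat']);

// Hosts these pages are expected to contact (own origin, CDN, payment provider).
const ALLOWED_HOSTS = new Set(['shop.example', 'cdn.shop.example', 'payments.psp.example']);

// Constructed log lines: "<timestamp> <originating page path> <method> <destination URL>".
const SAMPLE_LOG = [
  '2019-02-20T10:15:01Z /checkout GET https://cdn.shop.example/js/checkout.js',
  '2019-02-20T10:15:02Z /checkout POST https://payments.psp.example/v1/tokens',
  '2019-02-20T10:15:02Z /checkout GET https://stats-collector.example/p?x=abc',
  '2019-02-20T10:15:05Z /about GET https://fonts.example/roboto.woff2',
  '2019-02-20T10:15:06Z /account/register POST https://stats-collector.example/p',
  '2019-02-20T10:15:07Z /support/chat GET https://shop.example/api/session',
  'this line is malformed and should be skipped',
];

// Parse one line into its fields, or return null when it does not fit the layout.
function parseLine(line) {
  const parts = line.trim().split(/\s+/);
  if (parts.length !== 4) return null;
  const [ts, page, method, dest] = parts;
  let host;
  try {
    host = new URL(dest).hostname.toLowerCase();
  } catch (e) {
    return null; // destination is not a URL
  }
  return { ts, page, method, host };
}

// Run the allowlist check over the log. Returns the individual findings,
// the de-duplicated list of pages to review, and how many lines were skipped.
function findUnexpectedEgress(lines, formPages = FORM_PAGES, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  let skipped = 0;
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) { skipped += 1; continue; }
    if (!formPages.has(rec.page)) continue;      // only pages that take user input
    if (allowedHosts.has(rec.host)) continue;    // expected destination
    findings.push({ ts: rec.ts, page: rec.page, method: rec.method, host: rec.host });
  }
  const pagesToReview = [...new Set(findings.map((f) => f.page))];
  return { findings, pagesToReview, skipped };
}

// Stand-alone demonstration.
const report = findUnexpectedEgress(SAMPLE_LOG);
for (const f of report.findings) {
  console.log(`${f.ts} ${f.page} -> ${f.host} (${f.method}) not in allowlist`);
}
console.log('pages to review:', report.pagesToReview.join(', '));
console.log('lines skipped:', report.skipped);
```

The allowlist is deliberately small and exact-match: a first-seen host on a checkout page is worth a look even when it has a plausible-sounding name, and the review is of the page's own scripts and any third-party widgets embedded in it, which is where injected form-reading code lives.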
Formjacking attacks can also come through form-based functionality such as online surveys and chats. If you embed these types of functionality into your web site from third party providers, be sure to complete due diligence on the vendor and the software before installation. Test all updates before releasing them to production.
Formjacking is a type of injection attack, but not the only one. Injection is the #1 risk in the OWASP Top 10 – 2017. If you look at the history of the OWASP Top 10, you will see that a few of the risks have been around since the very beginning. One of these is injection, which has held the top spot on the list since 2010.
What Can You Do?
In our Secure Coding with the OWASP Top 10 – 2017 course, we cover 9 different types of injection flaws!
Learn more about how training your developers on mitigating and avoiding injection flaws can strengthen your organization’s security.