Hackers have form, and a new approach, writes Paolo Passeri, Cyber Intelligence Principal at the cloud security product company Netskope.
Formjacking hit the headlines recently as the latest modus operandi for malicious actors looking to source valuable personal data. Formjacking was behind the notorious Magecart attack, which claimed high profile victims including British Airways, Ticketmaster, Delta, Newegg, Topps.com and Sports Collectibles, so it is well worth becoming familiar with the threat and evaluating how exposed your business may be.
The data obtained in recent formjacking hacks were sold (probably for great profit) on the Dark Web or elsewhere. If you imagine that a set of credit card details could sell for around US$45 via the illegal marketplace, you can easily see how malicious actors are able to make huge returns for their efforts.
Web forms are widely used to verify security checks, enable financial transactions and even just to harvest data for marketing purposes. Because of their prevalence, forms are familiar and feel safe to users. In fact, web forms are so common that most operating systems and browsers allow you to save highly sensitive data to be automatically filled into forms, and users are very comfortable taking advantage of these timesaving tools – trusting them with passwords and credit card details. We cannot blame users for trusting a reputable brand with payment information as part of an essential purchase process, transacted through a familiar form and accredited with additional familiar payment or security branding.
One of the reasons that formjacking is proving so popular is the large potential attack surface. Common e-commerce and content management systems offer a wide range of extensions and customisable plug-ins that give hackers plenty of opportunities to embed malicious code. To give an example for context, the Magento e-commerce platform offers dozens of extensions, each of which is a potential entry point for hackers. And to give an idea of the scale of these malicious campaigns and the potential reach of this form of attack, on average 50 e-commerce merchants using the Magento platform were hacked every day between November 2018 and February 2019, according to some estimates. Unfortunately, vendors are reluctant to share information about vulnerabilities with their customers, due in part to a fear of a loss of reputation, and these are the consequences.
Formjacking is very different to phishing because it is not something that vigilant users can be expected to spot. Phishing leaves small clues – bogus URLs for example – but formjacking code exists within the authentic site, built into the official form code. Even worse, unlike phishing, the attack can happen even when connecting through a genuine mobile app, which is simply another channel to access the compromised site. This is in fact what happened in the case of the British Airways formjacking attack last year (which affected 380,000 customers).
We are only at the start of what is likely to be a growing trend. Today’s consumers demand a fast and convenient customer experience and we are experiencing a boom in the development and use of mobile apps and chatbots. There’s a huge misconception among users, who generally believe that apps are secure walled environments. In reality, in most cases mobile apps are simply a front end for a web application and are consequently no more secure than standard web apps. As well as growing in number, these attacks will also grow in complexity. We are starting to see formjacking attacks that include a second component, designed specifically to make the attack harder to identify, for instance by clearing the browser debugger console messages.
Generally, once threat actors have identified a new opportunistic attack vector, the next step is to target as many victims as possible. While the bulk of formjacking attacks so far have focused on e-commerce, they could soon move beyond it to other types of data and forms. It’s worth remembering that this type of malware can target any type of data entered into a form via the web, including login information and employee details. As enterprises progress their digital transformation strategies, they are increasingly developing apps via infrastructure-as-a-service (IaaS). This makes them vulnerable to formjacking attacks, which can prey on any type of web-based data collection.
The good news is there are things security teams can do to mitigate the chances of becoming a victim of formjacking attacks. Most obviously, be careful when using third-party code or services for form functionality in web design. These add-ons or plug-ins are popular with web designers, so make sure you are enforcing a security governance process that includes all third-party elements such as plug-ins and extensions. In addition to a robust governance process, make sure your organisation stays on top of patches across all software – including third-party web functionality. Third parties may not want to go out of their way to publicise vulnerabilities in older versions of their software, so this cannot be overlooked.
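One way to put the third-party governance check above into practice, as an added example that is not part of the original article: a script that inventories every script source on a page containing sensitive form fields and flags any host missing from an approved list. The host names, the approved list and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed governance inventory: hosts approved to serve script on form pages.
APPROVED_HOSTS = {"shop.example", "payments.example"}
# Markers of a field that collects data worth skimming.
SENSITIVE_TYPES = {"password"}
SENSITIVE_AUTOCOMPLETE = {"cc-number", "cc-csc", "cc-exp", "current-password"}

class FormPageAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.script_hosts = []      # (host, src) for every external script tag
        self.sensitive_fields = []  # names of inputs that take sensitive data

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            # Relative URLs have no host of their own: they load from the page host.
            host = urlparse(a["src"]).hostname or self.page_host
            self.script_hosts.append((host.lower(), a["src"]))
        elif tag == "input":
            tokens = set(a.get("autocomplete", "").lower().split())
            if a.get("type", "").lower() in SENSITIVE_TYPES or tokens & SENSITIVE_AUTOCOMPLETE:
                self.sensitive_fields.append(a.get("name", "?"))

def audit(page_url, html):
    """Fail a page that collects sensitive data and loads unapproved script."""
    p = FormPageAudit(page_url)
    p.feed(html)
    unapproved = [(h, s) for h, s in p.script_hosts if h not in APPROVED_HOSTS]
    return {"sensitive_fields": p.sensitive_fields,
            "unapproved_scripts": unapproved,
            "fail": bool(p.sensitive_fields and unapproved)}

# Constructed sample: a checkout page with one plug-in nobody approved.
SAMPLE = """<html><body>
<form action="/pay" method="post">
  <input name="card" autocomplete="cc-number">
  <input name="cvv" autocomplete="cc-csc">
</form>
<script src="/js/checkout.js"></script>
<script src="https://payments.example/sdk.js"></script>
<script src="//widgets-cdn.example/chat-plugin.min.js"></script>
</body></html>"""

if __name__ == "__main__":
    print(audit("https://shop.example/checkout", SAMPLE))
```

This only sees scripts declared in the page markup. It does not detect code added at runtime or malicious changes inside a script served from an approved host, so it complements patching and change monitoring rather than replacing them.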
More strategically, if your organisation is at some stage of a digital transformation journey, it is necessary to carefully assess the risk exposure of SaaS and IaaS models, detecting and remediating misconfiguration and non-compliance, and adopting technologies able to detect breaches in the cloud. Most formjacking attacks involve cloud services in some stages of the kill chain (like reconnaissance and delivery), and only a cloud-native platform can effectively thwart cloud-native threats, unlike traditional on-premises technologies that do not scale and cannot protect users when they access the services from outside the corporate perimeter.