What is Formjacking?
Formjacking is a man-in-the-browser attack in which criminals inject malicious JavaScript into a web page, typically a login or checkout page. The goal is to capture the information site visitors enter and use it for malicious acts: account takeover, injecting new forms or new fields into existing forms that prompt visitors for confidential data, packaging and selling fresh data dumps on Dark Web forums, and so on. This type of cybercrime, in which transactional data is collected by a criminal syndicate, is known as a Magecart attack, digital skimming or formjacking.
Why is formjacking a cybersecurity risk, and not just a fraud risk?
Criminals are opportunistic. They are not just looking for vulnerabilities within your applications; they look for vulnerabilities in your organization, people, and processes. They know many organizations tackle application security and fraud prevention separately, operating in distinct silos. As a result, modern cybercrime operates in a grey area between security and fraud, and digital skimming is an attack that falls in that grey area.
Criminals know many organizations struggle to manage, track, and secure the volume, scope and scale of scripts now embedded in websites. These embedded scripts create a "shadow API and JavaScript" situation. Criminals target organizations that function in silos and have a large supply chain ecosystem with many different scripts embedded in their sites. They exploit the lack of visibility this siloed approach creates by compromising and modifying scripts with the intent to harvest PII and payment card information.
This makes digital skimming a cybersecurity, fraud, and compliance risk. Organizations not only need visibility into the JavaScript on their site, they also need to know what the scripts are collecting, both to avoid violating data privacy regulations like GDPR and CCPA and to maintain compliance with the new PCI DSS 4.0 requirements 6.4.3 and 11.
Why are online forms vulnerable to attack?
Online forms are vulnerable to attack because of supply chain ecosystem risks. As organizations expand their third-party ecosystem and the number of scripts on their site, they introduce new potential points of vulnerability. Most organizations do not have centralized control and governance over script management. If a third-party script on your site has a vulnerability and you are not aware of it, you cannot patch it, leaving the door open for an attacker to exploit it.
In our F5 Labs research report we reported that 87% of web exploits were formjacking attacks utilizing Magecart and its variants. For most injection attacks, the goal was to place malicious skimmer scripts to harvest payment information. We also saw that the diversity of malicious formjacking scripts grew 20x in 2021, with an increase in the variety of access, masquerading, and exfiltration techniques used. We also noticed a trend of repeat formjacking, where many organizations were compromised by the same attack multiple times in succession, a strong indicator that criminals are exploiting poor processes and internal governance.
How do fraudsters perform formjacking attacks?
A digital skimming attack occurs when a criminal either injects one or more malicious scripts or manipulates an existing script on a legitimate page or application, creating a software supply chain man-in-the-browser attack. These attacks are difficult to detect because the scripts are updated frequently by third parties, often without a process for your organization to perform security reviews.
There are many ways fraudsters inject malicious scripts: criminals target weak or stolen admin credentials, compromise the hosts that serve third-party JavaScript files, and exploit vulnerabilities in web apps to inject code on web servers and corrupt legitimate scripts already on the page. For example, criminals target sites like GitHub to take ownership of projects and inject their malware, which then lies dormant until an updated version of the project is published.
What are the best practices for detecting formjacking?
Most of these attacks go undetected due to the lack of ongoing inspection and monitoring of third-party software. The best practices to detect digital skimming are:
- Inventory audit: start by creating an internal audit to inventory all legitimate scripts that are used, who owns and authorized them, what they are used for, and how they are maintained. Think of it as an SBOM (software bill of materials) for your scripts. Be sure to include scripts added through tag managers.
- Governance and processes: create a governance structure for adding, monitoring, and maintaining future scripts to assure the integrity of each script and clearly document why the script is necessary.
- Least privilege access: remember that many attacks are due to poor authentication and authorization controls, so apply least privilege access to scripts and the systems that publish them.
- Monitor, detect and alert: establish the ability to monitor, detect, and alert when a new script is added or an existing script is modified. Previously used detection techniques, such as Subresource Integrity (SRI) to verify that a script was not tampered with, and Content Security Policy (CSP) to limit the locations browsers can load a script from and send data to, still have some value but are no longer sufficient on their own to protect today's constantly changing web and mobile apps. A more modern approach to detecting digital skimming should include detection of potential third-party compromises by examining JavaScript code and the network traffic it generates. It should also include signature-based Magecart detection to quickly identify these attacks, since the same attack methods are frequently reused against new targets.
- Establish a rapid mitigation strategy: explore simple one-click mitigation strategies where you can quickly review script changes and alerts on an interactive dashboard with a tool that provides one-click mitigation to block network calls that exfiltrate data.
What can merchants do to minimize the risk of a successful formjacking attack?
To minimize risk, merchants first need to understand where all their properties are and which scripts are on those pages. You cannot secure your organization from an attack if you do not know what you are protecting. Merchants should minimize the number of scripts on all pages, most importantly their payment and checkout pages. Digital skimming has become such a large issue that the new PCI DSS v4.0 guidance recommends that organizations include only "required" scripts on pages that collect PII and payment information.
Merchants should leverage this new PCI guidance together with the free tools industry stakeholders have stepped up to offer, such as Target's Merry Maker, a free open-source tool, and F5's free self-service formjacking mitigation tool, Client-Side Defense, which allows organizations to block attacks with one simple click (free for up to 1 million transactions per month).
What should merchants do if they realize they are a victim of a formjacking attack?
If a merchant is the victim of a digital skimming attack, they should immediately execute the incident response plan they already have in place. Ideally, the plan is aligned with the NIST Cybersecurity Framework and includes actions such as:
- Secure operations to quickly protect systems and fix vulnerabilities
- Mobilize the breach response team to prevent additional data loss
- Identify what data was compromised and what compliance regulations it falls under
- Communicate to customers that may have been impacted
- Conduct a post-incident assessment
Can you define the concept of a ‘supply chain ecosystem’ and provide an example?
Today’s software supply chain ecosystems are a complex network of applications, APIs (Application Programming Interfaces), people, processes, and tools that interact across the organization and digital properties.
A software supply chain ecosystem can be compared to a matryoshka doll: scripts are embedded in scripts, which are embedded in further scripts. This is why the Log4j attack was so pervasive. Many organizations did not even know they had Log4j in their environments.
Software supply chain ecosystems almost always involve third-party code running on merchants' sites, creating security and fraud risks for merchants and their customers. For example, a checkout page may carry several scripts from different parties that connect to numerous payment processors.
Where should merchants be looking for vulnerabilities in their supply chain ecosystem?
Supply chains simply do not work unless you have resiliency, and to have resiliency you need to understand the potential points of vulnerability. In supply chain management there is a concept called the Triple A Supply Chain: agility, adaptability, and alignment. Resilient supply chains must address the three A's in order to adapt easily to disasters, disruptions, and fluctuating needs. However, the Triple A Supply Chain should also align with the "CIA triad" used in cybersecurity (confidentiality, integrity, and availability) to establish a truly effective defensive approach.
Merchants should be looking for vulnerabilities across their entire supply chain, including their people, processes, and technology, and must understand the potential areas of compromise each poses:
- People – do you have the right level of access controls? Have your people been properly trained?
- Process – do you have clearly documented processes for certifying, engaging, and monitoring third-party scripts?
- Technology – do you have tools to inspect and detect when your site is being compromised?
What is the number one thing merchants can do to protect their supply chain ecosystem and prevent formjacking?
The number one thing merchants can do to protect their supply chain ecosystem is to conduct a security strategy assessment. It should include assessing risk and compliance, and evaluating existing security governance—including data privacy, third-party risk, and IT regulatory compliance needs and gaps mapped against business challenges, requirements, and objectives.
Organizations could also explore the guidance published by the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST). Both provide a straightforward overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks (https://www.cisa.gov/publication/software-supply-chain-attacks), along with a toolkit they can use (https://www.cisa.gov/ict-supply-chain-toolkit).
This article was contributed by Angel Grant, Vice President of Security at F5