Formjacking: How to Prevent Hackers Hijacking Your Online Forms

In 2018 British Airways became one of the first high-profile victims of a relatively new cyber-attack that compromised 380,000 customer transactions. In the wake of the data breach, a cybersecurity firm discovered malicious code injected into the company’s website. The script was designed to steal financial data (names, email addresses, and credit card details, including the long number, expiry date, and three-digit CVV security code) from online payment forms, earning the technique the name formjacking.

What is formjacking?

Formjacking is a type of cyber-attack that takes place on the client-side in the front-end JavaScript code. It occurs when cybercriminals compromise a website's payment or data entry forms by injecting malicious code directly into them, hijacking their functionalities without altering their visible/apparent behavior.
 

This attack is designed to steal credit card details and other sensitive information inputted into payment forms that can be captured on online checkout pages. It's important to distinguish between formjacking and web skimming, which is a broader term. Skimming might use formjacking as a way to steal data, but not every skimming attack uses formjacking, and not every formjacking can be classified as skimming.

How does formjacking work?

Once the malicious script has been injected, it intercepts the input fields, typically targeting payment card information and other sensitive data entered by users, before sending it to the hacker’s server. This exploits users' trust in established, legitimate web applications, allowing a formjack to remain undetected for a prolonged period.

For instance, the malicious script injected into the British Airways website consisted of only 22 lines of code that grabbed data from the online payment form and sent it to the hackers' server once a customer hit the "submit" button.

A formjacking attack can be broken down into five steps:

1. Compromising the website or a third-party script: The hacker exploits a vulnerability related to the web application. This could be anything from the content management system (CMS) to a JavaScript supply chain attack via an open-source or third-party library.

2. Installing malicious script: With access gained, the hacker installs the malicious script into the web application, or they might add a reference to redirect back to where the script is hosted.

3. Obfuscating the script: Hackers regularly obfuscate malicious scripts, so they blend into the existing code, making it difficult to spot. 

4. Skimming the end user data: The hacker can now collect personal and financial data from user forms before exfiltrating it to their server.

5. Getting financial gain: With the attack successfully executed, the hacker can usually harness the compromised data for financial gain by selling it on the dark web, using it to conduct other attacks, or committing payment card fraud. 

Examples of formjacking attacks

The British Airways formjacking attack in 2018, which resulted in a fine of over £20 million, isn’t the only high-profile incident.

Ticketmaster (2018)

Attackers compromised Ticketmaster’s online payment pages by injecting malicious code via a third-party provider. This allowed them to steal the names, addresses, email addresses, phone numbers, payment details, and Ticketmaster login details of around 40,000 customers. Many victims had fraudulent transactions debited from their accounts on things like money transfer service Xendpay, as well as Uber and Netflix gift cards.
 

Claire’s (2020)

US-based jewelry and accessories retailer Claire’s shuttered its global physical presence on 20 March 2020 after the COVID-19 pandemic blindsided the high street. Within 24 hours, a malicious domain, claires-assets.com, had been registered by an anonymous actor. A sequence of malicious code was injected into Claire’s online store and that of its sister brand, Icing. After lying dormant for four weeks, the code became active, allowing the hacker to intercept customer information entered at checkout and redirect it to a fake server on the malicious domain.

Why is formjacking so difficult to detect?

Formjacking can be difficult to detect because it occurs on the user's browser (client-side). Traditional security tools like scanners try to identify known vulnerabilities, and have no visibility into how code, including client-side JavaScript, behaves on their browser. A vulnerability can remain undetected in your code because developers lack the visibility to detect it.

Hackers also use obfuscation techniques to frequently change the signatures and appearance of malicious scripts. By designing them to load dynamically, they evade detection by most external scanners. For instance, they might only load in a real client-side environment or remove themselves from memory when they detect code analysis taking place. This makes static scanning and traditional signature-based detection methods ineffective.

How to prevent formjacking

Regularly patch and update software, plugins, and extensions 

Most formjacking code is added to existing scripts on a website via vulnerabilities in the underlying software. Businesses using a third-party e-commerce platform like Magento or a content management system like WordPress must keep this software up to date, including any plugins and extensions.

Consistently applying security updates and patches prevents vulnerabilities before hackers can exploit them to gain access and inject malicious code that corrupts your forms. Rather than performing this manually, which is time-consuming and exposes the business to human error, automate the process for critical software, plugins, and extensions.
 

Conduct regular vulnerability scans and penetration testing

Perform regular security assessments, notably vulnerability scanning and penetration testing, to identify and address potential weaknesses in your website.

Vulnerability scanning is the process of evaluating a system or network to detect known security vulnerabilities. This proactive measure identifies any weaknesses that a hacker could exploit to gain unauthorized access to your website and inject malicious code.

Typical scans include:

• Automated web application scans: Identifies typical entry points for formjacking like Cross-Site Scripting (XSS), JavaScript injection, malicious script injection, and outdated dependencies.

• Third-party script audits: Regularly scans external JavaScript resources to identify vulnerabilities introduced by third-party scripts.

• Real-time monitoring: Continuously monitors changes to web scripts, alerting you in real time if unauthorized scripts are added to your forms or modified.

Penetration tests simulate real-world cyberattacks to identify potential weaknesses manually, complementing automated scanning. An ethical hacker works on behalf of your organization to uncover vulnerabilities like a criminal hacker would. Fundamental to this is the manual analysis of JavaScript, especially scripts on payment and checkout pages, to detect unauthorized or suspicious code. 

Use a secure connection

A secure HTTPS connection can help mitigate the risk of formjacking by encrypting the data transmitted between users and your server. It is a good practice that may make the hacker's job harder, preventing man-in-the-middle attacks and hiding data in transit. This extra layer of defense makes it significantly more difficult for attackers to intercept or alter sensitive information, like payment details, and maintain data integrity. HTTPS also ensures users communicate with your legitimate website, protecting against spoofed or malicious ones.  

Implement a Web Application Firewall (WAF)

A Web Application Firewall (WAF) actively monitors incoming web traffic, identifying and blocking suspicious activity, including unauthorized script injections, before they compromise the application. By introducing strict security policies, filtering harmful requests, and continuously analyzing traffic patterns, a regularly updated WAF can detect anomalies indicative of formjacking. However, it’s important to note that a WAF primarily protects against server-side threats. Formjacking is a client-side attack that happens inside the browser, meaning a WAF may not detect it unless it specifically monitors outgoing requests.

The Ultimate Protection: Adopting Client-Side Protection

Companies must guarantee protection on both their servers and the client side to mitigate the risk of threats and attacks. The Jscrambler Webpage Integrity product enables businesses to achieve fine-grained control over the behavior and data consumption of their third-party tags. It offers protection against data breaches, formjacking, web skimming attacks, and data exfiltration by blocking unauthorized behavior without slowing down your website. Our security-by-design approach ensures ongoing PCI DSS v4 compliance, transforming your third-party JavaScript into secure assets.

Moreover, with Jscrambler's Iframe Integrity payment iframes from Payment Service Providers and payment processors can be protected as well. Hardened with Jscrambler’s cutting-edge security, the iframe is continuously monitored and safeguarded against overlay, hijacking, and formjacking attacks targeting payment pages. Unlike traditional security solutions, Iframe Integrity is fully automated and completely transparent, requiring minimum maintenance from TPSPs and zero management from online merchants.

Protect Forms with Form Fencing
The granularity of Jscrambler's form-fencing feature allows companies to control exactly which scripts can read and access form data, keeping malicious actors from extracting sensitive information that users enter into forms.

Reduce Surface
Area Risk
Gain an extensive view of your client-side attack surface and prevent formjacking attacks via third parties with data leakage controls, real-time alerting, and policies.

Scale Performance Efficiently
Jscrambler is designed to effortlessly support the largest, most demanding websites without causing any slowdown or disruption to the online user experience.

Accelerate PCI DSS Compliance
Authorize scripts, detect malicious behaviors, and deliver assessment-ready reports to achieve PCI DSS compliance with requirements 6.4.3 and 11.6.1.

Conclusion

If your business’s website accepts online payments, don’t adopt a reactive approach to formjacking. Safeguard your user’s data against the inherent vulnerabilities in client-side JavaScript by taking proactive steps to prevent this notoriously difficult-to-detect attack from occurring in the first place – preserving their trust and maintaining your reputation.