Computerworld

Formjacking’s popularity grows as profits from ransomware and cryptojacking drop

Symantec warns of rise in Magecart-style ‘formjacking’

Cyber security vendor Symantec says that ‘formjacking’ — which typically involves embedding malicious JavaScript in an online payment page — is becoming increasingly prevalent.

The company today released the 24th edition of its Internet Security Threat Report (ISTR). According to Symantec, it detected more than 4800 websites infected with formjacking code during every month of 2018.

“Cyber criminals historically will always go towards the money,” Nick Savvides, CTO of Asia Pacific at Symantec, told Computerworld. Formjacking is the latest large-scale, commoditised attack to become popular, the CTO said.

In 2018, ransomware and so-called cryptojacking became less prevalent, according to the ISTR. According to Symantec, cryptojacking activity peaked between December 2017 and February 2018, although there is still significant activity despite the rollercoaster ride of the cryptocurrency market.

The ISTR also reveals that, for the first time since 2013, Symantec observed a decrease in ransomware activity in 2018, with endpoint infections dropping by a fifth.

Criminals “moved from banking trojans to ransomware then to cryptomining or cryptojacking on people’s computers, and now it’s moved towards formjacking,” Savvides said.

In the past, obtaining payment card data could involve compromising a major site and obtaining a large number of credit card numbers in one fell swoop, a portion of which may have been usable, the CTO said. Over time that has become more difficult, in part because of the use of technologies such as 3-D Secure.

Savvides said that formjacking is akin to ATM skimming for the online world and allows a criminal to obtain not just a credit card number and expiry date, but also the CVV number, which is not stored by merchants or payment gateways, as well as a range of personal details of a cardholder (such as their billing address).

JavaScript code can be injected into a page either because the site itself is compromised or because it is vulnerable to a supply chain attack — for example, an upstream supplier of a “Facebook widget” or something similar may be compromised, Savvides said.

“When a user goes to make a purchase — as you are submitting your information — a second copy of your payment card information is also being sent to the attacker, along with your name, billing address, shipping address,” he said.

“That’s very high quality, valuable data,” Savvides said.

Nick Savvides, Symantec chief technology officer for Asia Pacific

The decline in profitability of ransomware and cryptojacking is helping drive formjacking’s popularity, but the “market economy that exists on the darkweb for trading this information” is also a key factor, the CTO said.

According to Symantec, data from a single card can be worth up to US$45 on a Tor-concealed online marketplace.

Recent high-profile victims of the practice have included Ticketmaster and British Airways. In June 2018 Ticketmaster warned customers of a breach that it attributed to “malicious software” piggybacking on a third-party chatbot service running on its sites.

In September 2018, British Airways revealed that hundreds of thousands of its customers may be affected by a breach attributed to Magecart. Magecart, which is believed to comprise several groups, was also implicated in the Ticketmaster incident, as well as one involving retailer Newegg.

Symantec says in many cases, however, formjacking involves SMBs.

“Symantec’s telemetry shows that it is often small and medium sized retailers, selling goods ranging from clothing to gardening equipment to medical supplies, that have had formjacking code injected onto their websites,” the ISTR states.

“This is a global problem with the potential to affect any business that accepts payments from customers online.”