Retailers fall victim to formjacking attacks
Written by Hannah McGrath
Hackers are turning to increasingly sophisticated methods, including formjacking, to target e-commerce websites, according to a new report.
Cyber security firm Symantec collected data from its 123 million attack sensors worldwide and found that the number of criminal groups using malware to destroy and disrupt digital businesses had risen by 25 per cent in 2018, compared to the previous year, while ransomware infections on companies’ enterprise software were up 12 per cent over the same period.
One marked trend the analysis found was the uptake of so-called formjacking, the method used in the hack attempts on British Airways and Ticketmaster last year.
Speaking to Retail Systems, Orla Cox, director of Symantec Security Response, explained that a malware script is injected into the code of a retailer’s website to monitor the data being entered as part of the checkout process and steal customers’ payment card details.
“All of this happens in the background, without the customers or the retailers realizing it,” she said.
On average last year, Symantec’s data showed that more than 4,800 unique websites were being compromised with formjacking code every month.
The company’s software blocked more than 3.7 million formjacking attacks on individual machines in 2018, with nearly a third of all detections occurring during the busiest online shopping period of the year in the months of November and December.
Hackers are increasingly targeting third party tools and widgets installed on a retailer’s website, such as chatbots, Cox noted, as once the code is compromised on one site, it is easy to replicate the vulnerability on any site using the software.
She warned that this type of attack might be a “blind spot” for retailers, as they rely on third parties to manage the data and security features on apps and bots installed on their sites, meaning cyber criminals can slip through undetected.
Cox said that formjacking had become an increasingly popular technique because the online trade in payment and credit card details has become a lucrative business for criminals operating on the dark web.
She explained that it was possible for hackers to sell a complete data set, with name, address, credit card and account details for up to $45 each, meaning that if just 10 per cent of the 4,800 attempts to steal data were successful, a hacker could expect to make $2.2 million.
Looking ahead to the threat landscape for online retail, Cox said that it is likely that the trend for formjacking will be short term, as criminals “pile on it” before switching to another technique, as cyber security firms and software catch up with their methods.
“When things get a lot of attention, they know they only have a very limited time,” she said.
In order to guard against online fraud linked to formjacking and other retail-related fraud, Cox said: “Consumers should be monitoring their cards and account balances for any unexplained transactions, as they [cyber criminals] might try out smaller transactions as a test.”
She explained that online shoppers have now become wiser to the potential for hacking and ransomware attacks, and are less likely to pay up for the return of their data as their devices sync their information automatically to the cloud.
As a result, the total number of ransomware infections was down for the first time since 2013, registering a drop of 20 per cent, while the rate of enterprise ransomware bucked this trend with a jump of 12 per cent.
“Enterprises are being individually targeted by ransomware attacks because they are targeting organisations that can’t afford to have downtime,” Cox explained.