Formjacking – It’s on the Rise

Almost everything we do now is online: banking, socialising and even business. Whilst this makes our lives easier, it’s a nightmare for security because humans are creatures of habit. Despite advice not to, we’re still using the same password, still saving credentials and still accessing insecure sites. This leaves us open to hackers and cyber criminals who now have plenty of opportunity to execute cyber security attacks like Formjacking.

And because new attacks pop up every day, trying to protect yourself from the latest cyber security threats is harder than ever before. Thankfully, we have a team of cyber security experts to do all the hard work for you. They work hard behind the scenes researching new and upcoming threats, discovering ways you can avoid being hit.

Formjacking – The Latest Cyber Threat

It sounds a bit primitive, but it’s actually quite advanced. Hackers inject malicious JavaScript code into a webpage form, most often a payment page form. Then, when you enter your details, your information is sent on to the cyber-criminal.

Essentially, Formjacking does in the virtual world what card skimmers do in the real world. Just as a skimmer steals personal data from your physical payment card at a cashpoint, a site infected with Formjacking code captures your data as you submit it to an online order form and transmits it to the criminals.

Why? Well, the drastic devaluation of crypto-currencies such as Bitcoin has left cyber-criminals looking for other ways to make fraudulent profits. What better place to steal your banking information than straight from the product order form?

Since last August, it is estimated that there have been over 3.7 million Formjacking attempts, with around 4,800 unique websites infected each month. The occurrence of this type of cyber threat spikes around heavy online shopping dates such as Black Friday and over the Christmas shopping period. And it’s showing no signs of slowing.

How Can You Tell if You’re a Formjacking Victim?

When the code on a webpage is compromised, you don’t have typical hints such as a spoofed URL or non-secure WiFi connection to alert you that something is wrong. It can take many hours of manual research and work to discover and remove malicious code.

“From a consumer standpoint, there’s nothing to see,” said Kevin Haley, Director of Product Management for Security Response at Symantec. And this is exactly what makes Formjacking particularly dangerous. There’s almost no way to spot it.

The payment proceeds as normal, and the only way a customer will know they’ve been attacked is when charges show up on their bank statement. And by then, it’s too late.


Who Are They Targeting?

Any company that takes payment over the internet is likely to be a target. But generally, small and medium businesses are more likely to be affected. That’s because these smaller organisations are less likely to have the more sophisticated protection that larger sites have. This makes it easier to plant malware and for it to remain undetected on the organisation’s systems for longer.

Organisations that work with large companies are particularly vulnerable, as crooks can use them to conduct supply chain attacks. This involves exploiting a vulnerability in a system that’s used to provide services to a third party.

This is how criminals have used Formjacking attacks to target high-profile e-commerce businesses like Ticketmaster and British Airways. Here, they’re banking on the sheer volume of details passing through these websites each day, and smaller third-party websites have become the back door.

One hacker recently modified the scripts running on the British Airways site, managing to steal over 380,000 credit card details. Each card can fetch up to £45 in underground selling forums, meaning that one attack alone brought in a whopping £17 million for the criminals. So it’s easy to see why it’s become so lucrative.

Formjacking Impact on Businesses

Formjacking is generally a subtle attack so it can be easy to think that it doesn’t affect businesses financially. Think again. There are a number of other ways that Formjacking can affect a business that will ultimately have a financial impact. These are:

Damage to your brand

Your brand touches everything you do. It can take decades to build a good reputation but just a moment to shatter it. This can even impact your suppliers, or affect relationships you may have with partners, investors and other third parties vested in your business.

Loss of customer trust

Trust is an essential element of customer relationships. Formjacking can damage your business by eroding the trust your customers have in you. They gave you their details and you were unable to protect them. That leads them to question their custom with you altogether.

Decline in sales

With a lack of faith in the security of the affected business, customers will be more inclined to venture elsewhere, resulting in a loss of sales and profits. Plus, if your brand is tarnished, you’ll find it really hard to drive and attract new business, resulting in stagnation.

How Can You Protect Your Business?

Victims may not realise they are victims of Formjacking, as generally their websites continue to operate as normal. Plus, attackers are sophisticated, taking steps to avoid detection. Businesses must counteract this by staying vigilant and watching for signs that their website could have been compromised.

1. Scan Your Websites Often

Check your website thoroughly for any malicious code, ensuring notifications are on to alert you of any changes. Hackers are successful because they are subtle. Making big changes sends up red flags, but by making small changes to source code, a hacker can infiltrate your system. If you’re checking your code regularly, you’re more likely to catch these hackers before the damage is done.

You can detect malicious code and vulnerabilities that would allow crooks a way in by conducting regular vulnerability scans and penetration tests. Vulnerability scans are automated tests that look for weaknesses in organisations’ systems and applications. The objective of penetration testing is like vulnerability scanning, but it is more thorough and requires expertise and human interaction.

2. Monitor Traffic

In addition to monitoring your website and looking for malicious code, you can also monitor your outbound traffic. You can do this using your next-generation firewall or other security appliances. While these may not be able to determine that the traffic from the Formjacking software is malicious, they can tell it’s going somewhere it’s not supposed to go.

3. Check Your Third-Party Sites are Secure

Web designers often use third-party code or services for form functionality, so start by enforcing a security governance process. This should include all third-party elements such as plug-ins and extensions. Making sure these are protected, especially on payment processing sites, is one way you can stop Formjacking.

Website owners can also use a Content Security Policy (CSP) together with Subresource Integrity (SRI) attributes to lock down any integrated third-party script.

4. Keep On Top of Patches

Although patching will not fix flaws in third-party content, it makes it more difficult for attackers to establish a full website compromise. Since Formjacking is such a versatile technique, it is critical to patch applications to prevent damage from compromised third parties.

5. Have Good Housekeeping

Making sure you’re doing the basics right will help protect you against Formjacking and other types of cyber security threats. This includes limiting who has access to your site and who can make changes.

Multi-factor authentication should be implemented on any system connecting to high-impact assets as Formjacking is often used to bypass authentication to access web server code. Application-layer encryption can also maintain confidentiality at browser level.

Test new updates, even seemingly legitimate ones, in small test environments or sandboxes first. This detects any suspicious behaviour and stops the potential damage that Formjacking can have on you and your clients.

What Next?

We are only at the start of what is likely to be a growing trend. Today’s consumers demand a fast and convenient customer experience, and there is a boom in the development and use of mobile apps and chatbots.

As well as these attacks growing in number, we will also see them growing in complexity. Formjacking attacks are developing to include a second component, designed to make the attack harder to identify, for instance by clearing the browser’s debugger console messages.

Want To Avoid Formjacking?

There are a number of different products that you can use to assist your cyber-security defence against nasty attacks like Formjacking. Our team of experts can help you to understand how they work and the benefits of having a pro-active approach to cyber-security – before it’s too late. Let Pure Cloud help you stay ahead of the criminals.
