How to tackle formjacking and avoid becoming Magecart's next victim

Netskope's Paolo Passeri explains why organisations need to systematically audit their ecommerce sites - regularly

With millions of us regularly using credit cards to buy goods and services online, it's perhaps no surprise that online retailers are a constant target for increasingly sophisticated cyber crooks.

Affecting up to 50 online stores per day, formjacking is the current preferred method for malicious actors to steal, and then sell, user information. The threat is evolving quickly - indeed, it is already starting to extend beyond ecommerce, as all companies operating a form-enabled website are potentially at risk.

High profile organisations, such as British Airways, Ticketmaster, Newegg and Topps Sports Collectibles have already fallen victim to this criminal technique. One cyber crime group, called Magecart, is believed to be behind not just these attacks, but attacks on more than 800 ecommerce sites around the world in recent years - most of these attacks go unreported.

So what can organisations do to protect themselves?

What is formjacking?

The formjacking concept is pretty simple: it's the virtual equivalent of putting a device on an ATM to skim debit card numbers. Tiny lines of malicious code are injected into a website with the goal of collecting valuable information, such as credit card details, each time a transaction is completed. And for hackers that's pretty big business.

Stolen financial data often ends up on the dark web, traded at a premium to unscrupulous buyers, or used for identity theft operations, bank fraud and other criminal activity.

Of course, formjacking is just the latest in a long line of cyber threats; it is increasingly popular among cyber criminals because it offers them an easy way to do business.

The ongoing boom in the development and use of mobile apps and chatbots further exacerbates the threat. Mobile apps are simply a front-end for the web applications and are no more secure than standard web apps.

Similarly, chatbots are just one example of supply chain services that too often do not have the same level of security as the target organisation and end up being the weak link for the attackers, as in the case of the [24]7.ai breach.

Towards a fix

Fortunately for CISOs there are some relatively simple actions they can take to mitigate the threat of formjacking attacks.

The simplest way to protect a website from formjacking is to perform regular auditing of the page. Formjacking injects external code into the target page, so a careful, regular observation allows the detection of changes to the original code, indicating that the site has been tampered with by outsiders.
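As an added illustration of that auditing step (example code written for this page, not code from the original article), the script below records the external script URLs and the hashes of the inline scripts on a known-good snapshot of a checkout page, then reports any script that appears on or disappears from a later fetch of the same page. The sample HTML and the injected hostname are constructed placeholders.

```python
import hashlib
from html.parser import HTMLParser

class _ScriptCollector(HTMLParser):
    # Collects external script URLs and inline script bodies from a page.
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src.strip())
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))

def script_fingerprint(html):
    # Identity of every script on the page: external URL, or SHA-256 of the
    # whitespace-normalised inline body, so reformatting alone does not alert.
    p = _ScriptCollector()
    p.feed(html)
    ids = {"src:" + u for u in p.external}
    for body in p.inline:
        norm = " ".join(body.split())
        ids.add("inline:" + hashlib.sha256(norm.encode()).hexdigest())
    return ids

def audit(baseline_html, current_html):
    # Diff the known-good snapshot against the live page; anything under
    # "added" is code the site owner did not deploy and needs investigating.
    base, cur = script_fingerprint(baseline_html), script_fingerprint(current_html)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}

# Constructed sample: a checkout page before and after an assumed injection of
# one extra external script (the hostname is a placeholder, not a real indicator).
BASELINE = """<html><body><form id="checkout"><input name="card"></form>
<script src="/static/checkout.js"></script>
<script>initCheckout({ currency: "GBP" });</script></body></html>"""
TAMPERED = BASELINE.replace("</body>", '<script src="https://cdn.placeholder.invalid/s.js"></script></body>')
```

Run `audit(BASELINE, TAMPERED)` to see the injected script reported under "added"; in practice the baseline is captured at deployment time and the comparison scheduled against the live page.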

Indeed, my advice to CISOs is to capitalise on a back-to-basics approach. This means enforcing security governance processes that must include all third-party elements, such as plug-ins and extensions. Don't forget that the security of a system is determined by the lowest common denominator of all the elements of the architecture, so a weak link in the supply chain compromises the whole process.

For this reason, diligence must extend beyond the enterprise and include the partner network, too. A merchant may have fantastic security governance and have followed all the security guidance in the world - but if they aren't told by their software vendor that there are newly discovered vulnerabilities, they dramatically increase the attack surface.

Entering into a long-term working partnership with a supplier requires security teams to make sure the third-party has a security process in place and embeds security into the software development life-cycle.

CISOs from companies that are not retailers or even regularly handling financial transactions need to remember that formjacking can target any type of data entered into a form via the web, including log-in information and employee details - and unless companies take action to properly secure their cloud and web resources, they are leaving themselves open to attack, too.

In the case of applications built on top of IaaS infrastructures, an effective safeguarding method is to perform a continuous security assessment to detect misconfigurations that could lead to compromise.

Indeed, the new threat of formjacking should act as a prompt for organisations of all sizes to adopt a security transformation approach alongside their digital strategies, mirroring operational innovations with security innovation.

Those that fail to do this will leave vast attack surfaces unprotected.

Paolo Passeri is cyber intelligence principal at cloud security company Netskope