So how does formjacking work? Formjacking happens when you, as a customer, enter information such as a credit or debit card number, Social Security number, or anything else of value to the attacker into a form on a compromised site. When you press the submit button, malicious code embedded in the payment form copies the field values and sends them to the attacker, while the legitimate submission still goes through to the merchant, so neither the customer nor the shop sees anything unusual. One way that code gets into the page is DOM-based cross-site scripting (XSS): the most common source for DOM XSS is the URL, which the page's own JavaScript typically reads through the window.location object.
An attacker can therefore construct a link to a baited vulnerable page and send it to customers. The attacker's primary target is not the website itself but the customer's data, which is why even a secure, well-crafted website remains susceptible to this attack as long as its pages can be made to run untrusted script.
Suggested formjacking solutions:
- Restrict your purchases to large, established shops, which are more likely to have an extensive security programme and the monitoring to notice a compromised checkout page.
- Ask your credit card company for a virtual card number, which lets you pay online without exposing your real card number.
- Use two-factor authentication (2FA), an added layer of protection for your online accounts beyond your username and password.
- Run regular offline integrity checks to detect pages that have been edited to include injected malicious JavaScript, and complement them with frequent (automated) testing from outside, against the live site as a visitor's browser sees it.
- Carefully vet any third-party code before adding it to your business applications. Where it cannot be avoided, keep using a given component only for as long as you have reason to trust it, and re-evaluate that trust over time.
- Set a strong password on your content management system (CMS) administrator account to make it less susceptible to brute-forcing, and restrict the administrative portal and account to the people who need them.