FormJacking – What you need to know

June 9, 2020
formjacking skimming scam

Cybercrime and online threats are becoming the norm as the global pandemic draws us online to get our necessities. Internet is a minefield of ID theft threats such as the pervasive phishing emails, malware, SQL Injection, XSS, Denial of Service(Dos), just to name a few is FormJacking or E-Skimming, it is a stealthy scam hidden from plain sight of hackers that are getting into mainstream websites through 3rd parties by injecting Javascript code into the online payment form or customer service chatbot.

So how does formjacking works? Formjacking works when you, as a customer, input your information such as credit/debit card, Social Security Number, or any other information significant to the hacker. By submitting this information via the submit button, the embedded code inside the payment form sends the user details to the hackers as DOM-based cross-site scripting(XSS). The most common source for DOM XSS is the URL, which is typically accessed by the actor with the window. Location object.

An attacker can construct a link to a baited vulnerable page. A hacker’s primary goal is not the website. Still, the customer’s information, even the most secure and well-crafted website, are susceptible to this attack.

Formjacking is not an entirely new attack as JavaScript is not a new technology; however, used for more than two decades. Nowadays, websites use Javascript, and this scheme is becoming a trend. On a recent discovery, a new variant of a JavaScript skimming method was discovered-dubbed Pipka. The only difference from Inter malware is it can remove itself from compromised HTML code after execution to help avoid detection.


Suggested FormJacking solutions:

  • Restrict your purchases to large shops as they are equipped with a more extensive security system.
  • Contact your credit card company and acquire a virtual credit card that allows you to transact without exposing your actual credit card number.
  • Use two-factor authentication (2-FA) and added protection that ensures the security of your online accounts superseded your username and password.
  • Conduct regularly offline integrity checks to see if pages were edited and had malicious JS script inserted. Include frequent (automated) testing from the outside environment.
  • Carefully select 3rd party code to use, add into your business applications. If not prevented, make sure to utilize the system for as long as trust exists.
  • The best practice is to set a strong password on your content management system (CMS) administrator to make it less susceptible to brute-forcing. Also, the administrative portal and account should be limited to those who need them.
About the author

Leave a Reply