Formjacking: What is it and how to protect ourselves from this attack?

Information security specialists report the rise of a variant of online fraud that extracts victims' data while they browse websites that look and behave normally, HTTPS padlock included. In most cases victims do not learn they have been attacked until the stolen data is used.

Whether users are shopping online, filling out government forms or submitting job applications, threat actors who have planted code in the page can read the information at the moment the user types it. TLS protects the submission in transit, and server-side controls protect what the server stores, but neither does anything about a script already running inside the page.

Information security specialists have dubbed this practice "formjacking". It works much like the skimming devices that criminals fit to ATMs and payment terminals to copy card data: the legitimate machine keeps working while a hidden add-on records everything the customer enters. In formjacking, the attackers inject malicious JavaScript into a legitimate website, either by compromising the site itself or a third-party script it loads; the script reads the form fields as the visitor fills them in and sends a copy to a server the attackers control, while the genuine submission goes through normally, so neither the user nor the site sees an error.

Researchers at information security firm Symantec published an analysis comparing formjacking activity in the first half of 2018 with the first half of 2019, concluding that the practice grew by nearly 120% in less than a year. "It is possible to attack any website, so administrators should always remain alert to any cybersecurity threat," the experts said.

The responsibility to combat this practice lies almost entirely with the companies and website owners that request personal information, since there is virtually nothing a user can do to make someone else's website more secure. "Users don't really have a way of knowing when a website has been attacked; there's not much they can do except wait for companies and Internet pages to receive protection and surveillance." To make matters worse, protective measures such as antivirus software are largely ineffective at detecting these attacks, because the malicious code is served by the real site as part of a legitimate page.

Because this attack is so stealthy, users should stay vigilant: be aware of what information they share on any website, and review their social media accounts, e-mail and bank statements regularly so that suspicious activity is detected in time and reported to the relevant authorities, such as the bank or card issuer.

Another option for reducing this risk is to stop typing personal and card details into website forms on a desktop computer and instead use payment services such as Apple Pay or Google Pay. The benefit comes from the card number never being entered into the page: these services hand the merchant a payment token generated on the device, so a skimmer running in the page has no card details to copy.

Although it may look similar to phishing forms or messages, information security specialists from the International Institute of Cyber Security (IICS) point out that formjacking is a far more dangerous attack variant. Phishing relies on forms, websites and e-mails that are merely convincing copies of the content used by legitimate companies and government institutions, and an attentive user can still spot the wrong domain or sender. In formjacking the attackers inject their code into the genuine website itself, so the address bar, the certificate and the page content are all authentic, and there is nothing for the user to spot.