Protect your customers from ‘formjacking’ and credential theft
With most of us locked away at home, trips to the supermarket or the grocery store are now limited. If you use your credit or debit card to pay for goods and services when shopping online, and notice an unusual surge in expenses, you could be a victim of formjacking and credential theft.
Someone has stolen your credit card number, card expiry date, PIN and your name as it appears on the card.
But this is an even greater concern for business owners that accept payments online. These credentials are likely to be sold on the dark web or misused for shopping on other websites. Once your customers’ know their personal details were stolen while on your website, your reputation will suffer, as will your sales.
India ranks third in the world for formjacking, behind the U.S. and Australia.
But what is formjacking, and how does it occur? How can you prevent what we just described from happening to you?
What is formjacking?
The ‘form’ is an online form that people fill while ordering a product or subscribing to a service on the internet. These forms capture details like name, shipping address and the product details. They also capture the payment details — in other words, the shopper’s credentials.
When your customer finally clicks the ‘Submit’ button, these details go back to the merchant or your online shopping site.
However, if the form is ‘hijacked,’ these details could also go to a hacker or bad actor, and your customer could end up a victim of credential theft.
No one notices anything unusual when this happens, because your online shopping site still receives the order and the payment. And formjacking is hard to detect.
How does formjacking happen?
Various functions on every shopping website are handled by different scripts, or pieces of software code.
Take chatbots, for instance, which are common on banking websites and sites selling products or services. A chatbot pops up and asks if the visitor needs help. When they type a question in the chat box, they receive an automated response.
In most cases, you haven’t actually created that chatbot code; instead, you’re using an external (third-party) app or software.
Your shopping cart feature, including checkout and payment fulfilment, is likely to be outsourced apps as well.
A hacker could modify the code in these third-party applications, inserting their own code and altering the application. So, what your customer sees is actually a modified script or application with the hacker’s harmful code.
The hacker’s code has instructions to redirect a copy of the form to a place where the user’s credentials can be captured and stored in a database. And that’s how a hacker gets your customers’ credit/debit card details when they shop online. That’s credential theft.
Who are the culprits?
A consortium of hacker groups that call themselves ‘Magecart’ is behind all the formjacking and credential theft that happens online.
The Magecart groups specialise in attacking shopping carts and payment fulfilment on eCommerce sites. In addition to that, Magecart groups also offer their services to other cybercriminals.
They target small and medium retailers with their formjacking attacks, because their security defences may not be as strong as the large eCommerce sites. But that’s not to say that a large company’s website cannot be attacked. Symantec reported that British Airways, Ticketmaster, Feedify, and Newegg were also victims of Magecart formjacking attacks.
Magecart groups are looking to steal any information that has value, and which could be sold on the dark web. That could be:
- Business secrets
- Details about yet-to-be-launched products
- Customer databases
- Aadhaar numbers
Hackers even value details of defence equipment, which is usually manufactured by contractors or third-party suppliers. In other words, your whole supply chain could be a target for Magecart groups.
Related: Improve your website security in 5 steps
What can website owners do to guard against formjacking?
Hackers frequently insert formjacking malware onto sites by compromising the work of third-party application developers, especially:
- Payment processors
- Other typical web applications
The answer? Check the following (or have a tech-savvy friend do it for you):
Check all the scripts for third-party apps on your website
Review the scripts and compare them with the original vendor scripts to see if there are any differences. Also, check the source code of pages on your website and look for any modifications or insertions.
Use SRI tags
Subresource Integrity (SRI) tags check the code in your files or scripts that your browser or application fetches from the source (like a Content Delivery Network) to render the form in the user’s browser. SRI tags check if these scripts are original or whether these have been tampered with.
Monitor your site’s outbound traffic
Check where your form data is going. If you see it going to an unknown external repository that you did not authorise, then your site could be under attack from formjacking or other malware.
Editor’s note: Daily scanners like GoDaddy’s Website Security act as early warning systems, alerting you to suspicious activity and shutting down hackers’ attempt to break into your website.
What can consumers do to protect themselves?
Anyone who shops online can take these steps to protect themselves from formjacking:
- Check your credit and debit card statements every month. If you see a transaction you did not do, call your bank or card-issuing company immediately.
- Block your card right away if you see a transaction that you do not recognise.
- Watch your credit card score/social security score. If your score is dropping, your card could be being misused.
- Use secure mobile eCommerce apps instead of desktop browsers when shopping online.
Always use secure Wi-Fi when placing orders online — not the free Wi-Fi provided in public hotspots.
- Use modern and secure forms of payment, such as Apple Pay and Google Pay.
- Do not shop on unknown or smaller eCommerce sites.
- When shopping online, use a credit card with a lower credit limit. So even if your card details get stolen, you will not lose a significant amount.
- Opt for SMS or email notifications for all card transactions.
You can also ask if two-factor authentication is available for your payment card. A temporary one-time password (OTP) by SMS will be needed for every card transaction. Visa and Mastercard offer these services, but these are not available in all countries.
Some credit card issuers or issuing authorities give you a special digital number that can only be used for online transactions. Use it if it is available in your region.
Protect your business reputation
Formjacking is a severe threat, and anyone could become a victim. Your customers trust you to safeguard their private details — and will quickly take to social media to share any formjacking they suspect has happened on your website. The time you spend now on these preventative measures will pay off in the long run.
Be alert. Stay safe!