Formjacking attacks are a very worrying development by cyber criminals in recent years. They have hit big-name online retailers and companies like British Airways, Cathay Pacific Airways, Macy’s and Ticketmaster by compromising online shopping (ecommerce) systems to steal payment card and other information. These attacks are the online version of an old-school credit card skimmer added to payment machines in restaurants and other shops like petrol stations.
Because both the victims and the online store are completely unaware that anything is amiss, often for months, the criminals can amass a huge amount of payment and personal information. In fact, in many cases the website of the retailer has not been compromised at all. Instead, the criminals have targeted third-party payment systems and ecommerce website add-ins, which allows hundreds of thousands of sites to be compromised in a very short space of time.
When you place an order on a compromised payment page, your payment is sent to the retailer as normal and your goods are dispatched, or your service payment is accepted. The crime here is that, when you place the order, your payment information and other credentials are silently sent to the criminals, often to be sold on. This type of attack is often known as a Magecart attack, after the name of the loose criminal group responsible for many of these attacks. This group compromised such a wide variety of services that security researchers have seen the skimmer appear in web advertisements and web browser plugins.
The criminals would typically collect your name, address, telephone number, email address and payment card information (card number, expiration date and CVV number), as well as any additional data that is entered on the compromised payment page, like a password or passport number. While there is very little you can do after your information has been stolen other than report it to your bank or credit card company, you can take some steps to try to reduce the risk of formjacking, or at least limit the damage if you are a victim.
If you are a victim of formjacking, the company that you were paying is responsible and has a duty to inform you. As any goods and services ordered were probably not affected, refunds are not likely. Instead, many offer free credit report subscriptions to minimise the long-term impact, but this barely makes up for the stress.