If you thought card data skimming was only a problem at the fuel pump, think again. A growing type of online fraud called formjacking lets thieves steal customers' data as they enter it on an e-commerce site, without shoppers or site owners knowing it's happening.
It happened to British Airways in 2018, when data from 380,000 customers was hijacked for resale online, and it happens to smaller businesses, too. Here's what you need to know about this threat and how to protect your e-commerce website.
What exactly is formjacking?
Formjacking is a trending type of data breach that showed up on data security investigators' radar in 2018. One security firm alone blocked 3.7 million formjacking attacks against its clients last year, and an estimated 4,800 online stores get formjacked each month. That's because formjacking is easy to do, hard to spot and makes money for thieves.
The data that's skimmed gets sold on the dark web. The data formjacked from the British Airways site sold for as much as $50 per record – it included CVVs, expiration dates and customers' personal data. That information makes it easier for CNP fraudsters to buy things online, because stolen card numbers usually have to be tested to match them with security codes and expiration dates.
What type of websites do formjackers target?
Major e-commerce sites like BA and Ticketmaster have been formjacked. But formjackers seem to prefer small and medium-sized online businesses, because they often have weaker cybersecurity programs than large e-commerce sites.
In particular, formjackers look for sites with lots of customer traffic, to steal as much data as possible in the shortest amount of time. That means peak shopping seasons can become peak formjacking seasons. And these criminals look for sites that use third-party apps and plugins, like customer service chatbots and satisfaction surveys. The extra code on the site makes it easier to camouflage their embedded malicious snippets, or to corrupt the third-party code.
Formjacking creates data breach nightmares
Formjacking attacks erode customer trust, drive shoppers away and damage brands. One negative shopping experience can prompt 63% of consumers to shop somewhere else, and having their card data quietly stolen is definitely a bad experience. And the more formjacking attacks there are, the less confidence shoppers will have in the safety of buying online, which is why everyone in the e-commerce ecosystem needs to be concerned about this trend.
In BA's case, the formjacking breach generated ill will among customers. It also generated a lot of negative publicity, as headlines updating the number of affected passengers came out over a span of weeks. The cost to the airline isn't clear yet, but it will be steep. In addition to reimbursing customers for losses directly related to the formjacking, BA faces a potential GDPR fine of up to $646 million.
How can you protect your website from formjacking?
Security experts say formjacking is very hard to spot. The corrupted forms still work as they should – customers place their orders and those orders go through, so it appears on the surface that nothing is wrong. In theory, it's possible to right click on a web form in a browser and look at the code, but it's often hard to pick out the malicious snippet from legitimate code, especially if there are lots of add-ons on the site.
One way to spot a possible formjacking in progress is to look for data unexpectedly leaving your site. PC Magazine recommends checking your site's firewall dashboard for new or otherwise suspicious-looking outbound traffic going to a location you can't identify. If you see something like this, it's time to immediately scan your site for malicious code.
Regular or continuous scans for malicious activity are important, even if you're not always watching your outbound traffic. A comprehensive security program is a must for e-commerce sites. So is a practice of quickly patching and updating software when vulnerabilities are announced. However, many businesses leave critical security vulnerabilities unpatched for three months or more. That puts them at risk for formjacking and other types of data breaches as well.
Finally, trust but verify. Make it a practice to scan all app and plugin updates from your third-party services to ensure they're not corrupted by formjacking code. As criminals get more sophisticated and creative in their methods, online store owners need to stay vigilant and recommit to following best practices for data security and fraud prevention. Traffic monitoring, proactive site scans, and rapid patching can protect your store's revenue, reputation, and customers.