June 8, 2022 - Updated On June 9, 2022
What is Formjacking?

An interview with Angel Grant, Vice President of Security at F5

What is Formjacking?

Formjacking is a man-in-the-browser attack in which criminals inject malicious JavaScript code into a webpage, typically a login or checkout page. The goal is to capture the information site visitors enter and use it for malicious ends: account takeover, injecting new forms or new questions into existing forms that prompt visitors for confidential data, packaging and selling fresh data dumps on Dark Web forums, and so on. This type of cybercrime, in which transactional data is collected by a criminal syndicate, is also known as a Magecart attack or digital skimming.

Why is formjacking a cybersecurity risk, and not just a fraud risk?

Criminals are opportunistic. They are not just looking for vulnerabilities within your applications, they look for vulnerabilities in your organization, people, and processes. They know many organizations tackle application security and fraud prevention separately, operating in distinct silos. As a result, modern cybercrime operates in a grey area between security and fraud, and digital skimming is an attack that falls in that grey area.

Criminals know many organizations struggle to manage, track, and secure the volume, scope, and scale of scripts now embedded in websites. These embedded scripts create a "shadow API and JavaScript" situation. Criminals look for organizations that function in silos and have a large supply chain ecosystem with many different scripts embedded in their sites. They exploit the lack of visibility this siloed approach creates, compromising and modifying scripts with the intent to harvest PII and payment card information.

This makes digital skimming a cybersecurity, fraud, and compliance risk. Organizations not only need visibility into the JavaScript on their site, they also need to know what those scripts are collecting, both to avoid violating data privacy regulations like GDPR and CCPA and to maintain compliance with the new PCI DSS 4.0 requirements 6.4.3 and 11.

Why are online forms vulnerable to attack?

Online forms are vulnerable to attack because of supply chain ecosystem risks. As organizations expand their third-party ecosystem and the number of scripts on their site, they introduce new potential points of vulnerability. Most organizations do not have centralized control and governance over script management. If a third-party script on your site has a vulnerability and you are not aware of it, you are unable to patch it, which opens the door for an attacker or exploit.

In our F5 Labs research report we reported that 87% of web exploits were formjacking attacks utilizing Magecart and its variants. For most injection attacks, the goal was to place malicious skimmer scripts to harvest payment information. We also saw that the diversity of malicious formjacking scripts grew 20x in 2021, with an increase in the variety of access, masquerading, and exfiltration techniques used. We also noticed a trend of repeat formjacking, where many organizations were compromised by the same attack multiple times in succession, a strong indicator that criminals are exploiting poor processes and internal governance.

How do fraudsters perform formjacking attacks?

A digital skimming attack occurs when a criminal either injects one or more malicious scripts into, or manipulates an existing script on, a legitimate page or application, creating a software supply chain man-in-the-browser attack. These attacks are difficult to detect because the scripts are updated frequently by third parties, often without any process for your organization to perform security reviews.

There are many ways fraudsters inject malicious scripts: criminals target weak or stolen admin credentials, compromise the host of third-party JavaScript files, and exploit vulnerabilities in web apps to inject code on web servers to corrupt legitimate scripts already on the page. For example, criminals target sites like GitHub to take ownership of projects to inject their malware, which then hides dormant until an updated version of the project is published.

What are the best practices for detecting formjacking?

Most of these attacks go undetected due to the lack of ongoing inspection and monitoring of third-party software. The best practices to detect digital skimming are:

  • Inventory audit: Start with an internal audit to inventory all legitimate scripts that are used, who owns and authorized them, what they are used for, and how they are maintained. Think of it as an SBOM (software bill of materials) for your scripts. Be sure to include scripts added through tag managers.
  • Governance and processes: Create a governance structure for adding, monitoring, and maintaining future scripts, so that the integrity of each script is assured and the reason each script is necessary is clearly documented.
  • Least privilege access: Remember that many attacks are due to poor authentication and authorization controls, so apply least privilege access to scripts.
  • Monitor, detect and alert: Establish the ability to monitor, detect, and alert when a new script is added or an existing script is modified. Previously used detection techniques, such as Subresource Integrity (SRI) integrity checks to ensure a script was not tampered with, and Content Security Policy (CSP) to limit the locations browsers can load a script from and send data to, still have value but are no longer sufficient on their own to protect today's constantly changing web and mobile apps. A more modern approach to detecting digital skimming should include detection of potential third-party compromises by examining JavaScript code and the network traffic it generates. It should also include signature-based Magecart detection to quickly identify these attacks, since the same attack methods are frequently reused against new targets.
  • Establish a rapid mitigation strategy: Explore simple one-click mitigation options, where you can quickly review script changes and alerts on an interactive dashboard with a tool that provides one-click mitigation to block network calls that exfiltrate data.

What can merchants do to minimize the risk of a successful formjacking attack?

To minimize risk, merchants first need to understand where all their web properties are and which scripts run on those pages. You cannot secure your organization against an attack if you do not know what you are protecting. Merchants should minimize the number of scripts on all pages, and most importantly on their payment and checkout pages. Digital skimming has become such a large issue that the new PCI v4.0 guidance recommends that organizations include only "required" scripts on the pages that collect PII and payment information.

Merchants should leverage this new PCI guidance together with the new free tools industry stakeholders have stepped up to offer, such as Target's Merry Maker, a free open-source tool, and F5's free self-service formjacking mitigation tool, Client-Side Defense, which allows organizations to block attacks with one simple click (free up to 1 million transactions per month).

What should merchants do if they realize they are a victim of a formjacking attack?

If a merchant is the victim of a digital skimming attack, they should immediately execute the incident response plan they already have in place. Ideally, the plan is aligned with the NIST Cybersecurity Framework and includes actions such as:

  • Secure operations to quickly protect systems and fix vulnerabilities
  • Mobilize the breach response team to prevent additional data loss
  • Identify what data was compromised and what compliance regulations it falls under
  • Communicate to customers that may have been impacted
  • Conduct post incident assessment

Can you define the concept of a ‘supply chain ecosystem’ and provide an example?

Today’s software supply chain ecosystems are a complex network of applications, APIs (Application Programming Interfaces), people, processes, and tools that interact across the organization and digital properties.

The concept of a software supply chain ecosystem could be equated to a matryoshka doll where there are scripts embedded in scripts. This is the reason why the Log4j attack was so pervasive. Many organizations didn’t even know they had Log4j in their environments.

Software supply chain ecosystems almost always involve third-party code running on merchants’ sites – creating security and fraud risks for merchants and their customers. For example, on the checkout page there could be several scripts from different parties that connect to the numerous payment processors.

Where should merchants be looking for vulnerabilities in their supply chain ecosystem?

Supply chains simply do not work unless you have resiliency, and to have resiliency you need to understand the potential points of vulnerability. In supply chain management there is a concept called the Triple A Supply Chain: agility, adaptability, and alignment. Resilient supply chains must address the three A's in order to adapt easily to disasters, disruptions, and fluctuating needs. However, the Triple A Supply Chain should also align with the "CIA triad" used in cybersecurity (confidentiality, integrity, and availability) to establish a truly effective defensive approach.

Merchants should be looking for vulnerabilities across their whole supply chain, which includes their people, processes, and technology, and they must understand the potential areas of compromise each of these poses.

  • People – do you have the right level of access controls? Have your people been properly trained?
  • Process – do you have clearly documented processes for certifying, engaging, and monitoring third-party scripts?
  • Technology – do you have tools to inspect and detect when your site is being compromised?

What is the number one thing merchants can do to protect their supply chain ecosystem and prevent formjacking?

The number one thing merchants can do to protect their supply chain ecosystem is to conduct a security strategy assessment. It should include assessing risk and compliance, and evaluating existing security governance—including data privacy, third-party risk, and IT regulatory compliance needs and gaps mapped against business challenges, requirements, and objectives.

Two sources organizations could explore are the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST). Together they provide a straightforward overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks (https://www.cisa.gov/publication/software-supply-chain-attacks), along with a toolkit they can use (https://www.cisa.gov/ict-supply-chain-toolkit).

This article was contributed by Angel Grant, Vice President of Security at F5