What is Formjacking?

An interview with Angel Grant, Vice President of Security at F5

by Bradley
June 9, 2022
in Articles, Fraud Prevention
What is Formjacking?

Formjacking is a man-in-the-browser attack where criminals inject malicious JavaScript code into a webpage, typically on login or checkout pages. The goal of this type of attack is for criminals to capture information the site visitors enter so they can use the data to conduct malicious acts, such as account takeover, inject new forms or new questions into existing forms that prompt site visitors to provide confidential data, package and sell fresh data dumps on Dark Web forums, etc. This type of cybercrime attack, where transactional data is collected by a syndicate criminal organization, is known as a Magecart attack, digital skimming or formjacking.

Why is formjacking a cybersecurity risk, and not just a fraud risk?

Criminals are opportunistic. They are not just looking for vulnerabilities within your applications, they look for vulnerabilities in your organization, people, and processes. They know many organizations tackle application security and fraud prevention separately, operating in distinct silos. As a result, modern cybercrime operates in a grey area between security and fraud, and digital skimming is an attack that falls in that grey area.

Criminals know many organizations struggle to manage, track, and secure the volume, scope and scale of scripts now embedded into websites. These embedded scripts create a ‘shadow API and JavaScript’ situation. Criminals look to manipulate organizations that function in silos and have a large supply chain ecosystem with many different scripts embedded into their sites. They exploit the lack of visibility this siloed approach creates and take advantage of the situation by compromising and modifying scripts with the intent to harvest PII and payment card information.

This makes digital skimming a cybersecurity, fraud, and compliance risk. Organizations not only need visibility into the JavaScript on their site, they also need to know what the scripts are collecting to prevent violating data privacy regulations like GDPR and CCPA and maintain compliance with the new PCI DSS 4.0 requirement 6.4.3 and 11.

Why are online forms vulnerable to attack?

Online forms are vulnerable to attacks because of supply chain ecosystem risks. As organizations expand their third-party ecosystem and the number of scripts on their site, they introduce new potential points of vulnerability. Most organizations do not have centralized control and governance over script management. If a third-party script on your site has a vulnerability and you are not aware of it, you are unable to patch it – opening the door for an attacker or exploit.

In our F5 Labs research report we reported that 87% of web exploits were formjacking attacks utilizing Magecart and its variants. For most injection attacks, the goal was to place malicious skimmer scripts to harvest payment information. We also saw that the diversity of malicious formjacking scripts grew 20x in 2021, with an increase in the variety of access, masquerading, and exfiltration techniques used. We also noticed a trend of repeat formjacking, where many organizations were compromised by the same attack multiple times in succession, a strong indicator that criminals are exploiting poor processes and internal governance.

How do fraudsters perform formjacking attacks?

A digital skimming attack occurs when a criminal either injects one or many malicious script(s) or manipulates an existing script on a legitimate page or application to create a software supply chain man-in-the-browser attack. These attacks are difficult to detect since these scripts are updated frequently by third parties often without a process for your organization to perform security reviews.

There are many ways fraudsters inject malicious scripts: criminals target weak or stolen admin credentials, compromise the host of third-party JavaScript files, and exploit vulnerabilities in web apps to inject code on web servers to corrupt legitimate scripts already on the page. For example, criminals target sites like GitHub to take ownership of projects to inject their malware, which then hides dormant until an updated version of the project is published.

What are the best practices for detecting formjacking?

Most of these attacks go undetected due to the lack of ongoing inspection and monitoring of third-party software. The best practices to detect digital skimming are:

  • Inventory audit: Start with creating an internal audit to inventory all legitimate scripts that are used, who owns and authorized them, what they are used for, and how they are maintained. Think of it as an SBOM (software bill of materials) for your scripts. Be sure to include scripts added through tag managers.
  • Governance and processes: create a governance structure for adding, monitoring, and maintaining future scripts to assure the integrity of each script and clearly document why the script is necessary.
  • Least privilege access: remember many attacks are due to poor authentication and authorization controls – so consider least privilege access to scripts.
  • Monitor, detect and alert: establish the ability to monitor, detect, and alert when a new script is added, or an existing script is modified. Many of the previously used detection techniques, such as Sub-Resource Integrity (SRI) to conduct integrity checks to ensure a script was not tampered with, and Content Security Policy (CSP) to limit the locations browsers can load a script from and send data to, still have some value but are no longer sufficient to protect today’s constantly changing web and mobile apps. A more modern approach to detecting digital skimming attacks should include the detection of third-party potential compromises by examining JavaScript code and malicious network traffic generated. It should also include signature-based Magecart detection to quickly identify these types of attacks since the same attack methods are frequently reused for new targets.
  • Establish a rapid mitigation strategy: explore simple one-click mitigation strategies where you can quickly review script changes and alerts on an interactive dashboard with a tool that provides one-click mitigation to block network calls that exfiltrate data.

What can merchants do to minimize the risk of a successful formjacking attack?

To minimize risk, merchants need to first understand where all their properties are, and the scripts that are on those pages. You cannot secure your organization from an attack if you do not know what you are protecting. Merchants should minimize the number of scripts on all pages, most importantly their payment and checkout pages. Digital skimming has become such a large issue that the new PCI v 4.0 guidance recommends that organizations only include “required” scripts on the pages that collect PII and payment information.

Merchants should leverage this new PCI guidance coupled with new free tools industry stakeholders have stepped up to offer, such as Target’s Merry Maker, a free open-source tool, and F5’s free self-service formjacking mitigation tool called Client-Side Defense, which allows organizations to quickly block attacks with one simple click. (Free up to 1 million transactions per month.)
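One way to enforce the "only required scripts on payment pages" principle is a Content Security Policy whose allowlist names just the approved script and connection origins. The block below is an added example, not from the article or any vendor: a minimal CSP evaluator a merchant can use before deployment to check which script loads and outbound connections the checkout-page policy would permit. The policy, the observed requests and all host names are constructed placeholders.

```javascript
// Added example (not from the article or any vendor): a minimal CSP evaluator for
// checking which script loads and outbound connections a checkout-page policy lets
// the browser make. Policy and observed requests are constructed placeholders.
const PAGE_ORIGIN = "https://shop.example.test";
const CHECKOUT_CSP =
  "default-src 'self'; " +
  "script-src 'self' https://js.payments.example.test; " +
  "connect-src 'self' https://api.payments.example.test; " +
  "form-action 'self'";

// Parse "directive src src; directive ..." into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) policy[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return policy;
}

// Does one source expression permit this URL? Handles 'none', 'self', scheme-only
// sources ("https:"), exact origins and "*." host wildcards; other keywords
// (nonces, hashes, 'unsafe-inline') never match a URL.
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  if (source === "'none'") return false;
  if (source === "'self'") return u.origin === new URL(pageOrigin).origin;
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return u.protocol === source.toLowerCase();
  const m = source.match(/^(https?):\/\/(\*\.)?([^/:]+)(?::(\d+))?$/i);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (u.protocol !== scheme.toLowerCase() + ":") return false;
  if (port && u.port !== port) return false;
  const h = u.hostname.toLowerCase();
  return wildcard ? h.endsWith("." + host.toLowerCase()) : h === host.toLowerCase();
}

// Fetch directives fall back to default-src when absent; form-action does not.
function allowed(policy, directive, url, pageOrigin = PAGE_ORIGIN) {
  let sources = policy[directive];
  if (!sources && directive !== "form-action") sources = policy["default-src"];
  if (!sources) return true; // nothing governs this request type: browser allows it
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

// Constructed requests, as a script monitor might record them from the checkout page.
const OBSERVED = [
  { directive: "script-src", url: "https://js.payments.example.test/sdk.js" },
  { directive: "script-src", url: "https://unknown-host.example.test/loader.js" },
  { directive: "connect-src", url: "https://api.payments.example.test/tokenize" },
  { directive: "connect-src", url: "https://collect.unknown-host.example.test/" },
];

// URLs the policy would block: each is either a legitimate dependency missing from
// the allowlist or an unapproved script load / data destination to investigate.
function blockedRequests(cspHeader = CHECKOUT_CSP, observed = OBSERVED) {
  const policy = parseCsp(cspHeader);
  return observed.filter((r) => !allowed(policy, r.directive, r.url)).map((r) => r.url);
}
```

Running `blockedRequests()` against recorded traffic from a staging checkout page shows what the policy would have stopped, so the allowlist can be corrected before it is enforced in production.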

What should merchants do if they realize they are a victim of a formjacking attack?

If a merchant is a victim of a digital skimming attack, they should immediately implement the incident response plan they already have in place. Ideally, the plan is aligned with the NIST Cybersecurity framework, and includes actions such as:

  • Secure operations to quickly protect systems and fix vulnerabilities
  • Mobilize the breach response team to prevent additional data loss
  • Identify what data was compromised and what compliance regulations it falls under
  • Communicate to customers that may have been impacted
  • Conduct post incident assessment

Can you define the concept of a ‘supply chain ecosystem’ and provide an example?

Today’s software supply chain ecosystems are a complex network of applications, APIs (Application Programming Interfaces), people, processes, and tools that interact across the organization and digital properties.

The concept of a software supply chain ecosystem could be equated to a matryoshka doll where there are scripts embedded in scripts. This is the reason why the Log4j attack was so pervasive. Many organizations didn’t even know they had Log4j in their environments.

Software supply chain ecosystems almost always involve third-party code running on merchants’ sites – creating security and fraud risks for merchants and their customers. For example, on the checkout page there could be several scripts from different parties that connect to the numerous payment processors.

Where should merchants be looking for vulnerabilities in their supply chain ecosystem?

Supply chains simply do not work unless you have resiliency, and to have resiliency you need to understand the potential points of vulnerability. In supply chain management there is a concept called the Triple A Supply Chain–agility, adaptability, and alignment. Resilient supply chains must address the 3 A’s in order to easily adapt to disasters, disruptions, and fluctuating needs. However, the Triple A Supply Chain should also align with the “CIA triad” used in cybersecurity – confidentiality, integrity, and availability – to establish a truly effective defensive approach.

Merchants should be looking for vulnerabilities across their supply chain, this includes their people, processes, and technology, and must understand the potential areas of compromise each pose.

  • People – do you have the right level of access controls? Have your people been properly trained?
  • Process – do you have clearly documented processes for certifying, engaging, and monitoring third-party scripts?
  • Technology – do you have tools to inspect and detect when your site is being compromised?

What is the number one thing merchants can do to protect their supply chain ecosystem and prevent formjacking?

The number one thing merchants can do to protect their supply chain ecosystem is to conduct a security strategy assessment. It should include assessing risk and compliance, and evaluating existing security governance—including data privacy, third-party risk, and IT regulatory compliance needs and gaps mapped against business challenges, requirements, and objectives.

Some frameworks organizations could explore are those published by the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST). Both provide a straightforward overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks (https://www.cisa.gov/publication/software-supply-chain-attacks), along with a toolkit they can use (https://www.cisa.gov/ict-supply-chain-toolkit).

This article was contributed by Angel Grant, Vice President of Security at F5

Tags: formjacking