What is Formjacking?
Why is formjacking a cybersecurity risk, and not just a fraud risk?
Criminals are opportunistic. They are not just looking for vulnerabilities within your applications, they look for vulnerabilities in your organization, people, and processes. They know many organizations tackle application security and fraud prevention separately, operating in distinct silos. As a result, modern cybercrime operates in a grey area between security and fraud, and digital skimming is an attack that falls in that grey area.
Why are online forms vulnerable to attack?
Online forms are vulnerable to attack because of supply chain ecosystem risks. As organizations expand their third-party ecosystem and the number of scripts on their site, they introduce new potential points of vulnerability. Most organizations do not have centralized control and governance over script management. If a third-party script on your site has a vulnerability and you are not aware of it, you cannot patch it, which opens the door to an attacker.
In our F5 Labs research report we reported that 87% of web exploits were formjacking attacks utilizing Magecart and its variants. For most injection attacks, the goal was to place malicious skimmer scripts to harvest payment information. We also saw that the diversity of malicious formjacking scripts grew 20x in 2021, with an increase in the variety of access, masquerading, and exfiltration techniques used. We also noticed a trend of repeat formjacking, where many organizations were compromised by the same attack multiple times in succession, a strong indicator that criminals are exploiting poor processes and internal governance.
How do fraudsters perform formjacking attacks?
A digital skimming attack occurs when a criminal either injects one or more malicious scripts into a legitimate page or application, or manipulates an existing script on it, creating a software supply chain man-in-the-browser attack. These attacks are difficult to detect because third parties update these scripts frequently, often without any process for your organization to perform a security review.
What are the best practices for detecting formjacking?
Most of these attacks go undetected due to the lack of ongoing inspection and monitoring of third-party software. The best practices to detect digital skimming are:
- Inventory audit: Start by creating an internal audit to inventory all legitimate scripts in use, who owns and authorized them, what they are used for, and how they are maintained. Think of it as an SBOM (software bill of materials) for your scripts. Be sure to include scripts added through tag managers.
- Governance and processes: create a governance structure for adding, monitoring, and maintaining future scripts to assure the integrity of each script and clearly document why the script is necessary.
- Least privilege access: remember that many attacks are due to poor authentication and authorization controls, so apply least privilege access to scripts.
- Establish a rapid mitigation strategy: explore simple one-click mitigation strategies where you can quickly review script changes and alerts on an interactive dashboard with a tool that provides one-click mitigation to block network calls that exfiltrate data.
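The inventory audit and ongoing inspection described above can be automated: baseline the scripts on a reviewed page (the script SBOM) and diff every later copy against it. The following is an added example written for this page, not F5's or Target's tooling; the page contents, script URLs and hostnames are constructed.

```python
# Added example (not F5's or Target's tooling): baseline the scripts on a
# reviewed checkout page, then audit a later copy and flag anything new.
import hashlib
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collect <script> tags: external ones by src, inline ones by body."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []            # start collecting an inline body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def inventory(html):
    """Script SBOM for one page: approved src values plus SHA-256 of inline bodies."""
    c = ScriptCollector()
    c.feed(html)
    return {"src": set(c.external),
            "inline_sha256": {hashlib.sha256(b.encode()).hexdigest() for b in c.inline}}

def audit(html, baseline):
    """Findings for scripts on the page that are absent from the baseline inventory."""
    current = inventory(html)
    new_src = sorted(current["src"] - baseline["src"])
    new_inline = sorted(current["inline_sha256"] - baseline["inline_sha256"])
    return ([f"unapproved external script: {s}" for s in new_src]
            + [f"unapproved inline script sha256:{h[:16]}" for h in new_inline])

# Constructed pages: the reviewed checkout page and a later copy with two
# additions (an unknown third-party script and an edited inline script).
BASELINE_PAGE = """<html><body><form id="pay"></form>
<script src="/static/checkout.js"></script>
<script src="https://js.payments-provider.test/v3/pay.js"></script>
<script>window.merchantId = "demo";</script></body></html>"""
CHANGED_PAGE = BASELINE_PAGE.replace(
    "</body>",
    '<script src="https://cdn.not-approved.test/a.js"></script>'
    '<script>window.merchantId = "demo"; /* edited */</script></body>')
```

Calling `audit(CHANGED_PAGE, inventory(BASELINE_PAGE))` returns two findings, one per addition; the same diff run on a schedule against the live checkout page, with the baseline refreshed only through the governance process, turns the inventory into a detection control.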
What can merchants do to minimize the risk of a successful formjacking attack?
To minimize risk, merchants need to first understand where all their properties are and which scripts are on those pages. You cannot secure your organization from an attack if you do not know what you are protecting. Merchants should minimize the number of scripts on all pages, most importantly their payment and checkout pages. Digital skimming has become such a large issue that the new PCI v4.0 guidance recommends that organizations only include “required” scripts on the pages that collect PII and payment information.
Merchants should leverage this new PCI guidance coupled with the new free tools that industry stakeholders have stepped up to offer, such as Target’s Merry Maker, a free open-source tool, and F5’s free self-service formjacking mitigation tool called Client-Side Defense, which allows organizations to quickly block attacks with one simple click. (Free up to 1 million transactions per month.)
What should merchants do if they realize they are a victim of a formjacking attack?
If a merchant is a victim of a digital skimming attack, they should immediately implement the incident response plan they already have in place. Ideally, the plan is aligned with the NIST Cybersecurity Framework and includes actions such as:
- Secure operations to quickly protect systems and fix vulnerabilities
- Mobilize the breach response team to prevent additional data loss
- Identify what data was compromised and what compliance regulations it falls under
- Communicate to customers that may have been impacted
- Conduct a post-incident assessment
Can you define the concept of a ‘supply chain ecosystem’ and provide an example?
Today’s software supply chain ecosystems are a complex network of applications, APIs (Application Programming Interfaces), people, processes, and tools that interact across the organization and digital properties.
The concept of a software supply chain ecosystem could be equated to a matryoshka doll where there are scripts embedded in scripts. This is the reason why the Log4j attack was so pervasive. Many organizations didn’t even know they had Log4j in their environments.
Software supply chain ecosystems almost always involve third-party code running on merchants’ sites – creating security and fraud risks for merchants and their customers. For example, on the checkout page there could be several scripts from different parties that connect to the numerous payment processors.
Where should merchants be looking for vulnerabilities in their supply chain ecosystem?
Supply chains simply do not work unless you have resiliency, and to have resiliency you need to understand the potential points of vulnerability. In supply chain management there is a concept called the Triple A Supply Chain: agility, adaptability, and alignment. Resilient supply chains must address the 3 A’s in order to easily adapt to disasters, disruptions, and fluctuating needs. However, the Triple A Supply Chain should also align with the “CIA triad” used in cybersecurity (confidentiality, integrity, and availability) to establish a truly effective defensive approach.
Merchants should be looking for vulnerabilities across their entire supply chain, including their people, processes, and technology, and must understand the potential areas of compromise each poses.
- People – do you have the right level of access controls? Have your people been properly trained?
- Process – do you have clearly documented processes for certifying, engaging, and monitoring third-party scripts?
- Technology – do you have tools to inspect and detect when your site is being compromised?
What is the number one thing merchants can do to protect their supply chain ecosystem and prevent formjacking?
The number one thing merchants can do to protect their supply chain ecosystem is to conduct a security strategy assessment. It should include assessing risk and compliance, and evaluating existing security governance—including data privacy, third-party risk, and IT regulatory compliance needs and gaps mapped against business challenges, requirements, and objectives.
Organizations could also explore guidance from the Cybersecurity & Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST). Both provide a straightforward overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks (https://www.cisa.gov/publication/software-supply-chain-attacks), along with a toolkit they can use (https://www.cisa.gov/ict-supply-chain-toolkit).
This article was contributed by Angel Grant, Vice President of Security at F5