It has been reported that thousands of websites are being hit by cyber-thieves who implant code to scope up payment card numbers. Security giant Symantec found more than 4,800 websites were being hit by these “form-jacking” attacks every month. They were now inserting “attack code”, either when sites failed to update core software to close loopholes or via insecure third-party apps, such as chat apps, analytics packages or other extras. High-profile victims of these attacks include airline BA and Ticketmaster.
Experts Comments below:
Oscar Tovar, Vulnerability Verification Specialist at WhiteHat Security:
“Formjacking is growing in frequency and scope. Looking at a few of the big formjacking attacks last year at companies like British Airways and Ticketmaster, these are reminders that even airline and ticket sales companies are now tech companies–and need to implement security as such. So, what can be done to prevent these attacks? Security training and education, along with IT and Ops teams partnering with security to understand and prioritize how to mitigate risk are essential. Applying patches to applications immediately – not months after they become available – and making security testing a part of the entire lifecycle of an application are also critical.
Every single company that touches sensitive data needs to make security a consistent, top-of-mind concern and view the whole IT estate as a vulnerable asset that needs to be secured. This means protecting APIs, network connections, mobile apps, websites, databases – these are all points of entry that need to be secured. Looking at this through the lens of an application security vendor, our goal is to make the internet safer by securing the applications that are driving today’s business. While we’re concerned about all of the various new ways cybercriminals might go on the attack, there’s a lot that can be done to go on the offensive, and securing applications is a big part of a great offensive and defensive strategy.”
Matt Aldridge, Solutions Architect at Webroot:
“New tactics emerge every day and what’s interesting about ‘form-jacking’ is the stealth approach. Similar to cryptojacking, cyberattackers just insert the code then sit back and wait for the payoff. From a user perspective, it is not always possible to detect this attack, so it may elude even the most vigilant. The onus is on web site owners to carefully validate all of their site’s dependencies and to monitor for changes and new version updates. Evidence of penetration testing of third party components should also be checked and retailers should only work with third parties that follow security best practices and compliance.
The real problem here is that consumers are forced to reuse credit card numbers for online purchases. Instead, they should be issued with single use card numbers by their credit card companies. Eventually this should be replaced by a new secure system similar in operation to Apple Pay, where the payment token can’t be used more than once or by more than one merchant.
A collaborative approach between retailers and financial institution is critical to effectively protect payment data as card providers are able to spot unusual spending activity on compromised cards and link this accurately back to a common breached source. However, until the payment mechanisms themselves are properly secured there will always be threat actors trying to steal the multi-use payment data.”
Steve Nice, Chief Security Technologist at Node4:
“It’s not surprising form-jacking attacks are on the rise, as in a short period of time, criminals can obtain credit card details by exploiting poor security on web servers to include form-jacking scripts. With organisations as large as British Airways and Ticketmaster falling victim to these types of attacks, companies relying on e-commerce will rightly be concerned. It’s time for all internet retailing vendors to check their defences, no matter how large or small they are. To do this it is crucial that they carry out penetration testing to discover where the weaknesses are and bolster these rather than throwing money at huge security infrastructures before knowing the holes in their defence.”
Naaman Hart, Cloud Services Security Architect at Digital Guardian:
“The onus here is very much on the companies affected to secure their websites to prevent them being hijacked for this purpose. As the consumer, without any detection mechanism, you would be very hard pressed to know if these sites were compromised. To protect yourself it would be wise to use a third-party payment provider such as Paypal where your details are obscured. You never enter them into the individual website and the redirect to Paypal handles the sharing of information at the backend which is far more difficult for hackers to scrape. Redirects to a fake Paypal are possible but you’d then have the ability to check for valid certificates etc. Whereas when code is injected into sites such as BA and Ticketmaster, the URL and certificate are still genuine so they’re hard to detect.”
Sundeep Tengur, Senior Business Solutions Manager at SAS:
“Symantec’s figures about the rise of form-jacking demonstrate how easily payments fraud can slip through the cracks. Fraud-related attacks can be very small-scale at the front end, but then lead to huge losses and affect thousands of customers.
“Companies must ensure that they have powerful anti-fraud measures in place capable of detecting aberrations before they cause serious damage. For example, AI and advanced analytics can give companies the ability to process vast amounts of payment data quickly and detect potentially fraudulent activity. And by implementing machine learning, companies can ensure their systems become more accurate over time.
“As the amount of relevant data increases, humans simply can’t keep up – AI-powered fraud prevention can help relieve the burden and increase the accuracy of spotting fraud. And as fraudsters become more well-equipped and use more advanced techniques, business needs to make sure it stays ahead of the curve.
“AI provides the tools to keep businesses and their customers safer from fraud.”
Igor Baikalov, Chief Scientist at Securonix:
“As traditional attack methods, such as ransomware and mining cryptojacking, are becoming less profitable, cybercriminals are turning to formjacking as a new way to make money and the technique to proving to be very successful. These attacks are very hard to identify, and it is unlikely a visitor to a formjacked website would be able to tell it is compromised.
Too many web developers worry more about stylish design and pretty pictures than code integrity and security. If the website accepts payment cards, it has to be held responsible for secure processing of card information – PCI Compliance is there for a reason, and should be enforced.
Although, there are steps website owners can take. These includes monitoring all updates to websites and ensuring they are legitimate as well as ensuring all systems are up to date with the latest security patches and having a good antivirus software installed.”