Sep 03 2019

Formjacking: What Is It, and How Can You Protect Your Users?

Students, faculty and staff are vulnerable to a new form of virtual card skimming, which means IT leaders must stay vigilant.

Formjacking is used by cybercriminals to steal financial information from end users. Using formjacking, hackers have compromised trusted websites such as Newegg, British Airways and Ticketmaster

Here’s how it works: When end users enter their payment information, a malicious JavaScript running in their browser sends an extra copy of the information to a server controlled by the attacker

Formjacking — a new name for a phenomenon that has been around since April 2000 —is the digital version of credit card skimming. Like modern credit card skimmers, formjacking is stealthy and hidden from sight. 

MORE FROM EDTECH: Check out how universities use advanced solutions to combat security threats.

How the Threat of Formjacking Began

Higher education IT managers, with their digital-native user community, have been seeing the effects of this type of attack for several years.

Symantec, in its February 2019 Internet Security Threat Report, estimates that nearly 5,000 websites were compromised by an attack scheme called Magecart every month in 2018

The attacks are widespread because multiple cybercriminal groups at work, all using similar code and techniques, operate under Magecart, named for the Magento e-commerce backend that was the first source of this type of attack. 

There’s no reason to believe that the different groups are working in concert, but they are certainly learning from each other and using the same techniques to steal personal financial information.

Why Universities Should Be Concerned About Formjacking

Higher ed users are likely to be at higher risk for compromise because of their general comfort with the world of digital commerce. Students, faculty and staff combined tend to be younger and more connected, and their online shopping occurs across a wider spectrum of merchants

With Magecart, it’s just a question of numbers: the more e-commerce sites one uses, the likelier it is that personal financial data will be stolen. 

Another reason the number of sites compromised is so large is because Magecart employs a method of supply chain attacks, meaning the attackers don’t go after the main website itself, but rather a third-party supplier that has weaker security. 

For example, if a customer service chatbot, supplied by a third party, is embedded in an e-commerce site, that’s probably the weakest link. Magecart may find it easier to compromise the chatbot to load their malicious formjacking JavaScript, which then gives them access to every e-commerce site, large or small, that uses that chatbot. 

After all, the chatbot isn’t part of the payment card process, isn’t considered a part of the security infrastructure, and probably doesn’t even register as something to screen with a PCI audit. 

But because the chatbot is part of the web page downloaded by the user’s browser, it can be a conduit for the formjacking JavaScript. 


What Solutions Are Available to Stop Formjacking on Campus?

Formjacking is a difficult problem to solve because it’s invisible to end users, and it’s hard to identify which websites are at risk. Other than telling students, faculty and staff to never buy anything over the internet ever again — which, of course, isn’t feasible — universities can’t offer much advice specific to formjacking. 

Some credit card issuers offer a “virtual credit card” — a card number that works only for a limited time period or with a specific merchant — as a way to reduce the damage when a user’s credit card is stolen during an e-commerce transaction. 

Many card issuers also link to smartphone apps, providing nearly instant information for each transaction. However, campus IT managers aren’t in the business of offering personal finance advice, in addition to information security advice.

Because many formjacking attacks use copycat techniques, about 400 indicators of compromise associated with Magecart have been identified and may be recognized by campus intrusion prevention systems and endpoint security tools. 

Students who bring their own laptops and smartphones to school, especially those that use a cellular connection instead of the campus wireless network, are at the highest level of risk because they usually don’t have the university’s IT security protection loaded and don’t operate behind the campus firewall. 

Keeping faculty and staff security tools updated — and encouraging students to add these protections if they don’t already have them — will help block malicious JavaScript or the upload of the stolen financial data, if the attack truly is a copycat.

Nattakorn Maneerat/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT