Formjacking is used by cybercriminals to steal financial information from end users. Using formjacking, hackers have compromised trusted websites such as Newegg, British Airways and Ticketmaster.
Formjacking — a new name for a phenomenon that has been around since April 2000 — is the digital version of credit card skimming. Like modern credit card skimmers, formjacking is stealthy and hidden from sight.
How the Threat of Formjacking Began
Higher education IT managers, with their digital-native user community, have been seeing the effects of this type of attack for several years.
The attacks are widespread because multiple cybercriminal groups are at work, all using similar code and techniques and operating under the name Magecart, which comes from the Magento e-commerce backend that was the first source of this type of attack.
There’s no reason to believe that the different groups are working in concert, but they are certainly learning from each other and using the same techniques to steal personal financial information.
Why Universities Should Be Concerned About Formjacking
Higher ed users are likely to be at higher risk for compromise because of their general comfort with the world of digital commerce. Students, faculty and staff combined tend to be younger and more connected, and their online shopping occurs across a wider spectrum of merchants.
With Magecart, it’s just a question of numbers: the more e-commerce sites one uses, the likelier it is that personal financial data will be stolen.
Another reason the number of compromised sites is so large is that Magecart relies on supply chain attacks, meaning the attackers don’t go after the main website itself, but rather a third-party supplier that has weaker security.
After all, the chatbot isn’t part of the payment card process, isn’t considered a part of the security infrastructure, and probably doesn’t even register as something to screen with a PCI audit.
What Solutions Are Available to Stop Formjacking on Campus?
Formjacking is a difficult problem to solve because it’s invisible to end users, and it’s hard to identify which websites are at risk. Other than telling students, faculty and staff to never buy anything over the internet ever again — which, of course, isn’t feasible — universities can’t offer much advice specific to formjacking.
Some credit card issuers offer a “virtual credit card” — a card number that works only for a limited time period or with a specific merchant — as a way to reduce the damage when a user’s credit card is stolen during an e-commerce transaction.
Many card issuers also link to smartphone apps, providing nearly instant information for each transaction. However, campus IT managers aren’t in the business of offering personal finance advice in addition to information security advice.
Because many formjacking attacks use copycat techniques, about 400 indicators of compromise associated with Magecart have been identified and may be recognized by campus intrusion prevention systems and endpoint security tools.
Students who bring their own laptops and smartphones to school, especially those who use a cellular connection instead of the campus wireless network, are at the highest level of risk because they usually don’t have the university’s IT security protection loaded and don’t operate behind the campus firewall.