ISTR 2019: Cyber Skimming Payment Card Data Hits the Big Time

During the past few years, we’ve seen alarming instances of nation states using cyber intrusions to sow political discord, infect critical infrastructure, and steal military, government and enterprise secrets. As we grapple with the escalation and ramifications of global activity across this virtual battlefield, it’s important to remember one persistent reality: many cyber criminals are just in the game to make a buck.

One splashy way to cash in online, of course, is to use ransomware to encrypt data and hold it hostage until the victims pay you off. As noted in a recent post, however, although ransomware remains a major threat, Symantec actually tracked an overall decline in this form of attack during 2018 in their annual ISTR report.

Meanwhile, a different money-making exploit showed a significant uptick last year. Formjacking, while by design less attention grabbing than ransomware, is becoming a pervasive form of money-making attack.

Formjacking is the name Symantec uses to label a cyber attack often called web skimming. In essence, this type of attack is a cyber variant of physical credit card skimming devices, which thieves insert in card readers at sites ranging from ATM machines to gas station pumps. When a customer inserts his or her card, the skimming device captures the sensitive information it contains.

In the formjacking instantiation of this technique, cyber thieves use different methods to infect eCommerce websites with malicious JavaScript code. When consumers load, fill out and submit a check-out form from an infected website, a copy of the payment form data, including credit card details, is sent to the attackers’ servers.

There were several high-profile formjacking attacks that came to light during 2018. (Some attacks were likely initiated earlier, but only discovered last year after they had successfully collected payment card data over extended periods.) 

While these and a few other big corporation attacks made the news last year, formjacking has become an extremely widespread phenomenon. An average of 4,818 unique websites were compromised by formjacking each month during 2018, according to Symantec’s annual Internet Security Threat Report (ISTR). Throughout the year, Symantec blocked more than 3.7 formjacking attempts against websites that were protected with its Intrusions Protection System (IPS) technology, according to Brigid O’Gorman, a senior information developer with Symantec Security Response.

As suggested by the huge numbers of attacks, formjacking isn’t limited to only big-name victims. To get a better sense of the sites targeted, Symantec investigated 1,000 instances of formjacking attacks that it blocked during a three-day period from September 18-20, 2018.

The 1,000 attacks impacted 57 individual websites, Symantec found. Most were online retail sites, ranging from niche market players to large retailers. Among the sites targeted: a fashion retailer in Australia, a supplier of outdoor accessories in France, and a fitness retailer in Italy.

Clearly, formjacking is a global, equal-opportunity cyber plague. Smaller eCommerce sites should understand that their size alone won’t protect them from this form of attack.

As for the attackers themselves, most are identified with the “Magcart” label. Rather than a single, cohesive group, however, Magcart seems to consist of a number of independent groups that sometimes even compete with one another. It makes sense that the formjacking community may be fairly diverse and fragmented, since it’s relatively easy and inexpensive to purchase attack kits on the dark web to execute this type of assault.

Attackers can use a variety of methods to introduce their code to eCommerce websites, including direct exploits against any vulnerabilities in the sites’ own coding. There are indications, however, that formjacking criminals are increasingly looking to distribute their malware by injecting it into third-party software and services that, in turn, are used by a large number of websites.

Supply chain targets of this type can include everything from third-party chatbots to software that performs web analytics or web management functions. In fact, the source of one formjacking breach turned out to be an Inbenta chatbot on which the JavaScript malware was piggybacking.

The economic rationale behind the high volumes of formjacking attacks is straightforward enough: according to Symantec’s ISTR, criminals can sell payment card information on the dark web for anything from 50-cents to $45 per stolen card. Be it with a large attack, or via an aggregation of smaller-company breaches, the formjacking payoffs can be substantial.

With the proper protections, websites can defend against formjacking injections – as shown by the 3.7 million attacks that Symantec repelled during 2018. Still, eCommerce site operators must remain hypervigilant against this form of attack, especially given the risk of infected software and services coming from otherwise trustworthy supply chain partners. All website code, whether homegrown or third-party, must be scrutinized for formjacking malware before being introduced to operational websites.