[BreachExchange] New Formjacking Technique Used to Skim Payment Details Off Websites

Destry Winant destry at riskbasedsecurity.com
Thu Dec 13 01:42:08 EST 2018


https://www.cbronline.com/news/symantec-formjacking

“In recent months, we have seen a major uptick in formjacking attacks
against high-profile websites across the globe”

Researchers at cybersecurity company Symantec have identified a new
formjacking campaign targeting a French ecommerce site that is
prominently featured in global shopping aggregator listings.

Over 30 online retail websites from all over the world were
redirecting traffic to the compromised site.

Formjacking is a term used to describe the injection of JavaScript
code into the payment section of a website. This code then skims the
payment details of unaware customers, sending them on to threat actors
to abuse.

The online store in Paris was injected with a formjacking script which
collects the payment information entered onto the website and then
sends it to the domain google-analyitics.org, a “typo-squatted”
version of the genuine URL google-analytics.com.

Another piece of injected code on the same web page looks for the
presence of debugging tools, such as Firebug, to thwart security
researchers analysing the malicious script; a trend security
researchers have increasingly noticed.

Siddhesh Chandrayan, Threat Analysis Engineer at Symantec, wrote: “This
latest formjacking campaign highlights the fact that attackers are
continuously altering and improving their malicious code and exploring
new delivery mechanisms to infect more users.”

Symantec researchers say they have identified more than one million
formjacking attempts on over 10,000 websites in the last three months
alone.

Symantec told Computer Business Review that the scammers had also
hacked other ecommerce websites to redirect visitors to the
compromised site.

He believes that the Paris site was selected as a target because it is
listed in several shopping aggregators.

Formjacking

Traditionally attackers have targeted retail websites through the
software provided by third parties, as these often contain the weak
link in the security chain.

Last summer it was disclosed that Ticketmaster was subject to a
serious cyberattack in which threat actors made off with the payment
details of over 40,00 UK customers. A chat-bot designed by third-party
supplier Inbenta was identified as the source of the vulnerability.

A report from cybersecurity enterprise RiskIQ identified Magecart
tactics and script in the attack, which saw a massive credit card
skimming operation that affected over 800 e-commerce websites.

In their report RiskIQ noted that: “Magecart actors breached their
systems (Ticketmaster) and, in separate instances, either added to or
completely replaced a custom JavaScript module Inbenta made for
Ticketmaster with their digital skimmer code.”

Unfortunately one of the key factors in formjacking or script payment
skimming attacks is that retailers and customers may not be aware that
their website and details are compromised. Websites and payment forms
operate as normal if the attackers have done their job right.

One way enterprises can protect themselves is to test any new software
updates in small test environments. Doing so gives you a chance to
spot any unusual behaviour in the script. Software distributors who
supply major retailers with products should have monitoring systems
in place that detect any changes in their code or in the updating
process itself. Symantec is currently working with the websites
involved in this new formjacking attack and so they have not named the
websites affected.
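
As an added example (not part of the original article or Symantec's tooling), the check below audits a page's script tags for hosts that are not on a site's allowlist and flags those whose name is within a small edit distance of an allowed one, which is how google-analyitics.org imitates google-analytics.com. The allowlist, sample HTML, function names and distance threshold are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this site intentionally loads scripts from.
ALLOWED_HOSTS = {"www.google-analytics.com", "cdn.shop.example"}

# Constructed sample page; the second tag uses the look-alike domain from the article.
SAMPLE_HTML = """
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//google-analyitics.org/ga.js"></script>
<script src="https://static.unknown-cdn.example/lib.js"></script>
<script src="/js/checkout.js"></script>
"""

class ScriptHosts(HTMLParser):
    """Collect the host of every external <script src=...> tag."""
    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        host = urlparse(src).hostname if src else None
        if host:  # relative URLs have no host and are same-origin
            self.hosts.append(host.lower())

def edit_distance(a, b):
    """Levenshtein distance via row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def name_label(host):
    # Assumption: single-label TLD, so the label before it is the registered name.
    return host.split(".")[-2] if "." in host else host

def audit_scripts(html, allowed=ALLOWED_HOSTS, max_distance=2):
    """Return (host, verdict, nearest_allowed_host) per non-allowlisted script host."""
    parser = ScriptHosts()
    parser.feed(html)
    findings = []
    for host in (h for h in parser.hosts if h not in allowed):
        dist = {a: edit_distance(name_label(host), name_label(a)) for a in allowed}
        nearest = min(dist, key=dist.get)
        verdict = "lookalike" if dist[nearest] <= max_distance else "unlisted"
        findings.append((host, verdict, nearest))
    return findings
```

Calling audit_scripts(SAMPLE_HTML) reports the typo-squatted host as a look-alike of the analytics host and the unknown CDN as merely unlisted; a host that reuses an allowed name under a different TLD is also reported as a look-alike.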

