'Formjacking' scams are high on fraudsters' holiday wish lists

Register now

Cybercriminals are building a house of horrors with sticky spider webs for those shopping, booking hotels, airline tickets or buying Christmas decorations online.

The latest scam awaiting is known as formjacking. With this attack, cybercriminals find a vulnerability in the company’s system and inject Java code into the website forms.

Most often, those are checkout or payment forms on e-commerce sites. Then, when the victims submit their data (for example, credit card information and email address) to purchase something, this information is transferred to the attacker's servers. The victim doesn’t realize until much later, when that information is used for a shopping spree.
This type of technique has been used to hack several companies recently, including British Airways, Newegg and Feedify. The number formjacking attacks more than doubled from August to September, according to Symantec Security Researchers.

This rampage of attacks is attributed to the Magecart Group, which has been operating since 2015. However, since finding this working formula, the group has been hitting what researchers think are more than 800 e-commerce sites. Magecart has gone so far as to design look-alike web domains masquerading as the real thing to trick users.

That is only one of many types of ways customers can get tricked this holiday season. Other top scams making the rounds according to the Federal Trade Commission are: Medicare, utility, Social Security and vacation rental scams, to name a few. Often times scams start with a phishing email designed to lure unsuspecting consumers to a fake domain to steal their credentials, passwords, accounts logins and more. These emails give prompts to collect information that normally seem easy and painless, until the bill for a water motorbike you never bought comes in the mail.

To protect from these types of attacks, online companies should monitor any changes occurring on their websites and employ passive biometrics technologies to detect and block suspicious behavior. Businesses should control the code that executes on their website, as this can come from a legitimate aggregation service or from a fraudster trying to make a profit.

Using passive biometrics, companies identify customers by their online behavior, which flags any suspicious activity such as formjacking, instead of relying on stolen credentials, devices, passwords or other legitimate data that has been sold on the dark web. An added benefit: Cybercriminals can’t replicate inherent human behavior, making the data they steal valueless.

For reprint and licensing requests for this article, click here.
Payment fraud Security risk Retailers Authentication ISO and agent