“Formjacking” soars as hackers hit consumers at checkout

Online forms such as login pages and shopping baskets are increasingly being hijacked by cybercriminals hunting for personal financial information (PFI), according to new research from F5 Labs.

F5 Labs’ Application Report 2019 examined 760 breach reports and discovered that formjacking, which siphons data from the customer’s web browser to an attacker-controlled location, remains one of the most common web attack tactics.

F5 Labs' data shows that the method was responsible for 71% of all analysed web-related data breaches throughout 2018.

“Formjacking has exploded in popularity over the last two years,” said David Warburton, Senior Threat Evangelist, F5 Networks.

“Web applications are increasingly outsourcing critical components of their code, such as shopping carts and card payment systems, to third parties. Web developers are making use of imported code libraries or, in some cases, linking their app directly to third party scripts hosted on the web. As a result, businesses find themselves in a vulnerable position as their code is compiled from dozens of different sources – almost all of which are beyond the boundary of normal enterprise security controls. Since many web sites make use of the same third-party resources, attackers know that they just need to compromise a single component to skim data from a huge pool of potential victims.”

Breach data examined by F5 Labs found that 83 incidents in 2019 were attributable to formjacking attacks on web payment forms, impacting a total of 1,396,969 payment cards.

In terms of successful attacks, 49% occurred in the retail industry, 14% were related to business services and 11% focused on manufacturing. The transport industry was the biggest victim of formjacking attacks specifically targeting personal financial information, enduring 60% of all credit card-related theft during F5’s window of analysis.

While injection vulnerabilities are not new, F5 Labs believes that injection remains a growing and evolving problem as shifting industry trends rapidly prompt new risks and widen attack surfaces.

According to the Exploit Database, 11% of newly discovered exploits in 2018 formed part of a formjacking attack chain, including remote code execution (5.4%), arbitrary file inclusion (3.8%) and remote CMD execution (1.1%).

“The injection landscape is transforming along with our behavior,” said Warburton. “Adequately detecting and mitigating injection flaws now depends on adapting assessments and controls – not just fixing code. The more code we hand over to third parties, the less visibility and less control we have over it.”

To safeguard operations, F5 Labs recommends:

  • Creating an inventory of web applications. This should include a thorough audit of third-party content. The process is complicated because third parties usually link to additional websites and tend to have substandard security controls.
  • Patching your environment. While patching won’t necessarily fix flaws in third party content, it makes it harder to escalate from an initial foothold to substantive compromise. Since web injection is such a versatile technique, it is still critical to patch applications running in your own environment to prevent damage from compromised third-party assets.
  • Vulnerability scanning. For years, CISOs have recognised the importance of running external scans to get a hacker’s eye view of the situation. This becomes even more important when huge quantities of content are assembled on the client side at the last minute.
  • Monitoring for code changes. Regardless of where code is hosted, it is important to gain more visibility – irrespective of whether new vulnerabilities are emerging or not. This means monitoring GitHub and AWS S3 buckets, as well as native code repositories.
  • Multifactor authentication. Multifactor authentication should be implemented on any system connecting to high-impact assets, as injection is often used to bypass authentication to access web server code. Ideally, application-layer encryption can also supplement TLS/SSL to maintain confidentiality at browser level. Many well-known web application firewall (WAF) products have this capability. However, an Advanced WAF can offer enhanced levels of application-layer visibility and control to help mitigate distributed and polymorphic injection risks.
  • Exploring the potential of server software tools. For example, it is possible to set up a Content Security Policy (CSP) to block unauthorised code injections into a website or application. In addition, Subresource Integrity (SRI) can verify that third party scripts have not been altered. Both tools require work to properly fit to a web application. This is where a robust, flexible WAF comes in.

“Increasingly, organisations will begin to manage web injection risks in the form of security-oriented service level agreements,” added Warburton. “The mitigation methods recommended in the Application Protection Report 2019 are a good start, but it is vital to keep pace with morphing attacker mindsets and capabilities.”

[1] For more information on monitoring domains, see David Warburton’s article on certificate transparency.