Formjacking 101: The Complete Guide

A Step-by-step Guide to Preventing Formjacking Attacks
Share article
twitter linkedin medium facebook

With over 4,800 unique websites compromised on average every month, formjacking is a simple and effective type of cyber attack that somewhat slips under the radar compared to ransomware or other cyber attacks that attract news coverage.

In an eCommerce market expected to reach $7.3 trillion by 2025, customers continue to purchase products online in their droves in addition to paying for subscription services. Taking advantage of this, threat actors are deploying tactics to steal credit card details from unknowing customers while they shop online. 

What is formjacking?

Formjacking is a type of cyber attack that steals credit card details by inserting malicious JavaScript code into online payment forms. The malicious code operates stealthily in the background on a payment form web page; these pages are often served to the buyer from a third-party payment processing company.

Victims enter their card details and complete online transactions as normal. A copy of the card details gets sent to a malicious party without the victim being aware of anything suspicious happening. 

For threat actors, each stolen card can earn $45 on the dark web, which quickly adds up to a lucrative payday when you consider that thousands of cards often get stolen during a single breach. For businesses selling products or services online, stolen customer card details can result in reputational, financial, and legal costs, specifically related to regulations like PCI and GDPR. This article provides a step-by-step guide to help your business prevent formjacking attacks. 

Formjacking, magecart, and everything in between

Web skimming is an alternative name for formjacking that reflects how these attacks resemble virtual versions of physical card skimming. Instead of a device that captures card details at an ATM, malicious web forms operate as the virtual web skimmers in today’s digital landscape

Sometimes, media reports on formjacking incidents refer to them as “Magecart attacks.” Magecart is actually a syndicate of threat actors that target retailers with web skimming attacks. This syndicate has previously hit some high-profile victims, including Ticketmaster and British Airways. The group’s name stems from its initial focus on compromising the Magento eCommerce platform as far back as 2016. Magecart threat actors now target many different platforms and sites beyond just Magento. 

How to prevent Formjacking: Recommended Steps to Prevent Formjacking Attacks 

Here are some actionable, recommended steps your business can take to protect against the threat of formjacking attacks. 

Step 1: Automate penetration tests and vulnerability scans

Current approaches to penetration testing and vulnerability scans are too reactive to prevent formjacking attacks. Many businesses carry out these tests and scans every month or worse still, every six months to one year.

A proactive and preventative approach to penetration testing and vulnerability scanning quickly identifies areas of risks in eCommerce platforms, web applications, or third-party software. You need to find and fix problems before threat actors exploit them in an effort to skim customer card details. To achieve a proactive and preventative approach, software or SaaS solutions that automate much of the work involved in penetration tests or vulnerability scans can prove an invaluable investment

You don’t need to rely solely on automation, but you do need to incorporate it if you want to get on top of the formjacking threat. A SaaS or software solution can continuously look for vulnerabilities in your client-side eCommerce store, while manual penetration testing can unearth other areas of risk or vulnerabilities.

Get a free website formjacking vulnerability scan

Step 2: Fix your vulnerabilities as soon as you find them

Up to 83 percent of security operations professionals feel frustrated by alert fatigue. Constantly bombarded with alerts about different risks and threats from multiple tools, security professionals often struggle to prioritize what they need to remediate. 

Web app vulnerabilities actively being exploited in the wild represent huge risks for any business that takes payment from customers online. Automating tests and scans brings vulnerabilities to your attention faster, but you still need to fix them promptly. Slow remediation is a deep-seated problem evidenced by the fact that organizations were still becoming victims of the WannaCry ransomware over four years after Microsoft released a patch for it.

Step 3: Rigorously test website updates before launching them on the web

Businesses running eCommerce stores regularly update their websites to add new features, plugins, update products, or change the design. While customers and marketing teams appreciate these changes, threat actors understand that any new update comes with a potential security loophole they can exploit. As stores of private data and places where people fill in forms with their credit card details, websites and web apps are prime targets of cyber attacks. 

It’s critical before launching any website update into a production environment that you conduct thorough security testing. This testing can include automated tools and manual processes. Web forms and third-party payment processors should be thoroughly checked for any vulnerabilities introduced by new website updates. 

Steps to Prevent Formjacking Attacks

Step 4: Leverage AI to improve your monitoring of behavioral patterns

Artificial intelligence continues to demonstrate its usefulness across a wide spectrum of cybersecurity areas. Of particular benefit in preventing formjacking are machine learning solutions that improve their performance over time in recognizing patterns of user behavior and traffic.

By monitoring your web app and establishing baseline levels of normal and secure activity, machine learning solutions can identify anomalies that indicate data being sent to servers that it shouldn’t be sent to.

Step 5: Block suspicious patterns and apps that may cause damage to your system

AI-powered behavioral monitoring and other behavioral analytics technology provide advanced threat intelligence about what’s happening in your website ecosystem. Just as important is the ability to quickly block suspicious traffic, users, third-party code, or IP addresses quickly before damage is done and data is stolen. The ability to block suspicious patterns and apps quickly starts with a solid incident detection and response process that finds and remediates threats throughout the cyber attack chain.

That’s why it’s important to gain visibility into your website’s blind spots – that is, which applications are connected to it, what data are users accessing, and where is that data being sent to. Mapping these three components  for every single website asset will allow you to efficiently eliminate third-party security risks and vulnerabilities.

Step 6: Go beyond scanning your own website

Today’s websites are complex IT ecosystems with multiple third-party dependencies. These dependencies include online payment software integrated with the site, marketing analytics software that uses JavaScript on a site’s pages, online CRMs, data warehouses, and public cloud systems

Many successful formjacking attacks are actually supply chain attacks, because they exploit vulnerabilities in third-party code used by a website or web application. Scanning your own site and getting security right is just one part of the equation. You need to go beyond traditional security measures and start to verify the security of all third-party dependencies and components integrated with your site. 

There is a real need for greater visibility into third-party risks in client-side web applications. The average eCommerce site uses 40-60 third-party technologies and even many more scripts, and businesses ignore these risks at their peril. A solution that provides ongoing monitoring and tracking of third-party ecosystems is essential for securing modern websites against supply chain attacks

Start prevention today: discover how vulnerable your site is, for free 

The threat of formjacking is not going away any time soon. With high levels of demand for stolen credit card details on the dark web and increasingly unsecured third-party ecosystems on eCommerce websites, threat actors like Magecart will continue to target web forms. 
Following the steps outlined above will help your business prevent formjacking. But to take one extra step towards reducing your external attack surface and prevent formjacking attacks, you can start with a free website formjacking vulnerability scan.


What is formjacking?

Formjacking is a cyber attack method wherein malicious JavaScript code is inserted into online payment forms to illicitly acquire credit card details.

What is an example of a Formjacking attack?

An example of a Formjacking attack is when a cybercriminal injects malicious JavaScript code into the payment processing page of an e-commerce website. This code is designed to capture and transmit sensitive information, such as credit card details, entered by unsuspecting users during the online checkout process. The attacker can then use this stolen information for fraudulent activities or sell it on the dark web. Formjacking attacks can compromise the security of numerous users who make transactions on the affected website.

How do you protect against Formjacking?

Protecting against Formjacking involves implementing proactive measures. Utilize Web Application Firewalls (WAF) to detect and block malicious code injections, conduct regular security audits, and ensure secure payment gateways. Implement Content Security Policy (CSP) headers, monitor for anomalies, educate users on safe practices, and keep all software updated to patch vulnerabilities. By adopting these strategies, you can enhance your defenses and mitigate the risks associated with Formjacking attacks.

Subscribe to our newsletter

Stay updated with the latest news, articles, and insights from Reflectiz.

Your Website looks great!

But what’s happening behind the scenes?

Discover your website blind spots and vulnerabilities before it’s too late!

Try for free