Skip navigation
online form.jpg Getty Images

Form Jacking: Why Your IT Shop Needs to Take It Seriously

Some exploits receive little press but can have big consequences. Form jacking is one of these exploits. Here's what you need to know.

IT security professionals have seen their fair share of overhyped attacks and exploits. They've probably also seen the opposite, too – exploits that receive relatively little press but need to be taken very seriously. Form jacking is such an exploit.

Form jacking is a technique by which attackers steal credit card numbers and other personal information – using a method that is roughly analogous to the way that credit card details are so often stolen in the physical world. One of the most common methods that thieves use to steal credit card numbers in the physical world is skimming. Skimming uses a small electronic device to steal a credit card number during an otherwise legitimate transaction. Skimmers are often placed on the card readers affixed to gas pumps. When customers swipe their credit card the transaction is completed in the usual way, but the card skimmer provides the thief with a copy of the customer’s credit card number.

The thing that makes this type of credit card theft so effective is that it may be quite some time before victims even realize that their account has been compromised. After all, the victim still has physical possession of their card, and the most recent transaction has been completed without incident, so the victim has no reason to suspect that anything is wrong. With the victim’s credit card number in hand, the thief can wait to either use or sell the credit card number.

Form jacking has many similarities to credit card skimming. The difference is that, rather than swiping their credit cards at a gas pump or at a retail point-of-sale terminal, victims use their credit card to make a purchase on a legitimate website. What neither the customer nor the site owner knows, however, is that the site has been compromised and any information that is entered during the checkout process is also being sent to a credit card thief.

Like the credit card skimming that happens in the physical world, the crime may go unnoticed for a period of time. The customer’s transaction is completed in the expected manner, and the site owner is essentially just an unwitting accomplice.

There are two main reasons why form jacking is such a serious threat to online businesses. The most obvious reason is that a business that suffers a data breach (a form jacking attack, in this case) is almost certain to lose a substantial number of customers.

The second, and potentially more serious, reason why form jacking is such a huge threat is that this type of data breach may be a GDPR (General Data Protection Regulation) violation. If a data breach exposes the personal data of European Union citizens, then GDPR can impose stiff financial penalties on the business, even if the business is not located in the European Union. GDPR fines can be as high as 4% of a company’s total global revenue.

Given the fact that a form jacking attack can cause an organization to suffer devastating financial damage, it is clearly in an organization’s best interest to prevent such an attack. This, of course, raises the questions of how a form jacking attack works and what you can do to stop it.

In a form jacking attack, the attacker inserts a small bit of code into a merchant’s shopping cart. This code essentially skims customer data and transmits it to the hacker. There are similar attacks that skim data from the customer’s device, but these are not true form jacking attacks since they target only a single person.

Thankfully, there are several things that you can do to avoid having your company’s site compromised by a form jacker. First, if at all possible, don’t use JavaScript. JavaScript obviously has its place, and you may not be able to get around using it, but try to avoid using JavaScript if you can. The most effective form jacking attacks (those against British Airways and Ticketmaster) involved malicious JavaScript code.

Another thing that you should do is to periodically verify your Web server’s permissions. Any folder containing code should be read-only. As a general rule, only databases should be read-write.

If your organization uses a commercial shopping cart application, then carefully scrutinize patches or new releases. It is conceivable that a well-connected attacker could infiltrate the company that makes the shopping cart software and insert malicious code directly to the software. This means that anyone who downloads and installs the latest version of the shopping cart software would be infected, without the attacker ever having to compromise their web server.

Finally, be aware of the outbound traffic flowing from your web server. More specifically, watch for any traffic that is attempting to use non-standard ports, and watch for a steady flow of traffic to an unexpected IP address. 

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.