Formjacking, a newer way of stealing personal data online

Cyber Security Awareness Month is in full swing; social media is buzzing with extremely helpful content and resources, mostly of which is free to help businesses and individuals gain and stay in control of their digital worlds. As the saying goes, “you learn something new every day,” or you should. Through social media related to #NCSAM, #cybersecurityawarenessmonth and #BeCyberAware, I heard about a newer way hackers are stealing data - formjacking.

I knew the term “jacking” meant stealing, but combing it with the word “form,” it could mean a variety of things, so I reached out to my friends at the Security Industry Association (SIA) for some guidance.

“Formjacking is the injection of malicious code into a seemingly trustworthy website form that relays a copy of the field inputs to an attacker,” Joe Gittens, director of standards, SIA, explained. “In these cases, the victim's transaction with the trust source is not interrupted; however, information from the from, which could include sensitive data, is relayed to the attacker.”

That literally gave me chills. I can't speak for you, but I know I have filled out at least hundreds of forms in my digital life; reflecting back over my past 20 years, there's no telling what data I've shared. And, with formjacking, here's the kicker - there are no red flags for the average online user to look for.

“Unlike with spoofing and phishing, there are very few tell-tale signs that a form has been compromised,” Min Kyriannis, head, technology business development, Jaros, Baum & Bolles and member of SIA's Cybersecurity Advisory Board. In fact, the only way to detect formjacking is looking at the code, “and, unless you're trained, it's hard to detect,” Gittens said.

It looks like the regular, every day Joe who is going online and filling out forms has absolutely no way of knowing his data could be at risk, although end users can self-sabotage through installing browser plug-ins, Gittens said. Therefore, it's mainly up to the company behind the online form to ensure people and their data are protected.

“Companies need to ensure that all software, plug-ins and any third-party applications or extensions have been vetted and check for vulnerabilities,” Kyriannis advised. “These need to be continuously checked, since software is constantly being updated.”

It amazes me how smart cybercriminals/hackers truly are, and it's important to never underestimate them. Think about it in these terms: once a threat is recognized and identified by the “good guys,” the “bad guys” have already moved on “looking for more covert ways to harvest data,” Gittens said, in a way that's the “easiest to hide and what's most lucrative” for them,” added Kyriannis.

Gittens identified partner trust as key and noted that formjacking can and has affected large and mom-and-pop institutions. “Just like with other attacks, understanding exactly what type of privileges a third-party service has on your website or your browser and only allowing the most trusted services into your ecosystem can help protect you and your business. Also, be careful about what types of information you are collecting in forms in case you are attacked. If you don't have to collect sensitive data, don't do it - contract a trusted third party to perform the transaction for you who has better security protocols in place and can provide you and your customers with assurances. The SIA Cybersecurity Advisory Board will soon look to provide guidance on how security stakeholders can foster more trust within the device�and application ecosystem.”

Kyriannis concurs that trust is key, but “people with malicious intent will always find new ways to sneak under the radar. The industry must lead in bringing awareness to their clients, customers, etc., and self-awareness is critical - for end users, that means setting up security parameters for themselves,” such as tagging credit cards to constantly monitor charges.

Formjacking Key Takeways

1. Any and all information shared via an online form is at risk of being stolen.
2. The only way to detect formjacking is to look at the code.
3. Ensure software, plug-ins and any third-party applications or extensions have been vetted and regularly check for vulnerabilities.
4. Understand the exact privileges a third-party service has on your website/browser.
5. If you don't have to collect sensitive data, don't.
6. Set up security parameters for yourself.