Formjacking Takes Off (And The Rest Of The Week In Sizzles And Fizzles)


While there is much negative to be said about cybercriminals, one can’t accuse hackers and cybercriminals of being uncreative in their methods.  As phishing and ransomware become known commodities in the world of digital security, the hackers and crackers just change up their methods.

Their latest malovation?  Formjacking.

The method works when cybercriminals insert some malware on a retail website that basically acts as a card skimmer that siphons off consumer card data as it’s entered.  According to the latest edition of Symantec’s annual Internet Security Threat Report, formjacking is emerging as a favored tactic for hackers — particularly among those who target small- and medium-sized businesses.

Unfortunately, formjacking is increasingly finding bigger stages to play on, so to speak, as British Airways and Ticketmaster have both reported having been victims of formjacking attacks in recent months.  Symantec reports that in the last year or so it has blocked over 3.7 million formjacking attacks on websites. About one-third of those attacks occurred during the holiday shopping season.

“Formjacking represents a serious threat for both businesses and consumers,” Greg Clark, CEO of Symantec, noted in a release. “Consumers have no way to know if they are visiting an infected online retailer without using a comprehensive security solution, leaving their valuable personal and financial information vulnerable to potentially devastating identity theft.”

There are no hard figures quantifying how much consumer data privacy has been lost — or what the financial damages associated with formjacking are — though Symantec estimates that the new technique is currently affecting 4,800 websites per month.  Symantec further estimates criminals were able to steal “tens of millions of dollars” via the use of lifted credit card data or from selling the numbers on the dark web for around $45 each.

Some hacks, the report noted, have been potentially very lucrative.

“With more than 380,000 credit cards stolen, the British Airways attack alone may have netted criminals more than $17 million,” the report stated.

The rise of formjacking accompanies the decline of ransomware attacks, which according to the report are down 20 percent year-on-year — the first decline since they began emerging on the scene in 2013. A major contributing factor in that, according to Symantec, is the diminished value of bitcoin on the market, as it is typically used in ransomware attacks as the payment method.

Perhaps now that bitcoin’s prices have seen some gains in the last week, cybercriminals will again deem it valuable enough to transact with.

Symantec has also seen a decline in the occurrence of cryptojacking, wherein a hacker commandeers another computer in order to mine crypto without the computer owner’s permission.  The sharp decline can once again be attributed to the falling value of bitcoin — no longer quite worth the trouble of stealing another computer — and because technology has more or less caught up with the attack form.  Symantec said it blocked four times as many cryptojacking attacks in 2018 compared to the previous year.

The attack form does remain alive and well, Symantec noted, mostly because it is a relatively easy hack and requires little overhead to conduct.

Formjacking, on the other hand, is free of the digital currency markets — and generates good old-fashioned card numbers that can be used in a variety of contexts.  And it, too, reportedly has a low barrier for entry, as the malicious code is relatively easy to place into websites running older and unpatched software versions.  One hacking group called Magecart managed to effectively use these attacks against Ticketmaster, Newegg, Huddle House and dozens of other sites in 2018.

“Applying patches to applications immediately – not months after they become available – and making security testing a part of the entire lifecycle of an application are critical,” Oscar Tovar, vulnerability verification specialist with WhiteHat, told SCMedia about how these attacks can be warded off in the future.

The challenge, Symantec noted, is that most operators don’t know formjacking exists, or to be on the lookout for it — which means it is earning its spot as fizzle of the week simply by nature of the number of sites it is appearing on to suck out information.

And until those patches are put in place and the word is out, it seems a lot more fizzling data privacy is going to be attributed to formjacking going forward.


Digital Payments: $100 trillion market? PayPal CEO David Schulman thinks payments rendered over bits and bytes can reach this milestone, and joint efforts of partnerships between companies in far-flung industries are poised to take advantage of the growing opportunities.

Smartwatches: Time to shine for these wrist-worn gadgets? Garmin says revenue for its outdoor segment (and the watches tied to that segment) surged 25 percent in the fourth quarter of 2018, and the news was enough to send shares to an 11-year high.

Walmart: eCommerce gives a tailwind to earnings and a road map to the future as online sales grow by 43 percent in the latest quarter, boosted by expansion of its grocery delivery and pickup offerings.


Student Debt: The amount of debt in “serious delinquency” — at least 90 days — is on the rise, says Fed data, and stands at the highest level seen in several years, now exceeding $166 billion. The tally has grown as in-state tuition has risen by more than three percent annually over the last several years. In addition, borrowers between 40 and 49 years old have been most affected, as they are on the hook for their children’s tuition.

Munchery: The on-demand food delivery company closed its doors weeks ago, and now some of its suppliers are owed tens of thousands of dollars. Some of these suppliers, according to news reports, never were told by the company that operations would be shuttered — and so they fulfilled orders for which they were never paid.

Brick and mortar: A bit of another blow to (at least some) retail models, Payless has been approved by the bankruptcy court to begin closing its 2,500 stores located across North America, with as many as 16,000 workers out of their jobs. Gift cards and store credit will be honored into March.


