Christmas is just around the corner, and it is already certain that some people will lose their holiday spirit. When millions of people go online to hunt for gifts, the trap snaps shut. We are talking about the new invisible threat on the Internet: Formjacking, also known as e-skimming. Hackers compromise online shops, hijack their payment forms and steal credit card and bank details. Neither the unsuspecting customer nor the affected company notices anything – everything goes as usual. The buyer receives the product and the company receives the payment, but in the background cybercriminals tap the confidential payment information. The rude awakening comes only later, with a look at the account: unknown persons have gone on an extensive shopping spree at the cardholder’s expense.

BKA and FBI warn

In its new Federal Management Report on Cybercrime, the BKA confirms that the number of Formjacking cases rose particularly sharply during the previous year’s Christmas shopping season. As part of U.S. Cyber Security Month 2019, the FBI also recently issued a warning, addressed in particular to small and medium-sized companies that accept credit card payments online. They often have less sophisticated defenses and are therefore particularly vulnerable to attacks. Malware planted on their systems would also remain undetected for longer.

But larger companies are also increasingly being targeted. One of the most spectacular cases occurred in September 2018, when British Airways lost over 380,000 customer credit card details due to an infected booking page. This attack is likely to have earned the hackers several million US dollars. British Airways in turn not only suffered an immense loss of confidence, but also faces a possible fine of 230 million US dollars because of inadequate security measures – the largest amount to date since the GDPR came into force.

How does Formjacking work?

The term “Formjacking” is a combination of “online form” and “hijacking” and basically describes the digital version of the well-known skimming, in which fraudsters fit the card slot of an ATM with their own card reader. The PIN is captured at the same time with small cameras. The bank card can then be duplicated with the collected data.

A Formjacking attack works in a similar way online. In this two-stage attack, a shop page is first targeted in order to plant malicious code on it, usually small obfuscated JavaScript snippets. According to the FBI, hackers often achieve this by phishing and sending malicious emails to employees or vulnerable third-party providers whose applications have access to a company’s server landscape. Once the malicious code is in place, credit card data can be captured in real time as soon as the customer enters it on the shop website.

The cybercriminals then use the valuable information either to go shopping themselves or to sell it on the darknet. According to a study by the American credit agency Experian, a credit card number with a security code sells for about 5 US dollars. Login data for payment service providers such as PayPal can even fetch around 20 US dollars.


Who’s behind the attacks?

Formjacking belongs to the so-called man-in-the-middle attacks, in which attackers use malware to position themselves unnoticed between the communication partners. But who are the unknown attackers? The attacks usually cannot be clearly attributed, but the name Magecart appears again and again in connection with the incidents, as in the British Airways case described above. This is a generic term that describes the activities of at least seven hacker groups that use similar malware in similarly orchestrated attacks. The Magecart groups do not restrict their attacks to a specific online shop platform. In addition, it has been observed that some cybercriminals specialize in third-party services such as live chat widgets.

How can you protect yourself?

It is not possible for the customer to detect and prevent formjacking during online shopping because the infected pages look unchanged. It is therefore advisable to restrict purchases to large shops which, in contrast to small e-commerce websites, are equipped with more extensive security systems. Credit cards should also have a second level of defense in the form of 3D Secure. With it, for example, no transaction is possible without a TAN code sent to the smartphone.

But the real responsibility for preventing e-skimming attacks lies with the companies. It is imperative that they keep their security systems up to date. The aim is to keep the entry points for malware, for example malicious emails, closed with extensive protective measures.
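Because the planted script is the only change to an infected page, a shop operator can compare the scripts on the payment page with a reviewed copy of that page. The following sketch is an added example, not part of the original article; the host names, the sample pages and the function names `listScripts` and `auditPage` are constructed for illustration.

```javascript
// Added example with constructed data; shop.example and the vendor hosts are placeholders.
const PAGE_URL = 'https://shop.example/checkout';
const BASELINE_HTML = `
<script src="/static/checkout.js"></script>
<script src="https://chat.vendor.example/widget.js"></script>
<script>window.shopConfig = { currency: "EUR" };</script>`;
const LIVE_HTML = BASELINE_HTML + `
<script src="https://chat.vendor.example/widget-v2.js"></script>
<script src='//cdn-metrics.example/a.js' async></script>
<script>/* constructed stand-in for unreviewed inline code */</script>`;

// Collect every <script> element: external ones by src, inline ones by body text.
function listScripts(html) {
  const scripts = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  const srcRe = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  for (const m of html.matchAll(tagRe)) {
    const src = srcRe.exec(m[1]);
    if (src) scripts.push({ kind: 'external', value: src[1] ?? src[2] ?? src[3] });
    else if (m[2].trim()) scripts.push({ kind: 'inline', value: m[2].trim() });
  }
  return scripts;
}

// Report every script on the live page that the reviewed baseline does not contain.
function auditPage(baselineHtml, liveHtml, pageUrl) {
  const base = listScripts(baselineHtml);
  const urls = base.filter(s => s.kind === 'external').map(s => new URL(s.value, pageUrl));
  const knownUrls = new Set(urls.map(u => u.href));
  const knownOrigins = new Set(urls.map(u => u.origin));
  const knownInline = new Set(base.filter(s => s.kind === 'inline').map(s => s.value));
  const findings = [];
  for (const s of listScripts(liveHtml)) {
    if (s.kind === 'inline') {
      if (!knownInline.has(s.value)) findings.push({ reason: 'unknown-inline', detail: s.value.slice(0, 60) });
      continue;
    }
    const u = new URL(s.value, pageUrl); // resolves relative and protocol-relative src values
    if (knownUrls.has(u.href)) continue;
    const reason = knownOrigins.has(u.origin) ? 'new-url-on-known-origin' : 'new-origin';
    findings.push({ reason, detail: u.href });
  }
  return findings;
}

console.log(auditPage(BASELINE_HTML, LIVE_HTML, PAGE_URL));
```

A script that is altered in place at an already approved URL does not show up in this comparison; catching that also requires comparing the contents of the script files themselves.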

Formjacking currently focuses on the theft of credit card data, but in principle it can be used to steal any type of data that is entered into online forms. An expansion of this kind of fraud is therefore more than likely.