What Is Formjacking and How Can Your Business Stay Protected?

Formjacking is a sophisticated cyberattack where hackers inject malicious JavaScript code into website forms to steal sensitive user information. Unlike traditional data breaches that target servers, formjacking operates entirely on the client side, capturing data in real-time as users enter it into forms. This makes these attacks particularly dangerous, as they leave no trace on the server and can go undetected for a long time.

Formjacking represents a significant threat to businesses across all industries, but especially to those that process online payments. Understanding how these attacks work and implementing proper protection measures is essential for protecting customer data and maintaining compliance with regulations like PCI DSS Requirements 6.4.3 and 11.6.1.

Key takeaways

• Formjacking attacks steal sensitive data directly from web forms as users enter information, all while appearing completely normal to both users and businesses.
• These client-side attacks bypass traditional security measures like web application firewalls (WAF) and server-side monitoring.
• Implementing client-side security monitoring, managing third-party scripts, and using specialized protection tools are essential for the prevention of these attacks.
• The new PCI DSS 4.0 standard requires client-side security measures, making formjacking protection a compliance necessity.

How formjacking attacks work

Formjacking attacks follow a systematic process that allows hackers to infiltrate websites and steal user data without detection. Understanding this process is crucial for implementing effective defenses.

1. Exploit vulnerabilities

Attackers first identify and exploit vulnerabilities to gain access to a website’s code. These entry points typically include:

• Content management system (CMS) weaknesses
• Outdated plugins or themes
• Vulnerable e-commerce platforms
• Compromised third-party scripts and libraries
• Weak server configurations
• Compromised administrator credentials

The most common attack vector is through third-party scripts. Modern websites rely on numerous external resources for functions like analytics, marketing tools, payment processing, and customer service features. Each of these represents a potential entry point for attackers.

2. Inject malicious code

Once the hackers gain access, they inject malicious JavaScript code into the website. This code targets form fields where users enter sensitive information. The attack can be implemented in several ways:

• Direct insertion of malicious code into a website’s files
• Adding a remote script reference that loads code from an attacker-controlled server
• Modifying legitimate third-party scripts to include malicious functionality
• Using typosquatting or homoglyph attacks to create domains that appear legitimate

The code is typically designed to capture form data just before submission, allowing it to collect complete information, including credit card numbers, expiration dates, CVV codes, and personal details.

3. Obfuscate the code

To avoid detection, attackers use various obfuscation techniques to hide their malicious code:

• String manipulation and encoding (Base64, Base62)
• Code minification and compression
• Breaking code into smaller, seemingly unrelated parts
• Disguising code as legitimate analytics or functionality
• Using polymorphic code that changes its signature

These techniques make it extremely difficult to identify malicious code through manual review or traditional security scanning tools.

4. Exfiltrate stolen data

The final step involves transmitting the captured data to servers controlled by the attackers. This typically happens in one of two ways:

• Immediate transmission of data as soon as it’s captured
• Storing data temporarily in browser storage and transmitting it in batches

Attackers often use domains that mimic legitimate services (like google-anlytics.com instead of google-analytics.com) or encode the data to disguise the transmission. They then sell the stolen information on dark web marketplaces or use it directly for fraud.

Why formjacking is difficult to detect

Formjacking presents unique challenges for detection compared to other types of cyberattacks:

It’s a client-side operation. Because formjacking operates entirely within the user’s browser, server-side security measures have no visibility into the attack. Traditional WAFs, intrusion detection systems, and server logs cannot detect when malicious code is executing in a user’s browser.

It looks legitimate. To both users and businesses, transactions appear completely normal. The payment process works as expected, orders are fulfilled, and no error messages appear. The only indication of compromise is the invisible copy of data being sent to the attacker’s server.

There’s third-party complexity. The average website includes code from 23 different third-party sources(1). Each script can load additional scripts, creating a complex chain of trust. This makes it difficult to monitor all code executing on a website, especially with scripts changing frequently.

A lack of good tools. Most businesses lack tools for monitoring client-side code execution. Even when websites undergo security audits, these typically focus on server-side vulnerabilities instead of client-side threats.

Not always active. Sophisticated formjacking attacks may only target specific users or activate during certain time periods, making them even harder to detect through occasional scanning or testing.

The business impact of formjacking attacks

The business consequences of formjacking extend far beyond the immediate data theft:

Financial losses

Businesses face substantial financial impacts from formjacking:

• Regulatory fines for data protection violations
• PCI DSS non-compliance penalties
• Legal costs from customer lawsuits
• Fraud investigation and remediation expenses
• Payment card replacement costs

The 2018 British Airways formjacking attack resulted in a fine of £20 million ($26 million) after 380,000 customers had their personal and payment information stolen⁽²⁾. The attack remained undetected for two months before a security researcher alerted the company.

Operational disruption

Responding to a formjacking attack requires significant resources:

• Emergency security team mobilization
• Forensic investigation of the breach
• Remediation of compromised systems
• Customer notification and support
• Implementation of new security measures

Reputational damage

Perhaps the most significant long-term impact is the erosion of customer trust. Once a business is associated with a data breach, rebuilding customer confidence can take years. The reputational damage often means:

• Decreased conversion rates on e-commerce sites
• Reduced customer retention
• Negative media coverage and social media sentiment
• Damaged relationships with partners and payment processors

How to protect against formjacking

Protecting your business against formjacking requires a multi-layered approach that addresses both prevention and detection:

Use client-side monitoring

Since formjacking operates in the browser, client-side monitoring is essential:

• Deploy solutions that can detect unauthorized script behavior in real-time
• Monitor changes to the Document Object Model (DOM) on sensitive pages
• Set up alerts for suspicious data transmission, especially from payment pages
• Regularly test your website from different geographic locations to catch region-specific attacks

Manage third-party scripts

Third-party scripts represent the most common entry point for formjacking attacks:

• Create an inventory of all third-party scripts running on your website
• Evaluate the security practices of your third-party vendors
• Limit third-party script access on sensitive pages
• Consider hosting critical third-party scripts on your own servers
• Implement a formal approval process for adding new scripts

Apply content security policies

Content Security Policies (CSP) help restrict which scripts can run on your website:

• Define which domains are allowed to load JavaScript on your pages
• Implement subresource integrity (SRI) to ensure scripts haven’t been modified
• Set up reporting to be notified of policy violations
• Regularly review and update policies as your website evolves

Keep software updated

Maintaining current software versions is a fundamental security practice:

• Apply security patches promptly to all web applications and plugins
• Regularly update content management systems and e-commerce platforms
• Monitor security announcements from vendors and third-party services
• Consider automating security updates where possible

Use specialized formjacking protection

Solutions like DataDome Page Protect offer comprehensive protection against client-side attacks, including:

• Real-time monitoring of JavaScript behavior
• Detection of unauthorized code modifications
• Immediate alerts for suspicious activities
• Compliance with PCI DSS 4.0 requirements for client-side security

DataDome Page Protect resolves security incidents automatically

Defeat formjacking with DataDome Page Protect

Formjacking represents a significant and evolving threat to online businesses. By operating within the user’s browser rather than attacking server infrastructure directly, these attacks bypass many traditional security measures and can remain undetected for months while harvesting sensitive customer data.

Protecting your business requires a multi-layered approach that includes understanding third-party risks, implementing client-side monitoring, creating content security policies, keeping software updated, and deploying specialized protection solutions.

DataDome Page Protect is specifically designed to defend against formjacking and other client-side attacks. This purpose-built protection system provides real-time monitoring of all script activities on your payment pages and automatically detects and blocks unauthorized code modifications and suspicious behaviors.

Visit datadome.co/products/page-protect to learn more and request a demo of the solution for your company’s security strategy.

References

1. https://almanac.httparchive.org/en/2021/third-parties#third-party
2. https://www.bbc.co.uk/news/technology-54568784