As the number of customers who make transactions online increases, the risk of compromising their personal details also increases.

In a blog by software company Symantec, it details who the group Magecart uses formjacking to steal user data that include credit card details.

Formjacking is the use of malicious JavaScript code to steal credit card information as well as other data entered in the payment form of e-commerce and other service-oriented websites. This technique has been done in the past, and perhaps being used in small-scale operations, but Symantec said it saw an “uptick” of attacks since the data breach of high-profile companies such as the British Airways, Feedify, Newegg, and Ticketmaster.

As soon as customers click “submit” after providing necessary information, the malicious JavaScript code injected on the site does it work and harvest that information redirecting it to the attackers’ server.

From the research Symantec did to gain insights of what businesses were potential targets, it examined “1,000 instances blocked by Symantec over a three-day period from Sept. 18 to 20, where it found out that 57 individual websites were affected.

The sites are online retail sites that range from small niche sites to larger retail operations.

“Our data shows that any company, anywhere in the world, which processes payments online is a potential victim of formjacking,” Symantec writes on its blog.

The company sees formjacking as a sustained campaign based on its monitoring “with activity increasing substantially in the week of Sept.13-20.

“According to Symantec telemetry, since August 13 we have blocked 248,000 attempts at formjacking — almost a quarter of a million instances. However, more than one third of those blocks (36 percent) occurred from Sept. 13-20, indicating that this activity is increasing.”

Symantec explained how Magecart injected malicious JavaScript into the Ticketmaster website after compromising a chatbot from tech firm Inbenta used by Ticketmaster for customer support. “Magecart was then able to alter the JavaScript code on Ticketmaster’s websites to capture payment card data from customers and send it to their servers. The code may have been on the Ticketmaster website for almost a year, with international Ticketmaster customers warned they may have been affected if they bought tickets between September 2017 and June 2018. Inbenta said Magecart had exploited a number of vulnerabilities to target its front-end servers and alter the chatbot code.”

This revealed how Magecart has been using third-party — and smaller — companies online retail stores are using for various services such as analytics and customer support. “The report at that time said at least 800 e-commerce sites had been hit in that campaign. The danger is that if Magecart can compromise one widely used third-party supplier, they could potentially infect thousands of sites in one go.”

Supply chain

Symantec warns, though, that while large company websites have ensured data security by complying to government regulations, it is the third-party, small websites that offer various services that become the gateway of such attacks.

Cybercriminals use supply chain attack in order to gain access to the bigger website and “change the code on the payment page.”

Symantec advises companies to ensure that supply chain websites are as secure as their own so their cybersecurity efforts won’t go to waste.

Image from Pixabay