Formjacking: What is it and how to protect ourselves from this attack?

Information security specialists report the emergence of a new variant of online fraud that allows the extraction of victims’ data when they browse through seemingly secure websites. In most cases, victims do not know they have been attacked until it is too late.

Whether users are shopping online, filling out
government forms, or job applications, threat actors can find a way to bypass any
protection on a website to steal information when the user enters it.

Information security specialists have dubbed this practice “formjacking”. The method works much like the “skimming” devices that cybercriminals implant at ATMs to clone payment cards by capturing information from users’ cards. In the case of formjacking, hackers inject malicious code into a legitimate website to extract people’s information as they enter it into the site.

Researchers at information security firm
Symantec published an analysis of the growth of formjacking during the first
half of 2018 and 2019, concluding that this practice grew nearly 120% in less
than a year. “It is possible to attack any website, so administrators
should always remain alert to any cybersecurity threat,” the experts said.

The responsibility to combat this practice rests almost 100% with the companies and website owners that request personal information, as it is virtually impossible for users to do anything to increase the security of a website. “Users don’t really have a way of knowing when a website has been attacked; there’s not much they can do except wait for companies and Internet pages to receive protection and surveillance.” To make matters worse, protection measures such as antivirus software are also very inefficient at detecting such attacks.

This is a really stealthy attack variant, so it is best for users to stay vigilant, be aware of what information they are sharing on any website, and periodically monitor their social media profiles and accounts, emails and bank statements to detect any suspicious activity in time and report it to the relevant authorities.

Another option to consider for mitigating this risk is to stop using desktop computers to enter personal information on a website and instead use only secure mobile apps, primarily payment services such as Apple Pay or Google Pay.

Although it seems similar to sending phishing forms or messages, information security specialists from the International Institute of Cyber Security (IICS) mention that formjacking is a much more dangerous attack variant. The danger of formjacking lies in the fact that attackers can inject their code into legitimate websites, unlike phishing, which employs forms, websites and emails that are simply very well-made copies of the content used by legitimate private companies and government institutions.
