www.canadiansecuritymag.com

Features Expert Advice Opinion
Expert advice: Formjacking is the latest threat


May 16, 2019
By Robert Arandjelovic

Topics
Robert Arandjelovic, Symantec’s Americas director of product marketing

According to Symantec’s annual Internet Security Threat Report, one of the newest ways for hackers to steal personal data is formjacking. Here’s what you need to know about this growing online threat.

Formjacking occurs when cyber criminals inject suspect code, or malware, into an e-commerce website. When a consumer accesses the website to make a purchase, their information is sent to the merchant, but the malware copies their information and sends it to the cyber criminals as well.

Formjacking affects an average of 4,800 websites each month. Although small and medium-sized businesses are the biggest targets, cyber criminals have also used formjacking to attack major organizations such as British Airways and Ticketmaster. In 2018, Symantec blocked more than 3.7 million formjacking attacks on websites, with one-third of those happening during the busy holiday shopping season.

For e-commerce retailers, it’s vital that systems are kept up to date, and that regular code reviews are carried out.

Many companies have strong coding review practices in place already, to make sure the user experience is maintained. If code is being reviewed regularly, this should identify anomalous code or malware.

For consumers, because the malware isn’t on your system, the best defence against formjacking is having reliable end-point security with intrusion prevention system (IPS) technology in place, especially when performing e-commerce transactions. Try to avoid using systems with questionable security, such as hotel or library computers. Without end-point security, it’s impossible to detect that an e-commerce site has been compromised and that your data is vulnerable. This also holds true for consumers who use their mobile devices to make purchases: if you access a compromised server using a mobile app, or if you open an infected webpage on your mobile phone, your data is at risk unless end-point security is in place on your device.

For the foreseeable future, formjacking will continue to increase.   

Robert Arandjelovic is Symantec’s Americas director of product marketing (www.symantec.com).