There are dozens of client-side security threats. If you’re reading this, you are trying to figure out which ones might impact your business. If you are in financial services, healthcare, retail, e-commerce, insurance, or any other industry that uses online forms to collect information from prospects and customers, you need to be aware of formjacking attacks and understand how to defend against them. Let’s take a closer look at this type of attack and what you can do about it.
What is Formjacking?
Formjacking Data Collection Targets:
- Email address
- Credit card information
- PayPal or Venmo Credentials
- First and last names
- Billing address
- Phone numbers
- Social security numbers
- Healthcare information
What is a Formjacking Attack and How Does it Work?
Formjacking attacks are simple in mechanism and closely resemble Magecart, e-skimming and cross-site scripting attacks. They follow three steps.
- Step 1: The attacker injects malicious scripts directly into the pages that host the target forms.
- Step 2: The user enters data into the form.
- Step 3: The injected script collects the customer information and sends it to the attacker’s command and control server for storage and later use.
Why Attack the Client-side with Formjacking?
What Can I Do to Protect My Business and My Customers?
Application developers and security professionals need to work hand in hand to continuously scan their web applications and websites for malicious scripts and client-side vulnerabilities. Any issue found must be mitigated immediately. Note that without an automated client-side protection tool for web applications, the continuous scanning and patching process is extremely time consuming. Do not rely solely on point-in-time penetration tests and vulnerability assessments: they only address what you know now, not what will happen in the very near future. Attackers move faster than a quarterly test or assessment, so your client-side security team needs to be on its toes at all times.
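The three steps above describe a recognisable pattern: a script that is not one of yours, or an inline script that hooks a form’s submit or input events and sends data to a host you do not control. The following is an added example of the kind of automated check the paragraph above calls for; it is illustrative code written for this page, not code from the original post or from the Inspector and PageGuard products. It parses a page’s HTML, flags script sources that are not on a site-specific allowlist (the allowlist, the first-party host and every hostname in the sample page are constructed assumptions), flags third-party scripts loaded without Subresource Integrity, and flags inline scripts that combine a form event hook with a network-send call.

```python
"""Heuristic audit of a page's scripts for formjacking indicators.

Added example for this article; not part of the original post and not the
vendor's product code. Hostnames, allowlist and sample page are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Assumptions for the example: the site's own host and the hosts it expects
# to load script from. A real deployment would derive these from its build.
FIRST_PARTY_HOST = "shop.example"
ALLOWED_SCRIPT_HOSTS = {FIRST_PARTY_HOST, "cdn.example"}

# Indicator 1: the script attaches to form submission or typing events.
FORM_HOOK = re.compile(r"addEventListener\(\s*['\"](submit|input|change|keyup)['\"]|\.onsubmit\s*=")
# Indicator 2: the script has a way to send data off the page.
NET_SEND = re.compile(r"\b(fetch|XMLHttpRequest|sendBeacon|new\s+Image)\b")
# Hostnames referenced inside the script body (candidate collection endpoints).
URL_IN_JS = re.compile(r"https?://([A-Za-z0-9.-]+)")


class ScriptCollector(HTMLParser):
    """Collects every <script> tag: src and integrity attributes plus inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # {"src": str|None, "integrity": str|None, "body": str}
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "body": ""})
            self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1]["body"] += data


def audit_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS, first_party=FIRST_PARTY_HOST):
    """Return a list of (severity, description) findings for one page's HTML."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or ""   # relative src -> "" (first party)
            if host and host not in allowed_hosts:
                findings.append(("high", f"script loaded from non-allowlisted host: {host}"))
            if host and host != first_party and not s["integrity"]:
                findings.append(("medium", f"third-party script without SRI integrity: {s['src']}"))
        else:
            body = s["body"]
            if FORM_HOOK.search(body) and NET_SEND.search(body):
                hosts = sorted(set(URL_IN_JS.findall(body)) - set(allowed_hosts))
                findings.append(("high",
                                 f"inline script hooks form events and sends to: {hosts or ['unknown']}"))
    return findings


# Constructed sample page: a first-party script, an allowlisted CDN script with
# SRI, an unexpected third-party tag, and an inline indicator sample that hooks
# the checkout form's submit event and references an unknown host. The inline
# sample only carries the indicators; it is not a working skimmer.
SAMPLE_PAGE = """<html><body>
<form id="checkout"><input name="card"><input name="cvv"></form>
<script src="https://shop.example/js/app.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-AAAA"></script>
<script src="https://static.thirdparty.test/tag.js"></script>
<script>
/* constructed indicator sample */
var f = document.getElementById('checkout');
f.addEventListener('submit', handleCheckout);
function handleCheckout() { fetch('https://collect.unknown-host.test/in'); }
</script>
</body></html>"""

if __name__ == "__main__":
    for severity, text in audit_html(SAMPLE_PAGE):
        print(f"[{severity}] {text}")
```

Run against the sample page this reports the third-party tag twice (unknown host, no SRI) and the inline script once; the first-party and SRI-protected CDN scripts produce nothing. The heuristics are deliberately narrow, so they complement rather than replace continuous monitoring of what the browser actually executes, which is where obfuscated or dynamically loaded skimmers would otherwise slip past a static check.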
Every business is responsible for protecting its customers and the data those customers share with it to purchase goods and services. If a customer’s data is stolen while filling out one of your forms, and the customer or their bank can trace it back to your lack of client-side security, you will lose brand reputation and might be subject to legal action. If your customer is in the European Union and files a General Data Protection Regulation complaint, you could incur a 20 million euro fine as well as additional litigation costs, depending on how much data the attackers acquired during their formjacking attack.
The dangers that come through the client side are significant, but with knowledge of what is needed, businesses can protect customers and improve their security posture. I encourage you to check out our Inspector and PageGuard products. They are specifically designed to continuously scan for and protect your business against formjacking attacks. If you would like to see our products in action, please request a demo here.