What You Need to Know About Formjacking Attacks

Everything You Need to Know About Formjacking Attacks

1 July 2021

There are dozens of client-side security threats. If you’re reading this, you are trying to figure out which ones might impact your business. If you are in the financial services, healthcare, retail, e-commerce, insurance, or any other industry that uses online forms to collect information from prospects and customers, you definitely need to be aware of and understand how to defend yourself from formjacking attacks. Let’s take a closer look at this type of attack and what you can do about them. 

What is Formjacking?

In formjacking, cyber criminals, financially motivated threat actors, and other hackers insert malicious JavaScript code into their targets’ website. Their goal is to take over the functionality of the site’s form pages to collect sensitive user information or valuable data. This information can include credit card information, personally identifiable information (PII), and other data that can be used to breach networks or be sold on the dark web.

Formjacking Data Collection Targets:

Payment Information

  • Usernames
  • Passwords
  • Email address
  • Credit card information
  • PayPal or Venmo Credentials


  • First and last names
  • Billing address
  • Email address
  • Phone numbers
  • Social security numbers
  • Healthcare information

What is a Formjacking Attack and How Does it Work?

Formjacking attacks are quite simple and behave like Magecart, e-skimming or cross-site scripting attacks. They follow three simple steps. 

  • Step 1
    • The attacker injects malicious scripts directly onto target forms.
  • Step 2
    • The user inputs data in the form. 
  • Step 3 
    • The attacker collects the customer information and sends it to their command and control server for storage and later use. 

Why Attack the Client-side with Formjacking?

Hackers and cybercriminals are always looking for a good deal. They’re also business people and understand the importance of achieving the highest possible return on investment (ROI) on their efforts and time. They seek simple ways to collect large amounts of data efficiently and effectively. Over the past few years there has been an increase in formjacking attacks, in particular, attacks  in which the credit card information and other PII is stolen from users via malicious JavaScript code injected on e-commerce site forms. By injecting malicious JavaScript code onto the forms target businesses use to collect information from their customers, attackers can start collecting PII and credit card information from dozens of customers per day. To learn more about how much customer data is being sold for on the dark web, read our blog “Everything You Need to Know About Magecart and Other Skimming Attacks”. 

What Can I Do to Protect My Business and My Customers? 

Application developers and security professionals need to work hand in hand to continuously scan their web applications and web sites for malicious scripts and client-side vulnerabilities. If any issues are found, they must be mitigated immediately. One thing to note is that without an automated web application client-side protection tool, the continuous scanning and patching process is extremely time consuming. Please don’t rely solely on point-in-time penetration tests and vulnerability assessments. They can only fix what you know now, not what will happen in the very near future. Attackers move faster than a quarterly test or assessment, so your client-side security teams need to be on their toes at all times. 

Next Steps

Every business is responsible for protecting their customers and the data their customers share with them to purchase goods and services. If a customer’s data is stolen when filling out one of your forms, and the customer or their bank can track it back to your lack of client-side security, you will lose brand reputation and might be subject to legal action. If your customer is in the European Union, and they make a General Data Protection Regulation complaint, you could incur a 20 million euro fine as well as additional litigation costs, depending on how much data had been acquired by attackers during their formjacking attack. 

The dangers that come through the client side are significant, but with knowledge of what is needed, businesses can protect customers and improve their security posture. I encourage you to check out our Inspector and PageGuard products. They are specifically designed to continuously scan and protect your business from attackers being able to benefit from Formjacking attacks. If you would like to see our products in action, please request a demo here

Free Assessment

Security for Everyone that Visits Your Website

Find out if your web application is hiding vulnerable, malicious, or dangerous code that could damage your customers and your business. No payment information required.