puhhha - stock.adobe.com

Formjacking dominates web-related data breaches

Formjacking has become one of the most popular data stealing methods, say researchers, who urge commercial websites to review all third-party coding practices without delay

Decentralisation of web content and services is widening the attack surface, leaving businesses and consumers increasingly exposed to password and credit card theft, warn security researchers.

The warning comes in the light of research from F5 Labs that shows payment form hijacking, or formjacking, has skyrocketed in the past two years as cyber criminals increasingly target consumers at online checkout points.

In the typical formjacking scenario, an attacker injects a malicious script into a targeted web page. The page is then loaded by a consumer, who fills in the form to make a purchase. When the form is submitted, the data is sent to the website as expected, but a copy of the data, including payment card details, is also sent to the attacker, who can then use this information to perform payment card fraud or sell it on to other cyber criminals through hacking forums.

Formjacking has emerged as the dominant web injection attack method aimed at stealing personal and financial information, accounting for 71% of all analysed web-related data breaches throughout 2018, according to F5 Labs’ Application report 2019.

The report, which is based on an analysis of 760 breach reports, shows that in the first half of 2019, 83 incidents were attributable to formjacking attacks on web payment forms, impacting a total of 1,396,969 payment cards.

“Formjacking has exploded in popularity over the last two years,” said David Warburton, senior threat evangelist at F5 Networks.

“Web applications are increasingly outsourcing critical components of their code, such as shopping carts and card payment systems, to third parties. Web developers are making use of imported code libraries or, in some cases, linking their app directly to third-party scripts hosted on the web. 

“As a result, businesses find themselves in a vulnerable position as their code is compiled from dozens of different sources – almost all of which are beyond the boundary of normal enterprise security controls. Since many websites make use of the same third-party resources, attackers know they just need to compromise a single component to skim data from a huge pool of potential victims.”

Read more about web security

Of the successful formjacking attacks analysed, 49% occurred in the retail industry, 14% related to business services and 11% focused on manufacturing.

The transport industry was the biggest victim of formjacking attacks specifically targeting personal finance information, incurring 60% of all credit card-related theft during F5’s window of analysis.

Although injection vulnerabilities are not new, F5 Labs said this is a growing and evolving problem as shifting industry trends rapidly prompt new risks and the widening of attack surfaces.

According to the Exploit Database, 11% of newly discovered exploits in 2018 formed part of a formjacking attack chain, including remote code execution (5.4%) and arbitrary file inclusion (3.8%).

“The injection landscape is transforming along with our behaviour,” said Warburton. “Adequately detecting and mitigating injection flaws now depends on adapting assessments and controls – not just fixing code. The more code we hand over to third parties, the less visibility and less control we have over it.”

According to Warburton, organisations will increasingly begin to manage web injection risks in the form of security-oriented service-level agreements (SLAs).

“The mitigation methods recommended in the report are a good start, but it is vital to keep pace with morphing attacker mindsets and capabilities,” he said.

To safeguard against injection attacks, F5 Labs recommends:

  • Creating a web inventory of web applications. This should include a thorough audit of third-party content. The process is complicated by third parties usually linking to additional websites and a tendency for substandard security controls.
  • Patching all systems and applications. Although patching will not necessarily fix flaws in third-party content, it makes it more difficult for attackers to escalate from an initial foothold to substantive compromise. Since web injection is such a versatile technique, it is still critical to patch applications to prevent damage from compromised third-party assets.
  • Vulnerability scanning. For years, CISOs have recognised the importance of running external scans to get a hacker’s eye view of the situation. This becomes even more important when huge quantities of content are assembled on the client side at the last minute.
  • Monitoring for code changes. Regardless of where code is hosted, it is important to gain more visibility – irrespective of whether new vulnerabilities are emerging. This means monitoring GitHub and AWS S3 buckets, as well as native code repositories.
  • Deploying multifactor authentication. Multifactor authentication should be implemented on any system connecting to high-impact assets as injection is often used to bypass authentication to access web server code. Ideally, application-layer encryption can also supplement TLS/SSL to maintain confidentiality at browser level. 
  • Exploring the potential of server software tools. It is possible to set up a content security policy (CSP), for example, to block unauthorised code injections into a website or application. Also, subresource integrity (SRI) web methods can verify that third-party apps have not been altered. Both tools require work to properly fit to a web application. This is where a robust, flexible WAF (web application firewall) comes in.
  • Monitoring for newly registered domains and certificates. These are often used to host malicious scripts while appearing genuine to end-users.

Read more on Web application security

Data Center
Data Management