New Formjacking Campaign Targeting Top Retail Sites

Security researchers at Symantec have recently identified a new formjacking campaign targeting high profile e-commerce sites. Within three months, more than one million formjacking attempts against 10,000 websites were blocked by Symantec, and at least 30 major websites and their regional sites were compromised. Formjacking is the theft of payment information on a checkout webpage via malicious JavaScript code. Typically, formjacking compromises the supply chain, where malicious code is injected into third-party providers’ libraries. In this case, however, a pattern was observed where legitimate sites in the US, Australia, Japan, and Germany would redirect to a Paris-hosted site that contained the malicious formjacking code. The site’s code would also check for the presence of debugging tools in order to avoid security analysis. Websites affected by formjacking continue to operate as usual, making these attacks difficult to identify. Hacker groups like Magecart will continue to carry out these attacks, and it is very likely these types of attacks will continue to increase. The NJCCIC highly recommends site owners test all new updates in sandbox environments and monitor the behavior of their systems for abnormal activity patterns. When integrating third-party scripts, utilize Subresource Integrity (SRI) tags to verify the legitimacy of these scripts. For more information on the campaign, review the Symantec blog post.

AlertNJCCICeCommerce, Campaign