
Formjacking and Other Threats You Should be Preparing for This Season

Formjacking has already hit 800 eCommerce companies and counting. Learn more about this threat and other scams floating around this holiday season.

Cybercriminals are hard at work creating the perfect house of horrors for those shopping online, booking hotels, airline tickets or buying Christmas decorations. The latest scheme waiting for them is known as formjacking.

With this attack, cybercriminals find a vulnerability in the company’s system and inject JavaScript code into the website forms. Most often, those are check-out or payment forms on eCommerce sites. Then, when the victims submit their data (for example, credit card information and email address) to purchase something, this information is transferred to the attacker’s servers. The victim doesn’t realize until much later, when that information is used for a shopping spree.

Just how bad is formjacking?

This technique has been used to hack several companies recently, including British Airways, Newegg, and Feedify. The number of formjacking attacks more than doubled from August to September, according to Symantec security researchers. This rampage of attacks is attributed to the Magecart group, which has been operating since 2015. Since finding this working formula, the group has hit what researchers think are more than 800 eCommerce sites. Magecart has gone so far as to design look-alike web domains masquerading as the real thing to trick users.

That is only one of many ways customers can get tricked this holiday season. Other top scams making the rounds, according to the Federal Trade Commission, include Medicare, utility, Social Security, and vacation rental scams, to name a few. Oftentimes scams start with a phishing email designed to lure unsuspecting consumers to a fake domain to steal their credentials, passwords, account logins, and more. These emails give prompts to collect information that normally seem easy and painless, until the bill for a water motorbike you never bought comes in the mail.

Using behavior as a credential

To protect you from unexpected frights, online companies should monitor any changes occurring on their websites and employ passive biometrics technologies to detect and block suspicious behavior. Businesses should control the code that executes on their website, as such code can come from a legitimate aggregation service or from a fraudster trying to make a profit.

Using passive biometrics, companies identify customers by their online behavior, which flags any suspicious activity such as formjacking, instead of relying on stolen credentials, devices, passwords or other legitimate data that has been sold on the dark web. As an added benefit, cybercriminals can’t replicate inherent human behavior, making the data they steal valueless.
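One concrete way to "control the code that executes on the website," as the paragraph above recommends, is to keep a baseline of the scripts a checkout page is supposed to load and periodically compare the live page against it. The following is an added example, not code from the original post or from any vendor it mentions: it parses a page's `<script>` tags, records the approved external hosts and SHA-256 hashes of approved inline scripts from a reviewed copy of the page, and reports anything on the live page that is not covered. The host names and script bodies are constructed for illustration.

```python
"""Detect unapproved scripts on a checkout page by comparing it to a baseline.

Added example, not code from the original post. It assumes the site owner
keeps a known-good copy of the checkout page (or the hashes derived from it)
and periodically re-fetches the live page to compare. Host names and script
bodies below are constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src="..." on <script> tags
        self.inline = []        # text of <script> tags without src
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def script_hash(body):
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def build_baseline(known_good_html):
    """Approved script hosts and inline-script hashes from a reviewed page."""
    external, inline = collect_scripts(known_good_html)
    hosts = {urlparse(src).netloc for src in external}
    hashes = {script_hash(body) for body in inline}
    return hosts, hashes


def audit_page(live_html, approved_hosts, approved_hashes):
    """Return (kind, detail) findings for scripts not covered by the baseline."""
    external, inline = collect_scripts(live_html)
    findings = []
    for src in external:
        if urlparse(src).netloc not in approved_hosts:
            findings.append(("unapproved-external-script", src))
    for body in inline:
        digest = script_hash(body)
        if digest not in approved_hashes:
            findings.append(("modified-or-new-inline-script", digest[:16]))
    return findings


# Constructed known-good checkout page (reviewed and approved by the site owner).
KNOWN_GOOD_CHECKOUT = """<html><body>
<form id="pay" action="/checkout" method="post">
  <input name="card" type="text"><button>Pay</button>
</form>
<script src="https://static.example-shop.invalid/checkout.js"></script>
<script>
  // legitimate inline helper (constructed)
  document.getElementById("pay").dataset.ready = "1";
</script>
</body></html>"""

# Constructed "live" copy: the same page after two unapproved scripts were added.
LIVE_CHECKOUT = KNOWN_GOOD_CHECKOUT.replace(
    "</body>",
    '<script src="https://cdn-lookalike.invalid/analytics.js"></script>\n'
    "<script>\n  // constructed placeholder for an unapproved script\n"
    "  window.__unapproved = true;\n</script>\n</body>",
)


def run_demo():
    """Baseline from the reviewed page, then audit the live page against it."""
    hosts, hashes = build_baseline(KNOWN_GOOD_CHECKOUT)
    return audit_page(LIVE_CHECKOUT, hosts, hashes)


if __name__ == "__main__":
    for kind, detail in run_demo():
        print(f"{kind}: {detail}")
```

Run on the constructed pages, the audit reports one script from a host that was never approved and one inline script whose hash is not in the baseline, while the reviewed page audits clean against its own baseline. In practice the same check pairs well with a Content-Security-Policy that lists the approved script hosts and with Subresource Integrity attributes on third-party scripts, so that the browser refuses unexpected code rather than the operator only learning about it afterwards.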

Tricks to Give Scams the Slip

As consumers prepare to navigate the online shopping territory, here are a few tips to help them stay away from fraud:

Personal information

Guard it with your life! Make sure you are on a reputable website and check for HTTPS and the green padlock in the browser. You should read and reread the website address and hit the X if anything unexpected appears.

Don’t be reeled in by phishing

Professional-looking fraudulent emails are many times the first point of contact for scammers. Remember that most companies – especially banks – are never going to ask you for credentials by email or phone message. If you receive a deal that looks too good to be true, it probably is. It’s better to pick up the phone and call to confirm, or simply ignore it.

Confirmations of sales or services

If you receive word that you have purchased goods or services that you did not, you should take immediate action and contact your credit card company as well as the company the good or service was bought from. Ignoring these signs only gives the cybercriminal more time to do damage.

Expert’s advice

If you have been tricked, there are organizations that can help. The police’s ActionFraud website, CIFAS, and the NCA can provide up-to-date and helpful information about the next steps to take.
