Leaking Contact Form Data Or Form Jacking – One Of The Biggest Threats To Cybersecurity In 2020
Data breaches, phishing, leaking contact form data, and various other types of hacking strategies have been on the rise in recent years. The COVID-19 situation of 2020 has added a new dimension to hacking activities. With more and more people shopping online, hackers are rapidly evolving. Their newest strategies take advantage of shoppers who are ordering essentials online to avoid leaving the house. Several recent incidents have been reported where cybercriminals have used hijacked payment forms, also called “form jacking” and “e-skimming,” to steal credit card credentials.
Card Owners Are Unaware That Their Details Have Been Stolen
Each time a customer places an order using their credit card details, hackers are a step ahead. Malicious JavaScript code embedded in the contact form harvests any information entered. The transaction proceeds as normal with the customer receiving the product and the vendor receiving payment from the credit card company.
As the experts at HackEDU warn, the card owner typically only realizes weeks later that cybercriminals have accessed their private payment information. The discovery comes when substantial purchases appear on the card. Or, worse, the information may already have been sold for a few dollars on the dark web. A credit card number complete with the security code typically sells for about $5. The login data for payment portals like PayPal would fetch up to $20.
The FBI And BKA Are Issuing Warnings About Form Jacking
The FBI and the Federal Management Report on Cybercrime released by the BKA have issued warnings that cybercriminals are specifically targeting small and medium-sized businesses that accept online orders and credit card payments. That’s because these companies lack the sophisticated defense systems of their larger competitors, leaving them vulnerable to cyber-attacks and data leaks. The time to shore up firewalls and defenses is right now, because malware could potentially remain in a system for months until the hacker retrieves information of value. Of course, larger companies are also targeted because of the higher returns from data breaches.
How Form Jacking Is Conducted
Form jacking is an advanced version of typical card skimming fraud. Traditional skimming involves criminals placing their own card readers in the card slots of an ATM; hidden cameras are also installed to capture customers’ PINs, and the card is then cloned using the collected information. Form jacking goes one step further: attackers phish employees of the target organization and send them malware. Cybercriminals also target third-party providers whose applications have access to the company’s server.
Once a vulnerability is found, malicious code in the form of small hidden JavaScript snippets is delivered and inserted into the web page where customers enter their card details. As soon as a customer makes a purchase, the data are recorded in real time and sent to the hacker. Check out this article on PCMag that explains in detail how form jacking works.
How Companies Can Prevent Form Jacking
The simplest solution that companies can employ is to think like hackers and hire the services of white hat or certified ethical hackers. Using approaches like penetration testing, they check the company’s defenses from the outside and identify holes in the security systems. Such professional consultants look for the particular entry points that could be used to introduce malware, then put the necessary protections in place. Additional measures include:
- Multi-level authentication that works well to safeguard the information that customers provide.
- Hiring IT professionals to audit the company systems and detect when codes are altered even slightly.
- Installing software updates that provide the necessary firewalls for protection.
- Screening the outbound traffic from the company’s websites to ensure that it is reaching the right destinations.
- Using Subresource Integrity (SRI) tags with cryptographic hashes to make sure that the scripts and other files loaded by web pages and web applications are the reviewed versions and have not been altered to include malware.
- Integrating Intrusion Detection and Prevention Systems (IDPS) that identify intruders and prevent the installation of malware into the company’s systems.
Companies using online forms to accept payment from customers must take the necessary steps to safeguard the information entrusted to them. Being aware of the threats out in the world is an important first step. Hiring expert IT consultants is crucial for building defenses against data breaches.