Global AppSec DC 2019

Formjacking attacks are simple and lucrative: cybercriminals load malicious code onto retailers’ websites to steal shoppers’ credit card details, with 4,800+ unique websites compromised on average every month. Both well-known and small-medium businesses were attacked, conservatively yielding tens of millions of dollars to bad actors last year.” - Symantec 2019 Internet Security Threat Report

There are several ways to distribute Formjacking scripts, from browser add-ons to malware on the machine; but the most popular way is compromising the site's 3rd party JS and using them to hitchhike to all of their clients.

Because 3rd party scripts are loaded directly into the browser from remote servers, they are out of bounds for traditional security solutions like Firewalls, WAF’s and such. They are also tough to monitor, as their behavior may change from user to user, making their actions very hard to analyze. However; these scripts share the same level of access to a webpage as the website’s internal scripts. Every script on the page, can have access to every field, manipulate the content of the page and even record keystrokes.

Millions of users were affected by this attack in the past year alone, being the favorite tactic of the Magecart groups (named so for targeting Magento based sites) and many high profile hacks, from Delta Airlines to British Airways, Ticketmaster and more.

The recent rise in Formjacking attacks created much noise, pointing to multiple technologies to try and close this gap; from CSP and SRI to proxying JS to control JS actions on the page and real-time sandboxing. These said with such passion that none are discussing the drawbacks of each approach. In my presentation, I cover all approaches, show real-time demos of Formjacking code, how the advocated methods can block it, and if and how can these be easily circumvented.