Marriott Wardman Park
2660 Woodley Rd NW
Washington DC, District of Columbia 20008 USA
Phone: 1-202-328-2000 

Thursday, September 12 • 4:30pm - 5:15pm
Fighting Formjacking and Magecart - Separating fact from fiction

“Formjacking attacks are simple and lucrative: cybercriminals load malicious code onto retailers’ websites to steal shoppers’ credit card details, with 4,800+ unique websites compromised on average every month. Both well-known and small-medium businesses were attacked, conservatively yielding tens of millions of dollars to bad actors last year.” - Symantec 2019 Internet Security Threat Report

There are several ways to distribute Formjacking scripts, from browser add-ons to malware on the machine, but the most popular way is compromising the site's 3rd party JS scripts and using them to hitchhike to all of their clients.

Because 3rd party scripts are loaded directly into the browser from remote servers, they are out of bounds for traditional security solutions such as firewalls and WAFs. They are also tough to monitor, as their behavior may change from user to user, making their actions very hard to analyze. However, these scripts share the same level of access to a webpage as the website’s internal scripts. Every script on the page can access every field, manipulate the content of the page and even record keystrokes.

Millions of users were affected by this attack in the past year alone. It is the favorite tactic of the Magecart groups (so named for targeting Magento-based sites) and of many high-profile hacks, from Delta Airlines to British Airways, Ticketmaster and more.

The recent rise in Formjacking attacks has created much noise, pointing to multiple technologies to try to close this gap: from CSP and SRI to proxying JS to control its actions on the page and real-time sandboxing. These are promoted with such passion that no one is discussing the drawbacks of each approach. In my presentation, I cover all approaches, show real-time demos of Formjacking code, how the advocated methods can block it, and whether and how these can be easily circumvented.
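
As an added illustration of the SRI approach named above (not code from the talk or the speaker), this Node.js sketch inventories a page's external scripts and mimics the browser's integrity check. The hostnames, script bodies and function names are constructed for the example, and it handles only a single sha384 value per tag.

```javascript
const crypto = require("crypto");

// SRI value for a script body, in the form browsers expect: "sha384-<base64 digest>".
function sriHash(body) {
  return "sha384-" + crypto.createHash("sha384").update(body, "utf8").digest("base64");
}

// List every external <script> in an HTML string, flagging those served from a
// different host than the page and recording any integrity attribute they carry.
function auditScripts(html, pageUrl) {
  const pageHost = new URL(pageUrl).host;
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1].toLowerCase()] = a[2] ?? a[3];
    if (!attrs.src) continue; // inline script: nothing is fetched remotely
    const host = new URL(attrs.src, pageUrl).host;
    findings.push({
      src: attrs.src,
      thirdParty: host !== pageHost,
      integrity: attrs.integrity || null,
    });
  }
  return findings;
}

// Simplified browser behaviour: a pinned script runs only if the fetched body
// matches the hash; a script without an integrity attribute always runs.
function wouldLoad(integrity, fetchedBody) {
  return integrity === null || integrity === sriHash(fetchedBody);
}

// Constructed sample: a checkout page with one first-party and two 3rd party scripts.
const PAGE = "https://shop.example/checkout";
const ORIGINAL = "initChat();";
const TAMPERED = ORIGINAL + "/* body changed at the 3rd party */";
const HTML = `
<script src="/js/cart.js"></script>
<script src="https://cdn.widgets.example/chat.js" integrity="${sriHash(ORIGINAL)}" crossorigin="anonymous"></script>
<script src='https://analytics.example/tag.js'></script>`;

for (const f of auditScripts(HTML, PAGE)) {
  console.log(f.src, f.thirdParty ? "3rd party" : "1st party",
    f.integrity ? "pinned" : "unpinned", "loads if changed:", wouldLoad(f.integrity, TAMPERED));
}
```

The unpinned 3rd party tag is the case the abstract describes: whatever the remote server returns runs with full access to the page.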

Avital Grushcovski

EVP Product & PS, Source Defense
An entrepreneur at heart, Avital is first and foremost a creator and a problem solver. For many years, Avital has brought cohesion to the security, professional services, R&D, and marketing efforts of organizations; finding the balance needed to move the company forward while keeping...

Thursday September 12, 2019 4:30pm - 5:15pm EDT
Lincoln 4