6 Steps You Can Take to Protect Your Company From Formjacking
Cybercriminals use formjacking to take advantage of trusting home buyers operating under the illusion of digital safety. Most prospective clients assume bankers and lenders place everyone's information under a tight watch, trusting the mortgage lenders implicitly as they fill out web forms. They rarely stop to consider who else might be accessing them.
How Does Formjacking Work?
If that sounds bad, it only gets worse: It's far too easy for these formjackers to go undetected for months or even years. They can set the script to activate at certain times of day to avoid a cybersecurity team's working hours or split it into multiple files to make detection that much harder.
Mortgage Lenders: A Tempting Target
Mortgage lenders are a tempting target for their size, ubiquity, and access to sensitive information. What better way to demonstrate what formjacking can do than with the hackers who infiltrated hundreds of real estate websites with a single video?
Sotheby's was only recently able to end the attack campaign, meaning that for one year, their attacker hoarded clients' names, email addresses, phone numbers, and credit card data.
The danger is not limited to clients either. Though news reports tend to highlight the damage to consumers, formjacking can just as easily steal internal information through company portals. If a cybercriminal managed to embed their code into an employee training video purchased from a mass retailer, for example, they wouldn't need to wait long before taking a snapshot of an employee's login credentials.
Formjacking is a growing trend — and it's not going away anytime soon. Though it would be nice to believe that Brightcove's breach was an anomaly, 4,800 websites are compromised with formjacking every month. Attackers especially enjoy targeting third-party tools because the average eCommerce website uses 40-60 of them, with the majority (68%) of those tools accessing form and input fields. Given the prevalence of these tools in modern business, anyone can be an easy target.
Protect Your Organization From Formjacking
Safeguarding your business from formjacking is becoming increasingly important, and there are steps you can take to minimize risk:
Website admins should manage permissions with a zero-trust mentality: In other words, trust nobody — and limit access to those who need it to do their job.
Most data breaches are a result of human error. Educate your staff about cybersecurity best practices.
Require two-factor authentication (2FA) to verify form submissions on your website. While 2FA doesn't stop formjacking itself, it can minimize damage by preventing an attacker from taking over a person’s accounts. The malicious actor must simultaneously compromise both devices customers use for authorization (not an easy feat). Attackers tend to look for easier prey.
Detect unwanted changes to your environment with file integrity monitoring (FIM). You'll be alerted to any changes made to files you've set it to monitor.
Run penetration tests and vulnerability scans. No matter how confident you feel about your security, make it a habit to look for weaknesses and consider new ways to strengthen your cybersecurity framework.
Run quality assurance tests on new updates. Make sure things are operating as you intend before launching something new, from back-end functionality to UI interactions.
It’s time to level up your security and stay multiple steps ahead of cybercriminals — it’s your job to protect your customers’ asse(t)s, and your own! Update your cybersecurity framework and audit your organization with meticulous detail because what you don’t know will hurt you.