Formjacking: The ID Thief’s Latest Weapon

What is formjacking and how can you prevent it?: Internet Scambusters #892

Formjacking — the hijacking of online forms with malicious code — is the latest scam technique for stealing people’s personal information.

The incidence of this newer crime is more than doubling every year and it’s not easy to spot, as we explain in this week’s issue.

We also have an alert explaining why you should never abbreviate this year’s date to “20” rather than “2020”. It’s important, so don’t skip it.

Let’s get started…


Formjacking: The ID Thief’s Latest Weapon


If you ever fill a form out online — and most of us have and likely will again — you could be a target for a newer type of scam called formjacking.

It does what its name suggests — hijacks forms. Hackers “inject” code into forms on legitimate websites. This causes the page to release to the crooks confidential information entered on the form.

The tactic is mainly used to steal credit card information, with the stolen data often sold on to a dark web trader for re-sale to anyone who wants it. But it’s also been discovered in online job application forms.

Scammers have switched to formjacking in a big way during the past couple of years, as consumers become wiser to other card info theft tricks, like “skimming” details at ATMs and gas pumps.

Credit reporting agency Experian recently explained in a web posting: “Like a card skimmer, a formjacked website does its dirty work without disrupting a legitimate transaction. When you place an order on a formjacked website, for instance, the sale goes through as expected, even as your data is transferred to the crooked hackers.”

That means people often don’t know they’re victims until their stolen card details start to be used.

According to Internet security firm Symantec, almost 5,000 sites are formjacked every month. In 2018 alone, hackers were said to have attempted more than 3.7 million formjacking attacks. That figure is more than double the number for the prior year, though many of the attacks have been blocked.

Even well-protected business sites have proved vulnerable to attack via some of their small suppliers who work directly with them but don’t have such high-level security. Symantec lists companies such as Ticketmaster, British Airways, and electronics dealer Newegg as being targeted.

“Our data shows that any company, anywhere in the world, that processes payments online is a potential victim of formjacking,” the security outfit said.

The trouble is that it’s often not possible for a user — or even a victim firm — to tell if a form has been infected with malicious code, since it otherwise behaves normally.

So, your best strategy, the firm recommends, is to stay vigilant and watch for signs that your data has been compromised. This echoes the warning we gave in our annual review that regularly monitoring your online financial accounts (daily if possible) will become increasingly important this year.

Five Actions

Here are five important actions you should take to limit the effectiveness of formjacking:

1. Check your credit card statement for discrepancies when it comes in every month, but try to monitor you card balance as often as possible, especially if you have recently filled in an online form where you had to disclose personal and confidential information.

2. Check your credit scores frequently. It used to be that you could only access your credit report for free three times a year (from AnnualCreditReport.com) but now some of the three big credit reporting agencies, various credit card companies, banks, and even specialist monitoring sites like CreditKarma.com (note: this is not a recommendation specifically for this organization) will give you the information for nothing. You can also pay for other firms to actively and continuously monitor your records in real time and highlight any unusual activity.

3. If you wish, you can freeze your credit records with the “big three” agencies. This will stop anyone who has your details from opening new lines of credit in your name. However, you will also have to unfreeze it if you want to open or extend a credit account.

To learn how to freeze your records, see this guide from the Federal Trade Commission: Free Credit Freezes Are Here. Freezes (and unfreezes) are free. You can also freeze the records of your children.

4. Keep your Internet security software up to date as security companies are working actively on detection and highlighting form hijacking. Many programs can already identify some of them, and as updates are installed, you should be able to cut your risk of falling victim.

5. If you suspect or discover you’re already a victim, notify your bank or card company immediately. You can also add a regular or extended fraud alert, which isn’t the same as a freeze.

Here’s how to place a fraud alert.

Meanwhile, security firms are concentrating their latest efforts on helping targeted companies identify and remove formjacking attempts.

“Corporate awareness of formjacking and the availability of software to detect and disable it means the problem will surely diminish over time,” says Experian. “But as long as hackers keep inventing new forms of electronic theft, we’ll all need to keep watch over our credit activities.”

Exactly.

Alert of the Week

You may have seen new reports warning against abbreviating the date year now that we’ve moved into 2020.

If you were used to just giving only the final two digits of the year, as in 1/1/19, you shouldn’t use that technique this year.

The reason: if you dated a document as 1/1/20, an unscrupulous person could change that to, say 1/1/2015 or 1/1/2030. This could enable them to make serious trouble with some legal documents.

So, instead, you should write 1/1/2020. Get into the habit and save yourself some trouble.That’s all for today — we’ll see you next week.