
Formjacking: Credit Card Theft from Official Sites

By Andre Luiz R. Silva

Ticketmaster and British Airways are two giants among the many e-commerce businesses recently attacked with the (not-so-new) technique of formjacking. In short, the attack plants malicious JavaScript or PHP code in a site's checkout page, where it captures customer data as it is entered. Like phishing, this type of attack merits our attention, since it is one of the primary causes of credit card number leakage. Moreover, it has cost companies serious financial losses and million-dollar fines.


What formjacking is and how it works

Generally, formjacking involves inserting malicious code into a site's PHP or JavaScript, and it can occur on large as well as small websites. Formjacking happens in two ways. The first is direct action on the targeted site itself.

The second, more “popular” variety is called a cross-domain script include and is delivered through third-party scripts. So, once infected, a single script used by thousands of sites can yield massive amounts of stolen data.

Once the code has been inserted, the attackers receive a copy of all the data as soon as the victim clicks “next” or “send” on the checkout page. All this happens quietly, without the consumer knowing, because the purchase goes through normally after the theft. That is why an attack like this can take months to be discovered, or to show up in leaked data or in sales figures.

The trend is for the scenario to get worse, because the attacks are multiplying: Symantec (the Norton Antivirus company) blocked 3.7 million of these attacks in 2018—and more than a million in just the last two months of the year. 

Magecart: big-time attacks and million-dollar fines

Just last July (2019), British Airways was fined £183 million (approximately $229.2 million) under the General Data Protection Regulation (GDPR) for the leakage of the complete credit card numbers of 500,000 clients, which had occurred after a formjacking intrusion in June of 2018.

This is the largest fine that has been levied under the European regulation, and it emphasizes the need for commitment and responsibility on the part of companies with regard to their clients’ data.

The hackers responsible for the leakage belong to Magecart, a group of intruders specializing in inserting malicious code into e-commerce sites that use Adobe's Magento platform, which runs on PHP.


Data leakage: Be on the lookout!

It’s well known that code security weaknesses (that allow hacker invasions) are closely connected to data leakage. The information obtained can be disseminated or sold on the surface web and/or on the deep and dark web.

In the case of web attacks (those whose purpose is to break into systems, as distinct from cons such as phishing), the security company F5 Networks has pointed out that formjacking is the category's “champion”: this technique accounts for 71% of all data leakage stemming from hacking, and 12% of all leakage.


Protection: before or after exposure?

The answer is: both! Application security (together with a good assessment of all third-party scripts in use) is an extremely delicate and important area for anticipating problems and avoiding the type of breach that British Airways suffered (not to mention the fines). However, adequate monitoring and response are also indispensable parts of proper risk management in information security (InfoSec).

And the remediation must go beyond the data leakage itself. Note that instructions and/or code that can provide access to a breach may be posted in collaborative repositories, and those can surface at any time.

If a breach is accessed, an effective data exposure monitoring and response tool then becomes necessary. In these days of increased legal responsibility for data, it is critical that companies exercise extreme care regarding their digital risks, both to protect their business and to avoid fines. Reaction time is another determining factor: a fast reaction can lead to the discovery of system flaws and thus avoid more serious damage.

Axur serves companies that need help in dealing with digital risks such as data leaks. Using thousands of bots and artificial intelligence technologies, we scan the web in search of violations such as the ones you have just read about. Check the phishing solution and, for monitoring the deep and dark web, take a look at Threat Intelligence.



Eduardo Schultze, Coordinator of Axur's CSIRT, graduated in Information Security from UNISINOS – Universidade do Vale do Rio dos Sinos. He has worked since 2010 on fraud involving the Brazilian market, mainly phishing and malware.


Andre Luiz R. Silva

A journalist working as a Content Creator at Axur, in charge of Deep Space and press activities. I have also analyzed lots of data and fraud here as a Brand Protection team member. Summing up: working with technology, information and knowledge together is one of my biggest passions!