To better understand the impact of formjacking on company resources and website visitors, we need to look at where the attacks happen and the best solution to prevent them.
The Flow
When a visitor wants to view your website, a request is sent from their browser to your webserver, which responds by sending your HTML document back. This HTML document is, most of the time, sent through a familiar set of security applications such as: Web Application Firewalls (WAF) and/or Secure Connections (SSL, TLS), IP firewalls, etc.
Once received by the visitor’s browser, references to 3rd Party JavaScript are interpreted, executed, and the website becomes whole. The 3rd Party JavaScript may be used for tracking page views and clicks, producing advertisements specific to your visitor’s interests, or provide enhanced social media functions to the page.
The Attack
The 3rd Party JavaScript servers are the source of the formjacking attacks. Not all JavaScript is at risk and not all servers are vulnerable. However, because JavaScript, as a rule, has full DOM (document object model) access, any 3rd Party JavaScript hosted on a foreign server can become the catalyst for these attacks.
What is worrisome about these attacks is they live outside the standard security perimeter. (WAF, SSL/TLS).
These attacks can sometimes stay undetected for months or years making detection only solutions worrisome: In one example, an attack which targeted a magazine printing platform and had been active since August 2017 was detected in February 2020 – a full 2.5 years later.
The silent nature of these attacks means your visitor is none-the-wiser. If your eCommerce site asks for credit card information somewhere in the checkout process, a visitor may not flag this behavior as suspicious; and because different sites have different checkout flows there’s no real way to let your visitor know that something is wrong.
The Impact
Until recently, the idea of offering security within a visitors browser was a foreign concept. The focal point for website security was on preventing breaches and securing the web application itself.
The need to extend security to a visitors web session should be at the forefront of both internal and external discussion with development and security teams. Groups such as Magecart will continue to exploit 3rd Party JavaScript to the detriment of your visitors.
This need comes with a cost: resources. The best way to alleviate resource cost is to find a product which handles detection and prevention automatically using machine learning and a constantly updating 3rd party database.
The Solution
Source Defense’s VICE offers real-time formjacking prevention, detection, and reporting for any 3rd Party JavaScript you may use now or in the future.
By policing what your 3rd Party JavaScript can and cannot do, VICE protects your visitor from vulnerabilities which they have no control over; forms are secure and their information is safe.