To better understand the impact of formjacking on company resources and website visitors, we need to look at where the attacks happen and the best solution to prevent them.
When a visitor wants to view your website, their browser sends a request to your web server, which responds by sending your HTML document back. Most of the time, this HTML document is sent through a familiar set of security controls, such as Web Application Firewalls (WAF), secure connections (SSL, TLS), IP firewalls, etc.
What is worrisome about these attacks is that they live outside the standard security perimeter (WAF, SSL/TLS).
These attacks can sometimes stay undetected for months or years, which makes detection-only solutions worrisome. In one example, an attack that targeted a magazine printing platform and had been active since August 2017 was detected in February 2020, a full 2.5 years later.
The silent nature of these attacks means your visitor is none the wiser. If your eCommerce site asks for credit card information somewhere in the checkout process, a visitor may not flag this behavior as suspicious, and because different sites have different checkout flows, there's no real way to let your visitor know that something is wrong.
Until recently, the idea of offering security within a visitor's browser was a foreign concept. The focal point for website security was on preventing breaches and securing the web application itself.
This need comes with a cost: resources. The best way to alleviate resource cost is to find a product that handles detection and prevention automatically, using machine learning and a constantly updated third-party database.
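The point above that these attacks live outside the WAF and SSL/TLS perimeter can be checked against the page the server actually delivers. The following is an added example, not code from the original article or from any product: it lists script sources and form targets whose host is not on an allowlist. The sample page, the host names, and the function names `attrValues` and `auditPage` are constructed for illustration.

```javascript
// Added example: audit a delivered checkout page for script sources and
// form targets that point outside an allowlist of expected hosts.
// All host names and the sample markup below are constructed.
const ALLOWED_HOSTS = new Set(["shop.example", "cdn.shop.example"]);

const SAMPLE_PAGE = `
<html><head>
<script src="https://cdn.shop.example/app.js"></script>
<script src="https://stats.thirdparty.example/t.js"></script>
<script src="/js/checkout.js"></script>
</head><body>
<form id="pay" action="https://shop.example/checkout/pay" method="post">
<input name="card_number"></form>
<form id="promo" action="//collect.unknown.example/p"></form>
</body></html>`;

// Collect the value of `attr` from every <tag ...> opening tag in the markup.
function attrValues(html, tag, attr) {
  const tagRe = new RegExp(`<${tag}\\b[^>]*>`, "gi");
  const attrRe = new RegExp(`\\s${attr}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const out = [];
  for (const openTag of html.match(tagRe) || []) {
    const a = attrRe.exec(openTag);
    if (a) out.push(a[2] ?? a[3] ?? a[4]);
  }
  return out;
}

// Resolve each URL against the page URL (handles relative and
// protocol-relative forms) and report hosts that are not expected.
function auditPage(html, pageUrl, allowedHosts) {
  const findings = [];
  const check = (kind, raw) => {
    let host;
    try {
      host = new URL(raw, pageUrl).hostname;
    } catch {
      findings.push({ kind, raw, host: null, reason: "unparseable URL" });
      return;
    }
    if (!allowedHosts.has(host)) {
      findings.push({ kind, raw, host, reason: "host not on allowlist" });
    }
  };
  attrValues(html, "script", "src").forEach((v) => check("script", v));
  attrValues(html, "form", "action").forEach((v) => check("form", v));
  return findings;
}
```

A static pass like this only sees the delivered markup; scripts added at runtime in the browser are not covered by it.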