“Formjacking” is a type of client-side attack which manipulates a web page — within a visitor’s web browser, as they are visiting your website — in order to steal that visitor’s information. Formjacking attacks emulate the look and feel of your own website to leverage the trust you have built with your visitors and turn it against them. By introducing a new form offering a promotion, requesting additional account information for verification, or simply offering a survey, the attacker can extract any information they want directly from your visitor in their own web browser. This has the added benefit of skipping the difficult task of penetrating your existing web security technologies because it takes place in the browser, beyond the reach of traditional web security.

These attacks represent a significant 3rd party risk to organizations around the globe, they are on the rise and news continues to break of widespread campaigns and new methods utilized by adversaries.

The weak link in the digital supply chain is a tantalizing target for cyber attackers. In the case described by Unit24, all compromised real estate sites used the same 3rd party video service from a cloud video platform. 

Recently, Unit42 published an article detailing a specific formjacking attack which affected over 100 real estate sites via a single compromise. This specific attack was perpetrated via the web site’s supply chain and specifically the JavaScript used in the front-end of the website. JavaScript, the language that is used to make webpages interactive, is often used to implement functionality provided by a 3rd party. In this case, realtors used 3rd party code hosted on a 3rd party server to implement a video player within their webpages. This is a common practice in web development; webpages are often made up of thousands of lines of code authored by outside parties and hosted on outside networks.

The attackers in this case compromised the server holding that 3rd party code, modified it to contain a malicious form (i.e., the “formjacking” payload), and then waited for the stolen information to flood into their command-and-control servers. Because these hundreds of real estate websites were instructing their visitors’ web browsers to download and execute that malicious code, the attackers were able to strike at hundreds of thousands of visitors by compromising one server. Further, the compromised server was beyond these real estate businesses’ control; it was simply another link in the broad and deep JavaScript supply chain that makes up every web page on the Internet.

JavaScript supply-chain attacks can cause an immense amount of damage because one compromised piece of 3rd party code can lead to hundreds of seemingly unrelated websites being compromised. Worse still is that 3rd parties are only the beginning of the problem. It is common for a website to integrate many 3rd party vendors into their webpages to provide functionality like analytics, user behavior monitoring, advertising, etc. As is typical in many vendor relationships, these organizations may go through 3rd party risk assessments or other risk management controls before being integrated into the website. This, however, does not fully address the problem.

Third party code frequently requests and executes other code from other sources (in other words, 4th, 5th, 6th, etc. parties). An example of this might be an advertising service which sells ad space on a webpage. That service will sell the ad space in real-time and contact an ad server to retrieve actual contents of the advertisement. That advertising content is retrieved from a 4th party and executed in the visitor’s browser. That advertisement may then retrieve another script to analyze how the visitor interacts with the ad. The analytics code is retrieved from a 5th party server and executed, and so on. Because all of this functionality is implemented in JavaScript, and because JavaScript has no internal security model, any of that code becomes a problem for both the website which integrates it and that website’s visitors. 

Source Defense provides a real time, prevention first, client-side security platform to eliminate the risk associated with client-side JavaScript and prevent formjacking attacks from harming your visitors before they occur. Utilizing our unique isolation technology, Source Defense restricts what 3rd party code can do, and as a result, we can stop attacks from happening no matter where they may occur in the supply chain. Websites protected with Source Defense can integrate outside code into their online experiences quickly and easily and without burdensome pre-deployment investigation or on-going monitoring. For more information and to evaluate the potential risk to your website, check out our free, non-invasive website risk report today.