Researchers at cybersecurity company Symantec have identified a new formjacking campaign targeting a French ecommerce site that is prominently featured in global shopping aggregator listings.

Over 30 online retail websites from all over the world were redirecting traffic to the compromised site.

Formjacking is a term used to describe the injection of JavaScript code into the payment section of a website. This code then skims the payment details of unaware customers and sends them on to threat actors to abuse.

The online store in Paris was injected with a formjacking script which collects the payment information entered onto the website and then sends it to the domain google-analyitics.org, a “typo-squatted” version of the genuine URL google-analytics.com.
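A defender can catch this kind of lookalike by comparing every host a checkout page talks to against the domains it is expected to use. The following is an added example, not code from Symantec or the original article; the `TRUSTED` allowlist, the function names and the sample URLs (apart from the two domains named above) are constructed for illustration.

```javascript
// Assumed allowlist of third-party domains the checkout page is expected to load from.
const TRUSTED = ["google-analytics.com", "googletagmanager.com"];

// Levenshtein edit distance between two strings (single-row dynamic programming).
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0];            // d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];       // d[i-1][j]
      row[j] = Math.min(above + 1, row[j - 1] + 1,
                        prev + (a[i - 1] === b[j - 1] ? 0 : 1));
      prev = above;
    }
  }
  return row[b.length];
}

// Naive split into second-level name and domain; ignores multi-part suffixes such as co.uk.
function splitHost(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  return { name: labels[labels.length - 2] || "", domain: labels.slice(-2).join(".") };
}

// "trusted" = exact allowlist match; "lookalike" = name within maxDistance edits
// of a trusted name (distance 0 means same name under a different TLD).
function classifyHost(host, trusted = TRUSTED, maxDistance = 2) {
  const h = splitHost(host);
  if (trusted.includes(h.domain)) return { host, verdict: "trusted" };
  for (const t of trusted) {
    const distance = editDistance(h.name, splitHost(t).name);
    if (distance <= maxDistance) return { host, verdict: "lookalike", resembles: t, distance };
  }
  return { host, verdict: "unknown" };
}

// Constructed sample of request URLs observed on a payment page.
const observed = [
  "https://www.google-analytics.com/analytics.js",
  "https://google-analyitics.org/collect",
  "https://cdn.shop.example/checkout.js",
];

function auditUrls(urls) {
  return urls.map((u) => classifyHost(new URL(u).hostname));
}

console.log(auditUrls(observed));
```

Hosts reported as "unknown" still deserve review on a payment page; the distance check only prioritises the ones that imitate a trusted name.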

Another piece of injected code on the same web page looks for the presence of debugging tools, such as Firebug, to thwart security researchers analysing the malicious script, a trend security researchers have increasingly noticed.


Siddhesh Chandrayan, Threat Analysis Engineer at Symantec, wrote: “This latest formjacking campaign highlights the fact that attackers are continuously altering and improving their malicious code and exploring new delivery mechanisms to infect more users.”

Symantec researchers say they have identified more than one million formjacking attempts on over 10,000 websites in the last three months alone.


Symantec told Computer Business Review that the scammers had also hacked other ecommerce websites to redirect visitors to the compromised site.

He believes that the Paris site was selected as a target because it is listed in several shopping aggregators.


Traditionally, attackers have targeted retail websites through the software provided by third parties, as these often contain the weak link in the security chain.

Last summer it was disclosed that Ticketmaster was subject to a serious cyberattack in which threat actors made off with the payment details of over 40,000 UK customers. A chatbot designed by third-party supplier Inbenta was identified as the source of the vulnerability.

A report from cybersecurity enterprise RiskIQ identified Magecart tactics and script in the attack, which saw a massive credit card skimming operation that affected over 800 e-commerce websites.

In their report RiskIQ noted that: “Magecart actors breached their systems (Ticketmaster) and, in separate instances, either added to or completely replaced a custom JavaScript module Inbenta made for Ticketmaster with their digital skimmer code.”


Unfortunately, one of the key factors in formjacking or payment-skimming script attacks is that retailers and customers may not be aware that their website and details are compromised. Websites and payment forms operate as normal if the attackers have done their job right.

One way enterprises can protect themselves is to test any new software updates in small test environments. Doing so gives you a chance to spot any unusual behaviour in the script. Software distributors who supply major retailers with products should have monitoring systems in place that detect any changes in their code or in the updating process itself.

Symantec is currently working with the websites involved in this new formjacking attack and so they have not named the websites affected.