Researchers at cybersecurity company Symantec have identified a new formjacking campaign targeting a French ecommerce site that is prominently featured in global shopping aggregator listings.
Over 30 online retail websites from all over the world were redirecting traffic to the compromised site.
The online-store in Paris was injected with a formjacking script which collects the payment information entered onto the website and then sends it to the domain google-analyitics.org; a “typo-squatted” version of the genuine url google-analytics.com.
Another piece of injected code on the same web page looks for the presence of debugging tools, such as Firebug, to thwart security researchers analysing the malicious script; a trend security researchers have increasingly noticed.
Siddhesh Chandrayan Threat Analysis Engineer at Symantec wrote: “This latest formjacking campaign highlights the fact that attackers are continuously altering and improving their malicious code and exploring new delivery mechanisms to infect more users.”
Symantec researchers say they have identified more than one million formjacking attempts on over 10,000 websites in the last three months alone.
Symantec told Computer Business Review that the scammers had also hacked other ecommerce websites to redirect visitors to the compromised site.
He believes that the Paris site was selected as a target because it is listed in several shopping aggregators.
Traditionally attackers have targeted retail websites through the software provided by third-parties, as these often contain the weak link in the security chain.
Last summer it was disclosed that Ticketmaster was the subject to a serious cyberattack in which threat actors made off with the payment details of over 40,00 UK customers. A chat-bot designed by third-party supplier Inbenta was identified as the source of the vulnerability.
A report from cybersecurity enterprise RiskIQ identified Magecart tactics and script in the attack, which saw a massive credit card skimming operation that affected over 800 e-commerce websites.
Unfortunately one of the key factors in formjacking or script payment skimming attacks is that retailers and customers may not be aware that their website and details are compromised. Websites and payment forms operate as normal if the attackers have done their job right.
One way enterprise can protect themselves is to test any new software updates in small test environments. Doing so gives you a chance to spot any unusual behaviour in the script.Software distributors who supplier major retailers with products should have monitoring systems in place that detect any changes in their code or in the updating process itself. Symantec is currently working with the websites involved in this new formjacking attack and so they have not named the websites affected.