Formjacking explained: How hackers target online shoppers, virtually skim card details

Online shopping has grown exponentially around the world. Just in India alone, the e-commerce market is expected to hit $150 billion by 2022. Even as more and more consumers go online, cyber criminals are finding new ways to dupe users and steal their private data. The latest is 'formjacking', a new hacking technique that targets online shoppers.

Formjacking is essentially a virtual ATM skimming technique under which cyber criminals target website of a retailer by injecting malicious codes. These codes give away access to online shoppers' payment details including sensitive card details.

According to a latest Symantec report, more than 4,800 unique websites face formjacking attack every month. It also pointed out that there has been a rapid increase in number of such attacks in last one year. Hackers have also started selling card details and personal data on dark web.

"By conservative estimates, cyber criminals may have collected tens of millions of dollars last year, stealing consumers' financial and personal information through credit card fraud and sales on the dark web, with a single credit card fetching up to $45 in the underground selling forums," according to the report.

"Formjacking represents a serious threat for both businesses and consumers," said Greg Clark, CEO, Symantec.

"Consumers have no way to know if they are visiting an infected online retailer without using a comprehensive security solution, leaving their valuable personal and financial information vulnerable to potentially devastating identity theft. For enterprises, the skyrocketing increase in formjacking reflects the growing risk of supply chain attacks, not to mention the reputational and liability risks businesses face when compromised," he added.

ALSO READ: Large Indian firms lose about $10 million to cyber attacks each year

Some of the recent formjacking incidents involve British Airways, one of the biggest airline services in the world. In September last year, BA said credit card details of its hundreds of thousands of customers were stolen in a cyber attack on its website and mobile app. The airline disclosed over 380,000 card payments were stolen with hackers accessing critical data such as card number, email IDs, and expiry dates.

TicketMaster, a US-based ticket sales and distribution company, suffered a massive cyber attack in July last year affecting about 40,000 customers. Hackers used the formjacking method to attack the platform as part of widespread credit card skimming operation.

ALSO READ: 15,779 Indian websites hacked during January-November 2018, says IT ministry