Formjacking has emerged as the latest attack of choice for cybercriminals looking to make a quick buck.

Edward Gately, Senior News Editor

February 27, 2019

Security Roundup

Move over ransomware, formjacking has emerged as the latest attack of choice for cybercriminals looking to make a quick buck.

That’s according to Symantec’s 2019 Internet Security Threat Report, with details on the latest trends in cybersecurity, including cryptojacking, ransomware, cloud and the breakthrough threat of 2018: formjacking.

On average, 4,800 websites were compromised every month, and tens of millions of dollars may have been stolen as a result of formjacking attacks in 2018.



To get the lowdown on formjacking attacks, we spoke with Kevin Haley, Symantec’s director of product management for security response.

Channel Futures: What is formjacking?

Kevin Haley: The easiest way to think about formjacking is to compare it to a real-world skimmer where the bad guys will take a little hardware device and they’ll put it on top of the credit card reader on an ATM or on a gas pump, and that way you go in there and you pay for gas, the retailer gets your number, the gas is paid for, but the bad guy also gets your credit card number and then can resell it. The virtual equivalent of that is formjacking, where instead of putting hardware on a web server, they’re inserting JavaScript malicious code into that web server so when they use [that] to make a purchase and enter their credit card information, that credit card information goes to the retailer and pays for the goods, but the bad guy has also captured a copy of it and now he has that information in order to resell it in the underground marketplace.

CF: Why has formjacking become so popular?

KH: Because it’s easy to do and so you can make a nice profit from it. You can get rich quick. That’s why people will get into cybercrime, right? Not to work hard, but to get rich quick. Somebody figured out how to make the money and then other people say, “Wow, you’re making money doing that; I’m going to do it too.” So you begin to see it grow.

CF: What types of organizations are being targeted by formjacking?

KH: It is retailers, people you can go and buy something from online, where you’re going to enter your credit card. And when you think about it, when you’re doing a purchase on the web as opposed to in real life, you’re not only putting all the credit card information in, but that CVV code on the back; we always happily enter that when we’re purchasing on the internet as well, so that makes it even more valuable. There have been some examples of very large retailers that have gotten hit, but we’re seeing most of them really happening to small and medium, and they’re less likely to get detected. They may not get as many credit cards in a day, but they could stay there a very long time.

CF: Is it difficult for organizations to protect themselves from formjacking? They would first have to detect that it’s happening and then get rid of it, or maybe there’s a preemptive way to stop it?

KH: There [are] a couple of things working against them. First of all, it doesn’t take a lot of lines of code, and if the bad guy can get onto your website via a vulnerability or bad password management, it’s easy enough for them to insert those couple lines of code and hide it on the site. They also have, in some cases, taken advantage of third-party software. A lot of sites are not creating all the software themselves; they’re licensing different parts of that, maybe a chat program or survey, so those websites are not being written from scratch by the retailer. There [are] various third parties feeding it, and if you get into one of the third parties where the malware gets installed along with the app, the website owner’s probably none the wiser. So that’s really where they’re vulnerable: No. 1, the security of the website itself, and No. 2, the fact that third-party apps are often used on these sites.

CF: Does formjacking present a challenge or opportunity for security providers in the channel, with smaller organizations being targeted because their security may not be as strong as larger organizations?

KH: Absolutely. This is another thing that these smaller players need help with, that need the expertise coming from partners to help them protect themselves. There are things they can do around testing. These updates from some of the vendors they use for their website can monitor for suspicious behavior and look for code that’s maybe malicious and has been embedded on the site. They can protect against changes that are made to some of their content policies. But all of those things are probably well beyond the capability of the average retail site that’s running the web server. So they’re going to need help in protecting themselves against this.

CF: What are some other noteworthy findings of this report?

KH: We actually talk about overall attack numbers from ransomware and cryptojacking, which was a big deal last year — those numbers are going down, and that’s good. But what we’ve seen then, is as it goes down, the shift by the attackers has been to go after businesses. So ransomware in general is down, but there was actually a 12 percent increase in attacks against businesses — so that whole drop in attacks was consumer-[related] and businesses are actually more susceptible. And cryptojacking — we see attackers are going after organizations and businesses – again, as opposed to consumers – because they have more machines and more powerful machines. So again, those numbers are dropping, but that means the attacks are concentrating more toward businesses, and people are going to need help and good security partners to help protect them against those.

CF: Based on the report, is this year shaping up to be different than last year and previous years in terms of the threat landscape?

KH: In some ways yes, in some ways no. If we talk about last year or the year before, that was about people trying to get rich quick using cryptojacking. I think we’re going to see that now in formjacking. So it’s similar in that people are going to try to make money; the bad guys are doing this to make money, but it’s different in that they’re going to move on to whatever the latest thing that appears to give them the opportunity to make that money — and that appears to be formjacking.

SecBI Debuts New Tool for MSSPs

SecBI has unveiled an automated threat detection and response offering designed to help MSSPs maximize their productivity and scalability.



The solution automates both threat hunting – based on comprehensive network traffic analysis – and breach response. It offers: improved analyst productivity; automated and improved detection and remediation; integration with existing infrastructure; ease of scalability, with cloud-based, multitenant deployment; and deployment with minimal ramp-up time.

SecBI delivers automated threat detection and investigation for security operations centers (SOCs) and MSSPs.

“With cyberattacks becoming commonplace for every business size, the MSSP market is set to take off,” said Gilad Peleg, SecBI’s CEO. “However, the most successful MSSPs will be those that possess advanced breach detection and remediation expertise, as well as the tools to scale and increase resource productivity. Providers will benefit greatly from the ability to automate threat detection and response tasks.”

SecBI provides full scope detection, creating a comprehensive view of each cyber incident by combining disparate alerts, events and logs into a single narrative that shows all the affected entities and kill chain, the company said. Finally, the solution delivers gap analysis that identifies network security blind spots and implements fixes.

“Traditional security services are no longer capable of uncovering malicious communications within minutes,” Peleg said. “Having a team of analysts manually review logs from a security information and event management (SIEM) is simply no defense against the types of sophisticated, stealthy and unknown threats we are now seeing.”

Security Pros: Cloud Business Moving Too Fast for Security

A FireMon survey of more than 400 information security professionals uncovered three primary areas of concern: cloud business and cloud security are misaligned; existing security tools can’t handle scale and complexity; and a lack of security budget and resources.

Some 60 percent of respondents either agree or strongly agree that cloud-based business initiatives are accelerating faster than security organizations’ ability to secure them.

Other findings include:

  • Forty-four percent said IT/cloud teams, application owners or other teams outside the security organization are responsible for cloud security.

  • Thirty percent said their relationship with DevOps is either complicated, contentious, not worth mentioning or nonexistent.

  • Nearly 45 percent said their top three challenges for securing public cloud environments are: lack of visibility, lack of training and lack of control.

  • Almost 58 percent said less than one-quarter of their security budget is dedicated to cloud security.



Kurt Mills, FireMon’s vice president of worldwide channel sales and operations, tells us the survey results actually weren’t surprising; instead, they validated many “hybrid cloud security challenges that we have seen through our work with thousands of customers,” he said.

“We have seen firsthand how enterprise business requirements have accelerated beyond IT teams’ ability to secure them,” he said. “Organizations are struggling to determine who has responsibility for cloud security – IT/security teams, DevOps personnel, app owners, business teams [and so on]. And achieving visibility of all assets across hybrid cloud environments remains elusive.”

The survey results present “tremendous opportunity” for MSSPs and other channel companies, Mills said.

“First and foremost, organizations need better visibility across hybrid infrastructures,” he said. “You can’t protect what you can’t see, and it’s no longer satisfactory to only have an understanding of on-premises assets or those in a data center. Visibility must extend to virtual and multicloud environments, and it must be in real time, as enterprise environments are constantly changing. These are new challenges to enterprises, and MSSPs and security providers need to help guide them through the process of resolving these obstacles.”

Enterprises also need better collaboration among business, DevOps and security teams when it comes to global security policy, Mills said. Right now, DevOps and business teams are deploying new apps and cloud initiatives without waiting for security teams to implement the proper security and compliance rules, which introduces “tremendous risk,” he said.

“MSSPs and channel companies have an opportunity to help organizations unite business, DevOps and security teams, and enable security to move at the speed of business by offering global policy management solutions founded on an intent-based security model,” he said. “Intent-based security shifts the focus of access rules and policies away from enforcement points and toward the business, security and compliance intent of each app, asset and resource. Non-security personnel determine the business intent of applications and security personnel define the security and compliance intent, and then all three are aligned, so policy changes can be fully automated and meet the needs of all parties.”

Palo Alto Networks Debuts New Continuous Security Platform

Palo Alto Networks has unveiled three advancements using advanced artificial intelligence (AI) and machine learning, designed to transform how security will be managed in the future.

Cortex is an open and integrated, AI-based continuous security platform. Deployed on a global, scalable public cloud platform, it allows security operations teams to speed the analysis of massive data sets.

Cortex XDR is a detection, investigation and response product that natively integrates network, endpoint and cloud data. It uncovers threats using behavioral analytics, accelerates investigations with automation and stops attacks before damage is done through tight integration with existing enforcement points.

And Traps endpoint protection and response now includes a behavioral threat protection engine that stops advanced threats in real time by stitching together a chain of events to identify malicious activity.



Gonen Fink, Palo Alto’s senior vice president of behavioral analytics, tells us managed service providers can build value-added services around Cortex, starting with Cortex XDR for detection, investigation and response that breaks silos with data integrated across endpoint, cloud and network.

Cortex XDR in combination with MSPs will deliver round-the-clock monitoring, analysis and coordinated response to secure customers’ most critical assets, he said.

“With Cortex, managed service partners will be able to generate new revenue streams and build a variety of services around Cortex XDR, from risk assessment to compliance, as well as maximize their resources by automating manual processes across all program levels (diamond innovator, platinum innovator and innovator),” Fink said. “Cortex XDR will empower managed service partners to disrupt the EDR market and open up more areas for them to deliver the services expertise that our customers need for effective threat hunting and incident response.”



About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.
