Photo: iStock

Hackers are on the prowl as you shop this festive season

  • Online shoppers, though, are not the only ones excited about this festive bonanza
  • Cybercriminals are as inspired as shoppers, and their tools are getting increasingly deceptive

E-commerce companies, including Amazon and Flipkart, are pulling out all the stops to lure users into buying more goods online this festive season by offering lucrative cashbacks and no-cost EMIs on credit and debit cards.

Online shoppers, though, are not the only ones excited about this festive bonanza. Cybercriminals lurking behind proxies are equally inspired—and their tools are getting increasingly deceptive. For instance, more than 4,800 websites were targeted with formjacking code every month on average in 2018, according to a Symantec report published this month. While Symantec blocked over 3.7 million such attacks, it found that 33% of them were detected between November and December, when some of the biggest shopping festivals were on. India, with 5.7% of global detections, was the third-most affected country after the US and Australia.

A formjacking attack occurs when criminals inject malicious JavaScript code into an important web page, such as the checkout page of an e-commerce website. When a user fills out the payment form on the checkout page with their credit card details, those details are sent to the merchant as normal, but a copy is also sent to the cybercriminal who injected the malicious script.

On average, websites compromised in this way stay infected for 46 days. Consumers often don’t notice that they have become the victim of a formjacking attack, because it can happen on a trusted online store with the HTTPS padlock intact: the page is served over a valid TLS connection, and the skimming script runs inside it.

To be sure, most e-commerce platforms do not store credit card CVV numbers in their databases. So even if an attacker acquires a user’s stored card details, they cannot make fraudulent online transactions without the CVV or a freshly generated OTP. However, while these extra layers of security work when a website’s database is targeted, formjacking is different: every detail the user enters on the payment page is captured as it is typed and sent to the remote server. “It doesn’t matter if the e-commerce sites store the CVV numbers or not, at the end of the day formjacking is not about stealing the information saved in a database. Instead, the attackers create a script that can directly send a copy of that information, including the CVV, to their servers,” cautions Luis Corrons, security evangelist, Avast Security.

In addition to targeting outdated or vulnerable websites through formjacking, cybercriminals can go after users directly by injecting malicious code into a vulnerable router, or by infecting the PC or smartphone with a Trojan that creates a backdoor on the device. As per reports, criminals are also exploring new techniques to exploit layer 7 routers used at high-traffic locations such as hotels and airports, injecting malicious code into the web traffic they carry in order to steal card details.

Sarvesh Kumar Sharma/Mint

In an October report, researchers at IBM X-Force and Intelligent Services claimed that a group has been testing malicious scripts on L7 routers to steal credit card details from online transactions through client-side injected JavaScript. The group uploaded the malicious files to VirusTotal, a web-based antivirus aggregator, to check whether they would be detected by the antivirus engines built into the aggregator.

Typically, it’s small- and medium-sized online stores that are compromised. But researchers at Symantec note that even the big ones have sometimes fallen victim to formjacking. For instance, large e-commerce and booking platforms run by Ticketmaster, British Airways, Feedify and Newegg have been targeted by a criminal organisation called Magecart.

Candid Wueest, senior principal threat researcher at Symantec, says that fairly often the website is not even compromised directly. “We have seen a lot of them being compromised because they store the entire website or a few scripts on hosting clouds. And if they are not well configured and writable, it becomes easier for hackers to find the bucket and update it.”

Wueest notes, “Also, we have seen a smaller company, like an advertisement firm or analytic firm, getting compromised. Big stores very often have 10 to 20 different third party scripts on their websites for analytic purposes or for getting advertisements. So if the main source is compromised, they are compromised as well.”
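The two compromise paths described above (a writable script bucket and a hijacked third-party script) both end with a script on the checkout page that the store never vetted. As an added defensive example that is not from the article or from Symantec, the audit below scans a checkout page’s `<script>` tags and flags exactly those changes: inline scripts, scripts from hosts outside an allowlist, and allowed external scripts loaded without a Subresource Integrity hash (so a modified copy would still be accepted by the browser). The hostnames and the sample page are constructed for the example.

```javascript
// Hypothetical allowlist of hosts a store expects to serve checkout scripts from.
const ALLOWED_HOSTS = new Set(['shop.example', 'cdn.analytics.example']);

// Constructed sample checkout page. The last two scripts stand in for the kind
// of additions a formjacking compromise leaves behind.
const SAMPLE_HTML = `
<html><head>
<script src="https://shop.example/js/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.analytics.example/track.js"></script>
</head><body>
<form id="payment"><input name="card"></form>
<script src="https://static.unknown-host.example/jquery.min.js"></script>
<script>document.getElementById('payment').addEventListener('submit', () => {});</script>
</body></html>`;

// Returns a list of findings; an empty list means every script is external,
// from an allowed host, and pinned with an integrity attribute.
function auditScripts(html, allowedHosts) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const body = m[2].trim();
    const srcMatch = attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    if (!srcMatch) {
      // Inline code on a payment page is the classic skimmer footprint.
      if (body.length > 0) findings.push({ kind: 'inline-script', detail: body.slice(0, 60) });
      continue;
    }
    const src = srcMatch[1];
    let host = null;
    try { host = new URL(src, 'https://shop.example/').hostname; } catch (e) { host = null; }
    if (host === null || !allowedHosts.has(host)) {
      findings.push({ kind: 'unknown-host', detail: src });
    } else if (!/\bintegrity\s*=/i.test(attrs)) {
      // Allowed host, but nothing stops a tampered copy from loading.
      findings.push({ kind: 'missing-sri', detail: src });
    }
  }
  return findings;
}

console.log(auditScripts(SAMPLE_HTML, ALLOWED_HOSTS));
```

Run against a fetched copy of the live checkout page on a schedule, any new finding is a change worth investigating, since the 46-day average dwell time quoted above is largely a monitoring gap.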
