Last Updated: 12th September, 2019
Formjacking accounted for 71% of all web-related data breaches in 2018 as attackers sought to steal customers’ financial information in large quantities, according to F5 Labs.
The security vendor’s Application Report 2019, compiled from an analysis of 760 breaches, revealed that attacks such as those featuring Magecart digital skimmers are on the rise among web data breaches.
Already this year, there have been 83 reported attacks on web payment forms, compromising over 1.3 million payment cards, the firm claimed.
The transportation industry was the biggest victim of formjacking attacks, accounting for 60% of all credit card-related theft during the reporting period, followed by retail (49%), business services (14%) and manufacturing (11%).
The report also revealed that 11% of newly discovered exploits in 2018 were part of a formjacking attack chain, including remote code execution (5.4%), arbitrary file inclusion (3.8%) and remote CMD execution (1.1%).
David Warburton, senior threat evangelist at F5 Networks, said that formjacking attacks have “picked up steam” over the past two years.
“Web applications progressively outsource key components of their code, like shopping carts and card payment systems, to third-party vendors. Web developers use imported code libraries or, in some instances, directly link their app to web-hosted third-party scripts,” he said.
“As a consequence, organizations are in a fragile situation as their code is compiled from dozens of distinct sources, nearly all of which are beyond the scope of ordinary corporate security controls. Since so many websites are using the same third-party resources, attackers understand they only need to compromise a single element to browse information from a vast pool of prospective victims.”
This is what happened with several of the major Magecart attacks, including one targeted at a French advertising agency, and another which struck a digital supplier of Ticketmaster.
“Together with our conduct, the injection landscape is transforming,” Warburton said.
“Adequately detecting and mitigating injection flaws now depends on adapting assessments and controls – not just fixing the code. The more code we hand over to third parties, the less visibility and less control we have over it.”