Cyber criminals shift focus toward e-commerce sites: study

Cyber thieves are ramping up their use of malicious codes on e-commerce sites as a way to steal credit card information from consumers, according to a report released Wednesday.

Symantec's annual Internet Security Threat Report said that in 2018 hackers turned to what's known as "formjacking" in order to "steal credit card details and other information from payment forms on the checkout web pages of e-commerce sites." To achieve that, they used malicious JavaScript code, researchers found.

ADVERTISEMENT

"Requiring only a few simple lines of code loaded onto a website, formjacking represents a significant threat to online retailers, or any anyone who collects personally identifiable information from their customers via their website," Symantec said in its report. "On average, more than 4,800 unique websites are compromised with formjacking code every month."

The security firm said cyber criminals likely made at least tens of millions of dollars last year from this sort of attack.

Symantec said the rise in formjacking comes after hackers witnessed "diminishing returns" from other cyberattacks like ransomware and cryptojacking.

"Just 10 credit cards stolen from each compromised website could result in a yield of up to $2.2M each month, with a single credit card fetching up to $45 in the underground selling forums," the report says.

When a customer attempts to make a purchase online, the malicious code gathers all their entered data — payment card details, username, contact info — and sends that information to the hackers' servers, allowing them to commit fraud or even sell them on the dark web.

Symantec notes that while major companies like Ticketmaster and British Airways fell victim to malicious formjacking code in recent months, medium-size retailers tend to be the most widely compromised.

“Formjacking represents a serious threat for both businesses and consumers,” Greg Clark, CEO of Symantec, said in a statement. “Consumers have no way to know if they are visiting an infected online retailer without using a comprehensive security solution, leaving their valuable personal and financial information vulnerable to potentially devastating identity theft."

The report warned that despite the "great privacy awakening" following the Cambridge Analytica data scandal and Facebook's congressional hearings, cellphone privacy is also at risk.

"Smart phones could arguably be the greatest spying device ever created — a camera, a listening device and location tracker all in one that is willingly carried and used wherever its owner goes," the report said. "While already targeted by nation-states for traditional spying, smart phones have also become a lucrative means by which to collect consumers’ personal information, with mobile app developers existing as the worst offenders."