Siphoning data from the customer’s web browser to an attacker-controlled location is among the most common web attack tactics
Online forms such as login pages and shopping baskets are increasingly hijacked by cybercriminals hunting for personal financial information (PFI), according to new research from F5 Labs.
F5 Labs’ Application Report 2019 examined 760 breach reports and discovered that formjacking, which siphons data from the customer’s web browser to an attacker-controlled location, remains one of the most common web attack tactics.
F5 Labs data discovered that the method was responsible for 71% of all analysed web-related data breaches throughout 2018.
“Formjacking has exploded in popularity over the last two years,” said Tabrez Surve, Regional Director – Gulf, Levant & Turkey, F5 Networks.
“Web applications are increasingly outsourcing critical components of their code, such as shopping carts and card payment systems, to third parties. Web developers are making use of imported code libraries or, in some cases, linking their app directly to third party scripts hosted on the web. As a result, businesses find themselves in a vulnerable position as their code is compiled from dozens of different sources – almost all of which are beyond the boundary of normal enterprise security controls. Since many web sites make use of the same third-party resources, attackers know that they just need to compromise a single component to skim data from a huge pool of potential victims.”
Breach data examined by F5 Labs found that 83 incidents in 2019 were attributable to formjacking attacks on web payment forms, impacting a total of 1,396,969 payment cards.
In terms of successful attacks, 49% occurred in the retail industry, 14% were related to business services and 11% focused on manufacturing. The transport industry was the biggest victim of formjacking attacks specifically targeting personal finance information, enduring 60% of all credit card-related theft during F5’s window of analysis.
While injection vulnerabilities are not new, F5 Labs believes that they remain a growing and evolving problem, as shifting industry trends rapidly create new risks and widen attack surfaces.
According to the Exploit Database, 11% of newly discovered exploits in 2018 formed part of a formjacking attack chain, including remote code execution (5.4%), arbitrary file inclusion (3.8%) and remote CMD execution (1.1%).
“The injection landscape is transforming along with our behavior,” said Surve. “Adequately detecting and mitigating injection flaws now depends on adapting assessments and controls – not just fixing code. The more code we hand over to third parties, the less visibility and less control we have over it.”
To safeguard operations, F5 Labs recommends:
“Increasingly, organisations will begin to manage web injection risks in the form of security-oriented service level agreements,” added Surve. “The mitigation methods recommended in the Application Protection Report 2019 are a good start, but it is vital to keep pace with morphing attacker mindsets and capabilities.”