Stay Alert for Holiday Formjacking

As always, there is a lot in security that demands our attention right now. Much of the discussion about the threat landscape in 2021 has (rightly) been about either ransomware or high-consequence vulnerabilities in enterprise software such as Accellion or Microsoft Exchange Server. Amidst all of this excitement, however, it has been easy to overlook the risk to e-commerce from formjacking attacks such as Magecart. However, as the holiday season approaches and online shopping ramps up, we can be sure that attackers haven't overlooked it, so here's a quick reminder about what this threat means to e-commerce organizations and what we can do about it.

In brief, formjacking is an attack type in which threat actors inject a malicious script into an e-commerce site that captures and exfiltrates credit card information from an online shopping cart. F5 Labs has been tracking formjacking attacks for several years as part of the Application Protection Report. While attackers have been using this technique against a progressively broader profile of targets than strictly e-commerce sites, including public utilities and professional organizations, e-commerce is still the prime target because that is where the most easy money is. In 2020, more than half of retail data breaches in the U.S. were attributable to formjacking attacks. One significant factor that makes them so popular is the potential to inject a script once against an outsourced payment platform provider, and have it be served to all of the target's customers, harvesting their customers' credentials. This extracts a huge amount of value for little work-a variation on the supply chain attack approach that has caused so much headache in the last few years.[i][ii]

Formjacking is appealing to cybercriminals because it is a way to quickly extract valuable and easily saleable data. Now, however, it stands to get an additional boost as a result of the growing trend of hacking-as-a-service and affiliate models. Most of the attention on this model at present is focused on Ransomware-as-a-service, since ransomware is such a rampant problem. This approach lets ransomware developers focus on development, and outsources every other part of the attack to affiliates (who often 'rent' the malware). However, this trend is not limited to ransomware. A growing number of intelligence sources indicate that specialization and division of labor in the attacker community is becoming more common and more intensive, meaning that there are now separate experts in gaining an initial foothold, establishing persistence, evading detection, and so on, whose services are all for sale.

This is particularly important for formjacking because the greatest degree of variation between Magecart variants lies in the methods of initial entry and detection evasion.[iii] As long as each formjacking threat actor needs to figure out every aspect of their own vector, this means that attack chains that are powerful in one stage might be hamstrung by limitations at another stage-e.g., that clever injection techniques might be undone by noisy exfiltration or an unsuccessful attempt to masquerade as a Google Analytics or Recaptcha script.[iv]

Now, as specialization and division of labor accelerate in the attacker community, there is the potential for each attack to feature the best practices in each phase of the attack chain. F5 Labs is exploring this phenomenon in greater detail as part of their ongoing research into the application threat landscape, but for the moment this serves as a timely reminder that formjacking is not yet a solved problem-if anything, it is a growing one.

Control Recommendations

There are a number of controls that apply in all scenarios that apply for formjacking as well: inventory, vulnerability scanning, patching, code testing, and log analysis. A WAF or WAAP capability is already mandatory for processing payment cards in the U.S. per PCI-DSS, even though some WAAPs might struggle to catch formjacking exploits, depending on the application architecture. Threat intelligence can also give you a heads up in terms of malicious domains delivering the scripts, if you have the bandwidth to act on such intelligence.

However, there are two technical controls that can mitigate much of the current threat that formjacking poses: Content Security Policies (CSP) and Subresource Integrity (SRI) checks. Both have significant capability to prevent the browser from loading malicious scripts that have been injected. Both also have the ability to break your site if they're not implemented or managed well. Fortunately, there is an abundance of advice and guidance about CSP and SRI, much of which comes from Troy Hunt and Scott Helme, two highly esteemed security researchers and the arguable champions of CSP.[v][vi]

Scott Helme, in particular, has launched a service named Report URI, which collects reports of policy violations for CSP (and many other web functions as well).[vii] Because CSP violations occur on the client side, getting visibility into how the policy is interacting with reality is useful in two respects: it will help you understand when an attack like formjacking or cross-site scripting (XSS) is happening, but it will also help you figure out what went wrong during the inevitable trial-and-error phase of rolling out a CSP.[viii] Helme also implemented a new feature for Report URI in June 2021 named Script Watch, which is essentially a real-time inventory of JavaScript running on your site, irrespective of its source. Script Watch is particularly powerful against some of the masquerading techniques that we've seen in the attacker community.

In short: with formjacking as prevalent as it is, every e-commerce site owner should at least evaluate CSPs and SRI to see if it works for them. They are free controls in that they are supported by all modern browsers, and are potential game changers if used correctly.

Evolved Defenses for Evolving Attacks

Formjacking is not the single most prevalent attack technique around, nor is it the most devastating. However, in terms of a coherent pattern between attacker, technique, and target, it is one of the most clear and focused. Attackers prefer payment cards to other kinds of stolen data because they are easily monetized. The holiday shopping surge is about as predictable as it gets in terms of target behaviors, which probably makes the next few months feel like a bit of a turkey shoot for attackers. We probably can't collectively reduce the risk of formjacking to zero, but with some situational awareness and a few extra controls, you can at least determine what happens on your own e-commerce site (which is, of course, a fine place to start).

_____

[i] For a technical discussion of how this kind of one-to-many attack unfolds in practice, see https://www.trendmicro.com/en_us/research/19/j/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops.html.

[ii] Another example of using a supply chain as a Magecart vector is at https://www.trendmicro.com/en_us/research/19/a/new-magecart-attack-delivered-through-compromised-advertising-supply-chain.html.

[iii] Detection evasion in formjacking is fascinating, both in the form of masquerading such as in https://www.trendmicro.com/en_us/research/19/e/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada.html and in the 'tripwire' capabilities meant to prevent its detection by analysts, as in https://blog.malwarebytes.com/threat-analysis/2019/12/new-evasion-techniques-found-in-web-skimmers/ and https://sansec.io/research/magecart-tripwire.

[iv] To illustrate how an attack chain is dependent on its weakest link (like all chains), see Ben Baryo's piece from summer 2021 the evolution of a single Magecart attacker's script over a few years as their development prowess grew: https://www.perimeterx.com/tech-blog/2021/evolution-of-a-magecart-attack-leveraging-recaptcha-tech-domain/.

[v] Troy Hunt has a great video explainer on CSP here: https://www.troyhunt.com/understanding-csp-the-video-tutorial-edition/.

[vi] Scott Helme has a rundown of how CSPs apply to Magecart attacks here: https://scotthelme.co.uk/hardening-payment-forms-with-csp/.

[vii] https://report-uri.com/.

[viii] The CSP wizard will also help with initial testing: https://scotthelme.co.uk/report-uri-csp-wizard/.