What Is Formjacking?

Communicating in the age of the smartphone

Formjacking is a relatively new form of digital information theft caused by hacker attacks on commercial websites involved in banking, e-commerce and other activities that collect customers' personal information.

Many of the things you might like to call data thieves are unprintable, but it's accurate to include "innovative" with those less flattering descriptions.

When credit card issuers introduced chip cards to help thwart thieves' card skimmers, fraudsters came up with shimming as a way of stealing chip card data. And as consumers have become smarter about managing passwords and avoiding phishing scams, some cyber-crooks have come up with a software hack that can steal credit card numbers, security codes and expiration dates, along with other personal information, stealthily and undetectably as you shop.

An Especially Virulent Computer Virus

Formjacking came to light in late 2018 in a series of data security bulletins from Symantec, a maker of software that detects and blocks viruses and other attacks (including formjacking infections) on corporate computer systems and e-commerce and e-banking sites.

Symantec describes formjacking as software that does in the virtual world what card skimmers do in the real world: Just as a skimmer steals personal data from your physical credit card at the moment you swipe it at a gas pump or ATM, a site infected with formjacking code captures your data as you submit it to an online order form and transmits it to data thieves.

Like a card skimmer, a formjacked website does its dirty work without disrupting a legitimate transaction. When you place an order on a formjacked website, for instance, the sale goes through as expected, even as your data is transferred to the crooked hackers.

Criminals use viruses to insert formjacking code into commercial websites.

Symantec reports that hackers attempted more than 3.7 million formjacking attacks in 2018, and that roughly 4,800 sites are infected each month. Attacks have managed to penetrate even companies with strong cyber-defenses by making indirect "supply chain" attacks: By infecting smaller, less well-defended suppliers and partners of major e-commerce sites, hackers have managed to transmit viruses along with legitimate order processing.

Be Vigilant About Potential Data Compromises

When a site is infected with formjacking code, there are no telltale signs that anything has occurred. You cannot check for the kinds of clues that give away less sophisticated scams, such as bogus URLs and non-secure web connections (like those without "https://" in their URLs), so your best strategy—unless you're prepared to stop shopping online altogether—is to stay vigilant and watch for signs your data has been compromised.

  • Examine your credit card statements carefully each month for transactions you don't recognize, and alert your creditor immediately if you see any suspicious activity.
  • Keep an eye out for unexpected drops in your credit scores, which can be a sign of fraudulent activity, including unauthorized use of your credit card accounts and bogus credit applications made in your name.
  • Consider putting a security freeze on your credit files at all three credit bureaus (Experian, Equifax and TransUnion) to prevent fraudsters from attempting to open new accounts in your name.
  • Consider using a credit monitoring service that can proactively alert you about activity on your credit accounts before you even notice them yourself.

Corporate awareness of formjacking and the availability of software to detect and disable it means the problem will surely diminish over time. But as long as hackers keep inventing new forms of electronic theft, we'll all need to keep watch over our credit activities.