I recently saw a news article published by Symantec stating that cyber criminals are shifting their attack techniques. According to Symantec, “For the first time since 2013, ransomware infections declined, dropping by 20 percent.” Due to the sharp decline in the price of cryptocurrency, attackers are increasingly interested in formjacking attacks, such as MageCart, rather than simply detonating ransomware inside corporate environments and asking for ransom to be paid via bitcoin.

This is very interesting. As noted in my previous blog post, Kaspersky drew a similar conclusion. In that post, I talked about how to leverage deception to effectively detect ransomware. In this post, I will discuss how we could use a deception-based detection solution to fight formjacking attacks.

Formjacking is a relatively new term in cyber security. In Symantec’s definition, “Formjacking attacks are simple – essentially virtual ATM skimming – where cyber criminals inject malicious code into retailers’ websites to steal shoppers’ payment card details.” Symantec claims more than 4,800 unique websites are compromised with formjacking on a monthly basis, and almost one third of the attacks in 2018 happened during the busiest shopping season, November and December. This is absolutely shocking!

The worst part about formjacking is that neither the website administrator nor the online shoppers are aware that credentials are being stolen from the website. Unlike ransomware, which is detectable when encryption starts or the ransom note is shown, formjacking can hide itself inside the web server and secretly collect credit card information for months before anybody notices. Once website code is published, it is generally not checked again until the next update is made. In the meantime, the actual e-commerce transaction goes through as if nothing has happened, without any business interruption. Customers simply continue shopping online and probably will not realize their credit card information has been stolen until days or weeks later. This type of delayed alerting makes the attack extremely difficult to track.

In my opinion, formjacking is an even more powerful and dangerous attack than ransomware for the following reasons:

  • It’s extremely hard to detect and has much longer dwell time in corporate environments.
  • It’s becoming increasingly popular and attractive to hackers because of the high yield. (According to the article, with a single credit card fetching up to $45 in the underground selling forums, attackers get up to $2.2M each month.)
  • It can deeply hurt both the business reputation of the ecommerce website and the customer’s personal identity.

This really puts ecommerce websites and online retailers under pressure. The most recent famous victims include Ticketmaster and British Airways. Over 380,000 credit cards were stolen in the British Airways incident alone, according to Symantec.

If we take a step back and think about the typical attacker workflow, we can see how a deception-based solution could be a perfect tool to fight back. Let me explain how. We all know most corporate breaches start from user endpoints, the laptops and workstations that are the most vulnerable components in corporate security. Once attackers compromise an endpoint and establish their beachhead, they will start looking for high value targets inside the victim network. In the formjacking scenario, the targets are the web servers in the data center. From a compromised endpoint, attackers will try to move laterally into the web farm, where they can inject the malicious code. Once they achieve that, it’s mission accomplished.

Enterprise customers could deploy a deception-based detection solution in the following places to catch and detect the attacker activity.

First, enterprises could set up a number of fake web servers (called decoys) throughout the entire web farm. An ecommerce website typically consists of multiple web servers, sometimes even hundreds or thousands. Even if the attackers safely land on a web server without being detected, it is in their best interest to deploy their malicious code onto as many web servers as possible. It is, therefore, very likely they will eventually try to do so on one of the fake systems as they navigate through the web farm, which will trigger an alert immediately.

Second, enterprises could generate breadcrumbs, fake artifacts meant to lead adversaries to decoys, and distribute them across endpoints in the environment. Breadcrumbs can be of various types, including SMB file shares, saved RDP/SSH sessions and credentials, etc. These are the typical clues attackers look for in their search for high value targets; in this case, the web servers. If any of the endpoints gets compromised, those breadcrumbs could serve as bait leading attackers to one of the intentionally placed decoys (instead of a real web server). Once an attacker connects to the decoy, the deception solution immediately identifies them and various types of responses can be initiated.
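The two placements described above, as an added example (not Acalvio's code and not part of the original post): a sketch that treats any connection to a decoy as an alert and uses a distinct breadcrumb account name per endpoint to show whose bait was harvested. The log format, host names, addresses and the HMAC naming scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-secret"          # assumption: per-deployment key
DECOYS = {"10.20.0.50": "web-decoy-01"}      # constructed decoy inventory

def breadcrumb_user(endpoint):
    """Unique fake account per endpoint, so a login attempt names its origin."""
    tag = hmac.new(SECRET, endpoint.encode(), hashlib.sha256).hexdigest()[:6]
    return f"svc_web_{tag}"

def plant(endpoints):
    """Map each breadcrumb username to the endpoint it was planted on."""
    return {breadcrumb_user(e): e for e in endpoints}

# Constructed log format, one connection attempt per line.
LINE = re.compile(
    r"(?P<ts>\S+) dst=(?P<dst>\S+) src=(?P<src>\S+) "
    r"proto=(?P<proto>\S+) user=(?P<user>\S+)"
)

def triage(lines, planted):
    """Alert on every connection to a decoy; attribute it via the breadcrumb."""
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["dst"] not in DECOYS:
            continue  # non-decoy destinations are out of scope
        origin = planted.get(m["user"])
        alerts.append({
            "time": m["ts"],
            "decoy": DECOYS[m["dst"]],
            "source_ip": m["src"],
            "proto": m["proto"],
            "breadcrumb_from": origin,  # None: decoy found some other way
            "severity": "critical" if origin else "high",
        })
    return alerts

def sample_lines():
    """Constructed sample: one production login, two decoy touches."""
    bait = breadcrumb_user("laptop-042")
    return [
        "2019-03-01T09:00:01Z dst=10.20.0.10 src=10.10.3.7 proto=ssh user=deploy",
        f"2019-03-01T09:14:22Z dst=10.20.0.50 src=10.10.3.7 proto=ssh user={bait}",
        "2019-03-01T09:15:40Z dst=10.20.0.50 src=10.10.3.7 proto=smb user=admin",
    ]

if __name__ == "__main__":
    for alert in triage(sample_lines(), plant(["laptop-017", "laptop-042"])):
        print(alert)
```

Reporting both the connection's source address and the endpoint the breadcrumb was planted on matters because the two can differ once an attacker has pivoted between hosts.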

Using deception is probably the most effective way to combat formjacking attacks. It is completely out-of-band, causes no interruption to regular production traffic, and provides very fast and accurate detection. It can significantly reduce attacker dwell time and help e-commerce websites provide secure and safe transactions to their customers. Acalvio ShadowPlex is a leading deception platform which can help you easily set up web decoys and breadcrumbs in your environment, as described above, whether you are hosting on-prem or in the cloud. If you are concerned about formjacking attacks, please contact us for more information!