Formjacking accounted for 71% of all web-related data breaches in 2018 as hackers looked to steal customers’ financial information in large quantities, according to F5 Labs.
The security vendor’s Application Report 2019 is compiled from analysis of 760 breaches and revealed that attacks like those featuring Magecart digital skimmers are on the rise.
Already this year, there have been 83 reported attacks on web payment forms, compromising over 1.3 million payment cards, the firm claimed.
The transport industry was the biggest victim of formjacking attacks, accounting for 60% of all credit card-related theft during the reporting period, followed by retail (49%), business services (14%) and manufacturing (11%).
The report also revealed that 11% of newly discovered exploits in 2018 were part of a formjacking attack chain, including remote code execution (5.4%), arbitrary file inclusion (3.8%) and remote CMD execution (1.1%).
David Warburton, senior threat evangelist at F5 Networks, argued that formjacking attacks have “exploded in popularity” over the past two years.
“Web applications are increasingly outsourcing critical components of their code, such as shopping carts and card payment systems, to third parties. Web developers are making use of imported code libraries or, in some cases, linking their app directly to third party scripts hosted on the web,” he explained.
“As a result, businesses find themselves in a vulnerable position as their code is compiled from dozens of different sources – almost all of which are beyond the boundary of normal enterprise security controls. Since many web sites make use of the same third-party resources, attackers know that they just need to compromise a single component to skim data from a huge pool of potential victims.”
This is what happened with several of the major Magecart attacks, including one targeted at a French advertising agency, and another which struck a digital supplier of Ticketmaster.
“The injection landscape is transforming along with our behavior,” said Warburton.
“Adequately detecting and mitigating injection flaws now depends on adapting assessments and controls – not just fixing code. The more code we hand over to third parties, the less visibility and less control we have over it.”