What is formjacking? New cyber security scam is on the rise

By Jason Knowles and Ann Pistone
Wednesday, October 2, 2019

CHICAGO (WLS) -- Formjacking can make you a victim on any website, and even some of the most secure sites can be vulnerable. The worst part about this new scam is you don't even know you're a victim until it's too late.

You could be shopping, or filling out a job application or a government form on what you think is a secure website. But it isn't.

"The attacker figures out how to put malicious code on to their website and that malicious code will steal your information," said Andrew Hoog of Chicago-based cybersecurity company Now Secure.

As you're entering sensitive information in an online form, a thief or hacker could actually be lifting it. Experts call the practice formjacking.

"Formjacking is basically a digital version of a credit card skimmer that criminals might attach to an ATM to capture people's card information," explained Justin Martino, senior editor of ConsumerAffairs.com. "It's basically a piece of digital code that's injected into an otherwise legitimate website that will record the digital information that you input on the site, including your credit card information, social security number, bank account number, or anything similar to that."

According to a 2018 report by Symantec, formjacking increased almost 117 percent when comparing the same week in August and September of that year.

"It can hit any website out there so they have to be constantly vigilant of their application code and all of the vendors they use on their website," said Hoog.

Hoog said businesses and website owners can fight off formjacking with ongoing security, but that there is little you can do as a consumer.

"Your transaction goes through. You didn't realize anything was different but behind the scenes the attackers were able to get your private information," Hoog explained.

"So it's definitely on the rise and part of the reason it's on the rise is because there's really no good defense because you can't tell if the website has been compromised," Martino said.

"An anti-virus may not catch this, they may catch a small percentage of them," warned Hoog.

You can get a credit card designated for only online purchases, which can help you streamline those transactions and keep a watchful eye on them. Doing so also means if your credit card is compromised online, you can retain the card you may use for recurring charges in stores or on other bills.

"The easiest way for most people is just to be vigilant and check your credit card statements, your debit card statements each month," adds Martino. "Make sure that there aren't any charges that you didn't put on there. It's always helpful to monitor your credit score because if your social security number is stolen, it's likely you will see your credit score drop as they use your information to make a multitude of new accounts."

Now Secure said you can also ditch the desktop and instead enter personal info on secure mobile apps, then add a more modern form of payment.

"If you are using Apple Pay and Google Pay, it is probably the highest level of security," Hoog said. "If you are using a standard mobile application you will have a higher level of security than a standard website."

But he added that even apps can be targeted in a similar way, a much less common form of the scheme which can be called "appjacking."

So how are hackers able to do any of this? Tech experts say formjackers are getting to your favorite mainstream websites through third parties.

"If you go to a website and go to a customer service chat box, most of the time that's from a smaller company," Hoog said.

Security experts say you can also ask your credit and debit card companies to give you a special digital number for online transactions. That way if the information is compromised, you can retain the physical card and your original card number.