At least 5,600 shoppers of the sportswear brand FILA could have had their personal data compromised on its UK website as a result of a rogue script. The site may have been infected since November 2018, making this the most recent breach in a string of similar attacks on other brands, including Ticketmaster, British Airways, OXO and Newegg.
How Did the Attack Happen?
Attackers used a method called “formjacking” to intercept customer information, adding a malicious script dubbed ‘GMO’ by the Russian security firm Group-IB, after its unique domain (gmo[.]li). It is possible that this unknown JavaScript was active on the fashion brand’s website for the past four months, obtaining the card information of thousands of online shoppers.
What is Formjacking?
Formjacking is a method of data theft, mainly used to steal card details and personal information from e-commerce sites during the payment stage of a transaction. When a customer submits the relevant payment information through the payment form of an e-commerce site, the malicious JavaScript that cyber criminals have injected kicks into action. It collects any information entered onto the page and sends it to the attackers’ servers, where they can then commit payment card fraud or sell the data on to a third party.
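As an added defender-side example (not code from the article or from Group-IB), the following Node.js script audits a constructed checkout page for script origins outside an allowlist and builds a Content-Security-Policy that confines where scripts may load from and where the page may send data; every domain and file name in it is an assumption.

```javascript
// Added example (not from the article, FILA or Group-IB): audit a checkout
// page's <script> tags against an allowlist of origins, and build a matching
// Content-Security-Policy so injected JavaScript can neither load from nor
// post card data to an unexpected domain. All URLs below are constructed.
const SITE_ORIGIN = "https://shop.example";
const ALLOWED_ORIGINS = [SITE_ORIGIN];

// Constructed checkout page: one first-party script, one unexpected
// third-party script and one inline script (the shape a skimmer takes).
const SAMPLE_HTML = `<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.unknown-script.example/loader.js"></script>
<script>document.forms[0].addEventListener("submit", () => {});</script>
</head><body><form id="payment"></form></body></html>`;

// Report external script origins that are not allowlisted, and how many
// inline scripts exist (a strict CSP blocks those unless they carry a nonce).
function auditScripts(html, allowedOrigins, siteOrigin) {
  const unexpected = new Set();
  let inlineCount = 0;
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    if (src) {
      const origin = new URL(src[1], siteOrigin).origin; // resolves relative paths
      if (!allowedOrigins.includes(origin)) unexpected.add(origin);
    } else if (m[2].trim().length > 0) {
      inlineCount += 1;
    }
  }
  return { unexpected: [...unexpected], inlineCount };
}

// Build a CSP whose script-src and connect-src directives only name the
// allowlisted origins; form-action stops the form itself being retargeted.
function buildCsp(allowedOrigins) {
  const list = allowedOrigins.join(" ");
  return `default-src 'self'; script-src 'self' ${list}; ` +
         `connect-src 'self' ${list}; form-action 'self'`;
}

// Would a fetch/XHR/beacon to `url` be permitted by the CSP's connect-src?
function connectAllowed(csp, url, siteOrigin) {
  const directive = csp.split(";").map((d) => d.trim())
    .find((d) => d.startsWith("connect-src "));
  const sources = directive.split(/\s+/).slice(1);
  const origin = new URL(url).origin;
  return sources.includes(origin) || (sources.includes("'self'") && origin === siteOrigin);
}

console.log(auditScripts(SAMPLE_HTML, ALLOWED_ORIGINS, SITE_ORIGIN));
```

Running the audit in a build pipeline or a periodic crawl of the live checkout page surfaces a newly injected script tag; the CSP stops the browser from executing it or from sending captured fields to a domain not on the list.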
Dmitry Volkov, CTO at Group-IB said:
“Cybercriminals might have injected malicious code by either exploiting a vulnerability of Magento CMS (Content Management System), used by FILA.co.uk, or simply by compromising the credentials of the website administrator using special spyware or cracking passwords with brute force methods.”
A Rising Trend
This is not a new technique, but it has grown in popularity since August 2018, affecting a number of high-profile retailers and further illustrating the dangers of supply chain attacks. As formjacking only requires a few simple lines of code to be loaded onto a website, it represents a significant threat to online retailers and to any organization that collects, processes, stores or transmits sensitive customer details. It highlights poor due diligence by online retailers who are not adequately assessing their e-commerce platforms, or who fail to control access to their valuable online assets.
Nicholas Palmer, vice president of international business at Group-IB said:
“People should understand that, despite its simplicity, JavaScript Sniffers shouldn’t be underestimated,” Palmer told Ars. “Ticketmaster, British Airways, and Fila proved that any e-commerce business around the world is vulnerable to this type of attack. And not only online stores get affected, but also payment systems and banks whose clients suffer from payment data leaks.”
How to Protect Your Customers from Formjacking
Reduce the impact of a data breach and take the worry of malicious online attacks away from your organization. Taking any sensitive data associated with the organization “out of scope”, by removing it from your own network and environment, is an effective way of avoiding this form of attack. This can be done using a third-party secure payment solutions provider, such as Key IVR, who offer an industry-leading secure web payments platform and ensure valuable card details are processed safely and securely. Take a look at our Secure Web Payment solutions, or contact a member of our team on +44 (0) 1302 513 000 or email sales@keyivr.com.