Consumer Payment Card News

Cyber Crooks Develop Formjacking to Capture Customer Credit Card Details via E-Tailers

Cyber crooks are getting bored while becoming more sophisticated, driving online shoppers and online retailers crazy. The latest criminal scheme is injecting malicious code into retailers’ websites to steal shoppers’ payment card details. Formjacking attacks are more ambitious, destructive, and stealthy.

Cyber Crooks Formjacking

While a number of well-known retailers’ online payment websites, including Ticketmaster and British Airways, were compromised with formjacking code in recent months, small and medium-size retailers are, by and large, the most widely compromised.

Symantec, the top cyber security company, says its research reveals cyber criminals may have collected tens of millions of dollars last year, stealing consumers’ financial and personal information through credit card fraud and sales on the dark web. Just 10 credit cards stolen from each compromised website could result in a yield of up to $2.2 million each month, with a single credit card fetching up to $45 in the underground selling forums. With more than 380,000 credit cards stolen, the British Airways attack alone may have allowed criminals to net more than $17 million.

Symantec’s latest Internet Security Threat Report also discovered:

  1. Nearly one in ten targeted attack groups now use malware to destroy and disrupt business operations; up 25% compared to 2017
  2. Attackers enhance tried-and-tested tactics including spear-phishing, hijacking legitimate tools, and malicious email attachments
  3. Enterprise ransomware infections jumped by 12%
  4. Cloud resources are increasingly easy targets for digital thieves with more than 70 million records stolen or leaked from poorly configured S3 public cloud storage buckets
  5. More attackers display interest in compromising operational and industrial control systems with the potential for sabotage


In recent years, ransomware and cryptojacking, where cyber criminals harness stolen processing power and cloud CPU usage from consumers and enterprises to mine cryptocurrency, were the go-to methods for cyber criminals looking to make easy money. However, 2018 brought drop-offs in activity and diminishing returns, primarily due to declining cryptocurrency values and increasing adoption of cloud and mobile computing, rendering attacks less effective. For the first time since 2013, ransomware infections declined, dropping by 20%.


Symantec also notes the same security mistakes that were made on PCs during their initial adoption by the enterprise are now happening in the cloud. A single misconfigured cloud workload or storage instance could cost a company millions of dollars or land it in a compliance nightmare. In the past year alone, more than 70 million records were stolen or leaked from poorly configured S3 buckets. There are also numerous, easily-accessible tools that allow attackers to identify misconfigured cloud resources on the internet.

Internet of Things

While the volume of Internet of Things (IoT) attacks remains high and consistent with 2017 levels, the profile of IoT attacks is changing dramatically. Although routers and connected cameras make up the largest percentage of infected devices (90%), almost every IoT device has been proven vulnerable, with everything from smart light bulbs to voice assistants creating additional entry points for attackers.

Smart Phones

Smart phones could arguably be the greatest spying device ever created – a camera, a listening device and location tracker all in one that is willingly carried and used wherever its owner goes. While already targeted by nation-states for traditional spying, smart phones have also become a lucrative means by which to collect consumers’ personal information, with mobile app developers existing as the worst offenders.

According to Symantec research, 45% of the most popular Android apps and 25% of the most popular iOS apps request location tracking, 46% of popular Android apps and 24% of popular iOS apps request permission to access your device’s camera, and email addresses are shared with 44% of the top Android apps and 48% of the most popular iOS apps.

Digital tools that gather cellphone data for tracking children, friends, or lost phones are also on the rise and clearing the way for abuse to track others without consent. More than 200 apps and services offer stalkers a variety of capabilities, including basic location tracking, text harvesting, and even secret video recording.

Other Frauds

Identity theft is the biggest pain-in-the-tookus for Americans, affecting more than 500,000 per year. Unlike hacking your computer, cell phone or other devices, identity theft is usually low-tech committed by unsophisticated slime balls.

Ransomware attacks continue to plague businesses of all sizes including tiny firms, possibly costing U.S. business $100 billion this year. Healthcare firms and even religious organizations have been targeted. Students are also a prime target. While, individuals are targeted too, most hackers go where the money is.