Magecart formjacking attacks against online retailers see a sharp spike in September

• Formjacking involves cybercriminals using malicious JavaScript code to steal payment card details from retailers’ checkout webpages.
• The Magecart group has been active since 2015 and has recently been targeting e-commerce sites.

Formjacking attacks have recently dramatically risen over the past month. The recent Magecart malware attacks that targeted Ticketmaster, Feedify, British Airways and Newegg are indicative of how this attack technique is now increasingly targeting online retailers.

Formjacking involves cybercriminals using malicious JavaScript code to steal payment card details from retailers’ checkout webpages. Although formjacking is not a new attack technique, since August, formjacking attacks have seen a remarkable increase.

Symantec researchers detected nearly 250,000 formjacking attempts since mid-August. Sophisticated cybercriminal gangs like Magecart and its recent attacks are indicative of these attacks. Security expert Kevin Beaumont took to Twitter to announce that the number of domains associated with Magecart has grown to over 1,000.

Symantec researchers found that at least 800 e-commerce sites were hit by the Magecart campaign. The Magecart group has been targeting third-party companies that are used by online retailers to manage website support and other services. Experts fear that if Magecart attackers can compromise one popular third-party supplier, the group could also potentially infect thousands of sites simultaneously.

“If we compare the week of September 13 to 20 to the same week in August, the number of instances of formjacking blocked by Symantec more than doubled, jumping from just over 41,000 to almost 88,500—a percentage increase of 117 percent,” Symantec researchers said in a blog. “Since August 13, we have blocked an average of 6,368 formjacking attempts every day.”