Cyber News Roundup: Formjacking – The Latest Hack and How to Fight Back

Editor’s Note: This is your cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive ongoing updates here.

What’s the latest hack to steal credit card information and personal data from consumers? Formjacking. Formjacking is the latest hacking technique that cyber criminals are using by inserting a small piece of malicious code—malware—on a victim’s system that allows them to snatch customers’ credit card information, reports Alyssa Newcomb, in Forget Phishing and Ransomware. Formjacking Is the New Favorite Hack of Cyber Crooks. According to Symantec’s 2019 Internet Security Threat Report, released on Wednesday, small and medium-sized businesses are the biggest targets of formjacking although big-name brands including British Airways and Ticketmaster have also been victims of attacks. The British Airways attack alone may have netted criminals more than $17 million.

“Formjacking represents a serious threat for both businesses and consumers,” states Greg Clark, CEO of Symantec. “Consumers have no way to know if they are visiting an infected online retailer without using a comprehensive security solution, leaving their valuable personal and financial information vulnerable to potentially devastating identity theft.”

The report says that formjacking attacks are simple and lucrative. How it works is cyber criminals load malicious code onto retailers’ websites to steal shoppers’ credit card details. Each month, more than 4,800 unique websites are compromised with formjacking code. These attacks yielded tens of millions of dollars to bad actors in 2018.

Malware: be careful what you click

Malicious email—email with attachments containing malware—is also on the rise. The report states that 48 percent of malicious email attachments are office files. What happens is an email is disguised as a notification, such as an invoice or receipt. The attachment contains an office file with a malicious script. Opening the attachment executes a script, which then downloads malware. There has been a 92 percent increase in new downloader variants. Employees of small organizations were more likely to be hit by email threats—including spam, phishing, and email malware—than those in large organizations.

Where does your information go?

You’ve heard about the dark web—a subset of the deep web of the Internet that can only be reached using specific software and authorizations. On it, there are sites that sell drugs, hacking software, counterfeit money, and your personal information. But what types of personal information actually gets sold and commoditized there? The latest news reports that personal details for brands such as Amazon, Facebook, and Netflix are for sale. According to a recent article in This is Money, personal login details for some of the world’s biggest brands as well as the video game Fortnite, are available on the dark web. In addition to login information, identity documents such as credit cards, debit cards, drivers’ licenses, passport details, and bank details are also for sale, which could wreak havoc on an individual if compromised. The most coveted information is banking details, such as account information and passwords. Symantec’s research revealed that a stolen payment card can be sold on the dark web for about $45, reports Doug Olenick with SC Magazine.

Simon Migliano, head of research at Top10VPN, offers these helpful reminders for individuals to better protect their information:

  • Use unique passwords. If you’re worried about remembering dozens of complex passwords, you might want to consider a password manager that keeps all of your more detailed logins under one roof.
  • Don’t send personal details via email. Email accounts might sell for a few dollars on the dark web, but that’s actually very cheap for an account that could act as a skeleton key to your entire online life. It doesn’t take much for criminals to scour hacked email accounts for personal details and sensitive conversations that can then be used as gateways to further fraud.
  • Stop oversharing on social media. It’s also worth remembering that uploading photos of your holiday with location tags can let would-be fraudsters know that you’re not home. For extra peace of mind, you might want to lock down your social media accounts – you might not get as many friends or followers, but it means you’ll keep the scammers out too.
  • Use two-factor authentication. Two-factor authentication affords you another layer of protection against identity theft.

Cyber Oregon partner blog post of interest