Formjackers

Towards an Internet-scale Survey of Credit Card Skimming on the Web


Abstract

We propose a novel, dynamic analysis-based detection solution for formjackers. The operating principle of these formjackers, or card skimmers on the web, is typically simple, yet effective: when making a payment on a webshop that has been infected with a formjacker, the submitted payment information is not just transmitted to the webshop, but also silently to the involved malicious actor. Incidents in the past few years with large numbers of potentially affected customers, in the order of hundreds of thousands to millions, and high fines, in the order of tens of millions, have shown the urgency of addressing the issue of card skimming on the web. Currently, the state of the art in detecting formjackers is that of the cybersecurity industry, whose proprietary detection strategies appear to rely heavily on classical, static-analysis techniques. A drawback of these techniques is that they are less suited to detect new or unknown strands of formjackers. To advance the state of the art and enable a comprehensive, large-scale study of formjackers on the web, we wish to go beyond the traditional 'Indicators of Compromise' approach. Instead of building on relatively shallow indicators, such as what formjackers typically look like, or which domains are commonly associated with formjacking campaigns, we propose to look at the underlying, more rudimentary behavior of formjackers, such as accessing data entered into the page. To this end, we introduce and study a detection strategy that ties into these more fundamental behavioral patterns of formjackers by applying dynamic analysis of client-side JavaScript. As an important prerequisite in dynamic analysis, we identify which conditions must be satisfied to elicit malicious behavior in formjackers. We implement two types of dynamic analysis, showing how these conditions can be met in practice. Finally, by crawling various collections of URLs, we study the extent to which the proposed detection solution is suited to detect formjackers.