Skip to Content
Security & privacy

A scary new cyber threat lurking on websites you trust

The cyber-world just keeps getting darker and scarier, with a new danger seemingly popping up every week. The latest is called “formjacking.”

Just like it sounds, malicious actors can swipe data you’re putting into a seemingly innocent online form, such as a job application or even a government form. Hackers can take your information and steal your identity or sell it on the Dark Web.

We’ll tell you how formjacking works and why it is so dangerous. There is also at least one way you can protect yourself from this latest scam.

Legitimate sites infected

When you’re filling out that job application, you probably assume that it is a secure site. But if we’ve learned anything over the years, it’s that when it comes to cybersecurity, nothing is a sure thing.

Formjacking occurs when bad actors attach a malicious code onto a seemingly secure https website. The malicious code then begins to steal information that is being input into a form. Consider it a digital form of credit card skimming.

Worse, consumers often don’t know until it is too late that their information has been stolen.


Related: FBI issues a chilling ransomware warning as cyberattacks grow nationwide


Unfortunately, formjacking is growing. A new report by Symantec finds that in the first six months of 2019, U.S. users were hit with 52% of all global formjacking attacks, compared to 33% in 2018.

The report further states that websites compromised by this form of attack generally stay infected for 46 days. Publicly reported formjacking attacks have taken place on websites such as Ticketmaster, British Airways and more.

In order to curb formjacking, companies must continuously assess the security of their application code, as well as the code that vendors use on their websites. Unfortunately, there is not much a consumer can do to fight back on his or her own.

One way consumers can fight back

What makes formjacking difficult for companies and consumers to catch is that there is no sure way to tell if a website has been compromised. Anti-virus detection catches only a few instances of formjacking.

Perhaps the best way to ensure a company’s cybersecurity is to use its mobile app rather than the desktop version. Overall, a bank or commercial company’s mobile apps are considered more secure because the information is encrypted, while desktop websites often work with third parties — the weak link in the security chain.

While apps aren’t completely immune to being compromised, there are fewer incidents of so-called “appjacking.”

A growing global problem

The U.S. is by far the largest victim of formjacking, at 52%. Way down in second place is Australia at 8% and India at 5.7 %.

While a website can be infected an average of 46 days, there was one case that lasted 15 months; however, Symantic said many other sites had the infected code removed within days.


Related: Hackers sharing clever new ransomware tools


In its report, Symantic states that the number of domains infected with formjacking scripts dropped toward the end of last year. The company warns that this does not mean the problem is going away; instead, targeted companies not directly hosting the contaminated script are loading the remote content from another domain.

This means one infected domain can serve multiple compromised online stores. On average, Symantic detected 5,233 domains per month that pointed to infected formjacking sites.

Komando Community background

Join the Komando Community

Get even more know-how in the Komando Community! Here, you can enjoy The Kim Komando Show on your schedule, read Kim's eBooks for free, ask your tech questions in the Forum — and so much more.

Try it for 30 days