It started with a simple online purchase.
Thousands of Ticketmaster customers in the UK entered their credit card details to buy event tickets. The page loaded perfectly, the transaction completed smoothly, and confirmation emails arrived on time. Everything seemed normal.
Weeks later, reports began to surface. Customers were finding unauthorized charges, stolen card numbers, and personal data circulating on the dark web. The breach did not come from a massive database attack or a server failure. It began with a few lines of malicious code quietly inserted into the website’s checkout form.
This is formjacking, a type of cyberattack so subtle that users rarely notice it and so effective that even global brands have fallen victim to it. In 2025, attackers are moving away from traditional network breaches and shifting toward the client side, the place where users interact with websites through their browsers. Formjacking has become a serious and often invisible threat that many organizations still underestimate. This new wave of client-side attacks highlights the urgent need for more proactive and adaptive security measures.
What Is Formjacking?
Formjacking is a sophisticated type of cyberattack that targets the very forms where users input sensitive information on websites. Instead of attacking servers or databases directly, attackers inject malicious JavaScript code into a website’s front-end, often on payment or login pages. This code operates silently in the background, capturing data such as usernames, passwords, credit card numbers, and other personally identifiable information as soon as it is entered.
From the perspective of the user, the website appears to function normally. Pages load correctly, forms submit successfully, and confirmation messages appear without interruption. There is no visible sign that their data has been intercepted.
The mechanics of a formjacking attack are deceptively simple yet highly effective. First, the attacker gains access to a website or a third-party script that the site relies on, and injects the malicious code. When a visitor fills out a form, the script records the input and transmits it to an external server controlled by the attacker. Finally, the stolen data is exploited for financial fraud, identity theft, or sold on the dark web.
Because these attacks operate entirely in the user’s browser, they often bypass traditional security tools that focus on network or server-level protection, making real-time detection and prevention a significant challenge for organizations.
A Historical Perspective: Formjacking in 2018
Formjacking is not a new threat. In 2018, attackers were able to compromise thousands of websites each month, injecting malicious scripts to steal sensitive payment information from e-commerce shoppers. Among the most notable targets were major brands like British Airways and Ticketmaster, but smaller online retailers were also heavily affected, showing that even mid-sized businesses were vulnerable through their third-party service providers.
During these attacks, malicious code would silently collect user information, including credit card numbers, names, and mailing addresses, as soon as customers submitted payment forms. Stolen data was then used for fraudulent purchases or sold on underground marketplaces, generating significant revenue for attackers. Security firms reported hundreds of thousands of attacks each month, with activity peaking during major shopping events such as Black Friday, Cyber Monday, and China’s Singles’ Day and Double 12.
Analysis of affected sites revealed a broad spectrum of victims. Retailers ranged from small niche stores to large online chains, including fashion outlets in Australia, outdoor equipment suppliers in France, fitness services in Italy, and specialty e-commerce shops worldwide. These incidents highlighted a key risk: attackers often exploited vulnerabilities in smaller suppliers or third-party vendors to gain access to larger organizations, a tactic known as a supply chain attack.
Financially, the impact was substantial. Estimates suggest that cybercriminals generated millions of dollars annually by selling stolen credit card information, with each card yielding tens of dollars on underground markets. These historical cases underscore that Formjacking is one of the most efficient methods for stealing sensitive consumer information and that vigilance in website security is essential to prevent large-scale data theft.
Why Formjacking Attacks Are Rising in 2025?
Formjacking (e-skimming or Magecart attacks) injects malicious JavaScript into website forms to steal payment data. In H1 2025, thousands of e-commerce domains were impacted, with infection rates remaining near late-2024 highs (roughly 3x higher than 2023 levels) despite a slight decline from the peak. This surge follows a 103% increase in infections during the first half of 2024. Here’s why:
- Stealthier Techniques: Obfuscated code hides in obscure HTML/CSS elements (e.g., : before properties) or chained Google Tag Manager (GTM) containers, evading CSP via WebSockets for real-time exfiltration. GTM is abused on sites averaging 23 third-party scripts.
- Supply Chain Exploits: Third-party tools like WooCommerce plugins and GTM are prime targets. Spillover from 2024’s CosmicSting (CVE-2024-34102) tripled early-2025 breaches; over 4,000 Adobe Commerce stores were compromised. More than 2 million sites have been compromised globally since 2015.
- Client-Side Pivot: Server defenses improved, shifting focus to browsers (low-cost and hard to monitor). Kits like “Sniffer by Fleras” (active from 2024) enable easy mobile/PWA hijacks.
- Lucrative & Accessible: Stolen cards fuel dark web sales; formjacking causes ~3/4 of web breaches, half in retail. PCI DSS 4.0 (effective March 2025) adds script controls but hasn’t curbed actors.
- E-Commerce Focus: Multiple groups targeted retail; expansions to WordPress from Magento. Examples include Cisco (2024) via unpatched CVE-2024-34102.
How Formjacking Attacks Work
A formjacking attack is a type of cyberattack where malicious actors inject malicious code into a website’s forms, such as payment or login forms, to steal sensitive information entered by users. The process typically involves the following steps:
Main Attack Flow
- Exploit Vulnerability
Attackers first scan the target website for security weaknesses, such as flaws in third-party scripts (e.g., chat tools or ad plugins) or injection points in the site’s code (like XSS vulnerabilities). Once identified, they gain stealthy access without triggering alarms. This step serves as the entry point, akin to unlocking an unsecured door.
- Install Malicious Script
Leveraging the vulnerability, attackers inject a JavaScript code snippet into the website’s form pages. This script “hijacks” form input events, such as monitoring keystrokes for credit card numbers or passwords. The script is typically loaded dynamically (e.g., via AJAX requests) to keep the site’s appearance unchanged, leaving users oblivious.
- Obfuscate the Script
To evade detection by security tools (like firewalls or antivirus software), attackers obfuscate the malicious script. This involves techniques such as encryption, variable renaming, or code compression, making it resemble harmless legitimate code. This extends the script’s lifespan and delays removal.
- Skim End User Data
As users normally fill out and submit the form, the malicious script captures the data in real-time (e.g., names, addresses, credit card details). The information is bundled and transmitted via covert channels (like POST requests) to a server controlled by the attacker. Users complete their actions seamlessly, unaware that their data has been duplicated and exfiltrated.
- Sell End User Data on Dark Web
Attackers package and sell the stolen data on dark web marketplaces or use it for their own scams. Prices vary based on data quality (e.g., full credit card info fetches higher value), leading to consequences like identity theft and financial losses for victims.
Branching Path: Reuse End User Data to Breach Other Systems
From Step 4 (skimming data), attackers can branch out by using stolen credentials (e.g., usernames/passwords) for “credential stuffing” attacks to log into other sites or services (like banks or email accounts). This creates a chain reaction, expanding the breach’s scope and potentially triggering alerts.
Why Formjacking Is So Difficult to Detect?
Formjacking is a highly stealthy cyberattack, injecting malicious JavaScript into website forms to siphon sensitive data (e.g., credit card details) without disrupting the user experience. It thrives in the shadows of legitimate sites, evading users, admins, and tools alike. Below is a streamlined breakdown of detection challenges, organized by stakeholder.
1. For the End User: The Illusion of Normalcy
Seamless Experience
Everything looks authentic. The URL is correct, the padlock icon confirms HTTPS encryption, and the checkout process completes without errors or delays. Users receive confirmation emails as expected, giving no reason to suspect anything went wrong.
Undisturbed Transactions
The injected script does not interrupt the legitimate transaction. It simply duplicates the entered data, such as card details, names, and billing addresses, and sends a hidden copy to the attacker. Victims often remain unaware until they later notice unauthorized charges on their credit card statements.
2. For Website Administrators and Security Teams: A Multifaceted Challenge
The Third-Party Supply Chain Vector
Modern websites rely on dozens of third-party scripts, from analytics and chat tools to payment processors and advertising libraries. This interconnected structure creates fertile ground for attackers. By compromising just one trusted vendor, threat groups such as Magecart can silently distribute malicious code across thousands of websites at once. Monitoring every script’s behavior in real time is nearly impossible, leaving many organizations unknowingly exposed.
Stealthy and Evasive Malicious Code
- Obfuscation: Attackers disguise their scripts through obfuscation and minification, turning readable code into what looks like random text. This easily bypasses signature-based scanners.
- Dynamic Loading: Instead of embedding malicious code directly, attackers load it dynamically from external sources. These scripts may activate only under certain conditions, such as on checkout pages or for visitors from specific countries, making them even harder to detect. Techniques such as MutationObserver or delayed execution through setTimeout further conceal their presence during manual or automated scans.
Minimal and Camouflaged Data Exfiltration
- Tiny Footprint: Each theft involves only a few hundred bytes of data, blending perfectly with normal traffic.
- Disguised Exfiltration: Stolen data is hidden inside requests that appear harmless, such as a one-pixel image or an analytics call. Attackers often use reputable cloud services such as AWS or Google Cloud or compromised legitimate domains as their drop points, and they encrypt the stolen data to evade inspection.
Ephemeral and Targeted Attacks
Malicious code can be programmed to be “low-and-slow,” activating only for 1 in every 1,000 visitors or only targeting users from specific countries. This intermittent behavior drastically reduces the chance of being spotted during log analysis or security testing.
Server-Side Transparency
Formjacking is a client-side attack. Because the data is stolen from the user’s browser before it is securely submitted to the website, the website’s backend servers see no anomalous activity. From the server’s logs, it’s a legitimate, successful transaction. This creates a critical blind spot.
3. For Automated Security Tools: Built-In Blind Spots
Limitations of WAFs
Web Application Firewalls focus on blocking inbound threats such as SQL injection or cross-site scripting. They are not designed to detect outbound data theft from the user’s browser, which creates a significant blind spot.
Static Scanning Gaps
Periodic malware scans often fail to detect dynamically loaded scripts that activate only under specific conditions or for certain users.
Lack of Real-Time Client-Side Visibility
Traditional security tools monitor server infrastructure but do not observe what happens inside the browser. Without real-time behavioral analysis of front-end activity, formjacking often remains invisible until after the damage has been done.
GeeTest’s Practical Defense Against Formjacking
GeeTest does not prevent Formjacking by directly scanning for or removing malicious skimmer code. Instead, it employs a more sophisticated strategy: it changes the fundamental rules of the form submission process to render the stolen data either useless or extremely difficult to leverage successfully.
Here’s a breakdown of the core mechanisms GeeTest uses to achieve this.
1. Dynamic Tokenization: Making Stolen Data “Obsolete”
This is the most critical defense mechanism.
- The Problem with Traditional Forms: In a standard login or payment form, the user’s credentials (username, password, credit card number) are static. Once stolen by a skimmer, an attacker can reuse them directly.
- GeeTest’s Solution: The GeeTest verification process (e.g., slide unlock, puzzle captcha) generates a dynamic, one-time-use
tokenupon successful completion. This token serves as cryptographic proof to the website’s backend that the request originated from a genuine, verified user session. - How This Prevents Formjacking:
- When the user submits the form, the front-end must include this valid GeeTest
token. - The website’s server validates this
tokenwith GeeTest’s server to ensure it is legitimate and hasn’t been used before. - The Key Point: Even if a Formjacking skimmer successfully steals the user’s raw input data (like a password), it cannot capture this dynamic
tokenbecause it is generated by GeeTest’s system in response to the user’s specific verification action. - Without a valid, fresh
token, any authentication or payment request made by the attacker with the stolen credentials will be rejected by the website server. The stolen password becomes a worthless piece of data on its own.
- When the user submits the form, the front-end must include this valid GeeTest
2. Behavioral Biometrics and Risk Sensing: Detecting “Non-Human” Submissions
A GeeTest captcha is not just a puzzle; it’s a behavioral analysis engine.
- Data Collection: During the interaction (sliding, clicking, etc.), GeeTest collects hundreds of behavioral telemetry data points. These include mouse movement trajectory, click precision, acceleration, dwell time, and device fingerprinting information.
- Risk Analysis: GeeTest’s backend AI engine analyzes this data in real-time to determine if the interaction is from a legitimate human or an automated script/bot.
- How This Prevents Formjacking:
- If an attacker attempts to reuse stolen credentials using an automated script, their interaction patterns during the GeeTest challenge will likely be flagged as “non-human” or “high-risk” by the AI.
- GeeTest can then return a “verification failed” or “high-risk” signal to the website server. The server can then block the request, require additional authentication, or flag it for manual review.
Since Formjacking often relies on tampering with third-party scripts, GeeTest is designed with security measures to protect its own integrity.
- Mandatory HTTPS: All communications are encrypted via HTTPS, preventing man-in-the-middle attacks and data eavesdropping.
- Code Obfuscation and Anti-Debugging: The client-side JavaScript is heavily obfuscated, minified, and may include anti-debugging logic. This makes it significantly harder for attackers to reverse-engineer the code or directly manipulate the GeeTest widget itself.
3. Defensive Scenario Simulation
Imagine a website’s login page, integrated with GeeTest, has been compromised by a Formjacking skimmer.
- The Attack: A hacker has injected a skimmer via a compromised third-party script.
- User Action: A legitimate user enters their
Username: aliceandPassword: 123456and successfully completes the GeeTest slide puzzle. - Skimmer Theft: The skimmer successfully steals
Username: aliceandPassword: 123456. - GeeTest in Action: Simultaneously, GeeTest generates a one-time
token: geetest_8a6f5d4c7..., which is submitted with the form to the website server. - Attacker’s Failed Attempt: The attacker, using the stolen
alice / 123456, tries to log in from their own location.- They are immediately presented with a GeeTest challenge.
- Even if they use a cheap captcha-solving service to pass it and get a new token, the token they use is different from the one stolen earlier (which is now expired).
- More importantly, their automated behavior or connection from a suspicious IP/device may be flagged by GeeTest’s risk engine.
- The website server, upon receiving the login request, first validates the GeeTest token. Without a valid token, the request is rejected outright. Even with a valid token, a high-risk score can lead to denial.
Conclusion
Formjacking represents a new generation of cyberattacks that exploit the weakest link in web security, the client side. It operates silently within trusted websites, turning ordinary user interactions into opportunities for data theft. As digital commerce expands and organizations depend on complex supply chains, the risk of client-side data exposure continues to grow.
Defending against this evolving threat requires more than basic patches or reactive detection. It calls for solutions that reshape the way users and websites interact, ensuring that even when malicious scripts infiltrate a page, the stolen information becomes useless to attackers.
GeeTest provides exactly this kind of proactive protection. Through dynamic tokens, real-time behavior analysis, and secure code mechanisms, GeeTest builds a layered defense that neutralizes formjacking attempts before data is compromised. It helps businesses safeguard customer trust, protect sensitive information, and strengthen the integrity of every digital transaction.
Protect your users before invisible attackers can act.
Discover how GeeTest can help your organization build a safer, human-verified web experience. Learn more about GeeTest CAPTCHA →
