Sage Advice - Cybersecurity Blog

Formjacking is on the Rise – A Look at the Top Cyber Threats

crytojacking-on-the-riseCybercriminals are driven by opportunity and go where the money is. As soon as the good guys figure out how to stop them, they’ve already figured out their next move. So, it’s no wonder that the cyber threat environment is constantly changing, and exploits continue to evolve and shift.

Situational Risk Awareness — being aware of the risks posed in any given situation — is one of the best ways to be prepared to defend your organization against these evolving threats. To provide us with insight on the latest cyberattack trends, Symantec analyzes data from their Global Intelligence Network and regularly publishes their findings in The Internet Security Threat Report.  Let’s explore a few of the top cyber threats from their most recent report, published in February 2019.


Formjacking is the theft of credit card information and other personal details from a retailer’s website. Using javascript code, criminals are able to take the information right from the payment forms at checkout. This type of attack rose to prominence in 2018 with over 4800 websites compromised every month. According to Symantec, “With data from a single credit card being sold for up to $45 on underground markets, just 10 credit cards stolen from compromised websites could result in a yield of up to $2.2 million for cyber criminals each month.”

The increase in formjacking attacks has been linked to Magecart, a group or groups of threat actors known for carrying out this type of attack. In 2018 Magecart was linked to many high-profile attacks, including Tickmaster and British Airways, and reportedly tens of millions of dollars were stolen. Their success was in large part due to infecting the source-code of third-party e-commerce software development services, which allowed them to inject their malicious code onto hundreds of targeted websites with a single attack. Because why only target one website when you can target a vendor and hit hundreds of sites in one shot?


Cryptojacking is the surreptitious “mining” or “minting” of virtual currencies using compromised hardware. It rose to fame in 2018 to overtake Ransomware as the cyberattack of choice. In 2018 Symantec, “blocked more than four times as many cryptojacking events as in 2017 — almost 69 million cryptojacking events in the 12-month period, compared to just over 16 million in 2017.”

Activity is in decline however, as cryptocurrency values have dropped significantly, especially in the last months of 2018. Just recently, Coinhive, a cryptomining service announced it will discontinue its services on March 8, 2019 because of declining returns. According to Brian Krebs, “[Coinhive] has been heavily abused to force hacked Web sites to mine virtual currency.”

Even though prevalence of cryptojacking appears to be tied to cryptocurrency values, the threat is worth keeping on our radar.


Ransomware takes over your computer, threatens harm, usually by denying access to your data, and demands a ransom. After reaching amazing heights in 2017, ransomware activity declined in 2018 for the first time since 2013. But even though overall ransomware infections were down, enterprise infections were up by 12 percent according to Symantec.

Following the trend of mass-infection though, ransomware attacks are beginning to target managed service providers (MSPs), so they can infect all of their clients at once.  According to BleepingComputer, “Recent reports indicate that multiple MSPs have been hacked recently, which has led to hundreds, if not thousands, of clients being infected with the GandCrab Ransomware.”

If you’re using an MSP, be sure that your integration software is up-to-date and secure, and that they aren’t using a generic account to administer your environment. It’s your responsibility to ensure they have the same level of security controls as you have!

And for some good news: A free decryptor for GandCrab Ransomware was recently released and includes tools for versions 1, 4, 5, and 5.04 – 5.1. It can be found at the No More Ransom Project website, which is a collaboration between Europol, the Dutch National Police, Kaspersky Lab, and McAfee.

Living off the Land (LotL) Attacks

LotL tactics involve using trusted off-the-shelf and pre-installed system tools to carry out an attack. They allow attacks to hide their malicious activity in with legitimate processes. Fileless malware is an example of a LotL techniques, which operates by using legitimate programs, typically PowerShell, for malicious purposes.

According to the Symantec report, “PowerShell usage is now a staple of both cybercrime and targeted attacks — reflected by a massive 1,000 percent increase in malicious PowerShell scripts blocked in 2018 on the endpoint.”

The expanding use of LotL techniques poses a challenge for organizations because they are very difficult to identify and block. Advanced detection methods, like behavioral analysis and threat hunting, are often required to find these attacks arriving through trusted channels, using legitimate tools for malicious purposes.

To learn more download Symantec’s 2019 Internet Security Threat Report here.

Penetration Testing Guide Banner CTA

Topics: Malware, Risk Management

The Tyler Cybersecurity Lifecycle

Cybersecurity isn’t a destination.

Cybersecurity Lifecycle

There is no single, straight path that will get you to the point where you can say, “We did it! We’re 100% cyber-secure.”

A more realistic destination is cyber resiliency – the ability to prepare for and adapt to changing conditions, so you can withstand and recover rapidly from disruptions. Achieving cyber resilience depends on what we like to call the cybersecurity lifecycle – an ongoing cycle of interconnected elements that compliment and reinforce one another.

Learn More