Cryptojacking and formjacking - rising threats
Ifran Esmail | Managing Consultant, TELUS
Co-authored by: Joaquin Puga del Rio | Security Consultant II, TELUS
It seems as though there’s always a new information security issue and each time, a similar story follows: unsuspecting people are victimized by others who use technology (and its flaws) to their advantage. The stories are hard to keep up with and often don’t clearly articulate how the issues affect us individually. They introduce fear and uncertainty with respect to our ability to safely navigate the digital world.
Two of the latest cyber threats to appear in the news include cryptojacking and formjacking. Forbes magazine reported in 2018 that cryptojacking is now more prevalent than ransomware.
Cryptojacking is a term used to describe a situation where malware has been installed on your device. This malware then silently puts your device to work which entails completing computational tasks in exchange for digital currency, thereby generating money for the cybercriminals behind the malware.
Formjacking is a term used to describe an attack where information you submit in an online form (credit card and other personal information) is intercepted between your device and the website you are using. Your information is then gathered and used to make a profit. For instance, your data could be sold and/or used to make purchases without your authorization. Symantec reports that roughly 4,800 websites are infected with formjacking malware every month.
Tips and guidance
Realistically, the specific names of each security issue are not as important. What’s critical, is knowing how to protect yourself against these and other threats.
Below are some key principles to adhere to, to help ensure your security:
- Ensure you keep all of your internet-connected devices up to date. This includes operating systems, software, browsers, mobile apps and more.
- Don’t click or install anything that looks suspicious or sounds too good to be true.
- Be cautious of any messages you receive (be it via text, email, WhatsApp, Facebook, LinkedIn or on any other platform), especially if the sender asks you to take action like clicking on a link. If something seems suspicious, confirm the message by using alternate means like a phone call (be sure that you’re calling the right place by searching for a contact phone number online or on an official statement/letterhead; don’t use the contact information provided within the message).
- Don’t get pressured into taking action like sending money, personal information, running/installing a program, going to a website - even if the message states that there will be consequences for inaction.
- Always carefully check the sender information of a message. Don’t assume that a message from a name which looks familiar is actually legitimate.
- Ensure websites you visit are trusted; try to use major retailers when shopping online.
- Always ask questions and trust your instincts. If you are concerned about something, ask someone you trust to validate your concerns.
- Enable multifactor authentication whenever possible. If a malicious party steals your credentials, the secondary log-in step and verification process will prevent them from being able to use your credentials maliciously.
- Use a password manager. This will allow you to use a unique, strong password for each of your online accounts.