Formjacking Explained: When Your Contact Forms Become a Backdoor


You’ve got your checkout secured, your SSL locked in, and your site’s running smoothly. But what about your contact form?

Formjacking is an often-overlooked but increasingly common attack where hackers steal customer information by hijacking any form on your website — not just payment fields.

In this article, we’ll explain how formjacking works, why it’s dangerous, and what you can do to prevent it.

What Is Formjacking?

Formjacking is when attackers inject malicious JavaScript into your site that “listens in” on what people type into form fields — such as:

  • Contact forms
  • Account login or registration forms
  • Newsletter sign-ups
  • Shipping and billing information

Once the user hits “submit,” the form works normally… but a copy of the data is quietly sent to the attacker in the background.

Think of it like credit card skimming, but for everything from names and emails to passwords and phone numbers.

How It Works (Simplified)

1. The attacker gets code onto your site

Usually via a plugin vulnerability, theme exploit, or an infected third-party script.

2. They inject malicious JavaScript

Often placed on a page with a visible form, like /contact, /checkout, or /account.

3. They use “event listeners”

The script records input values (name, email, etc.) or intercepts the form submission.

4. Data is exfiltrated silently

The user gets a confirmation message, while their data is sent to the attacker’s server — sometimes encrypted to avoid detection.

Why It’s So Dangerous

  • It doesn’t break anything — so users don’t notice
  • Works on any form, not just payments
  • Can bypass traditional backend security tools (since it happens client-side)
  • Captures sensitive personal data, creating GDPR or PCI-DSS exposure
  • Often goes undetected for weeks or months

Even basic contact forms can be weaponised.

Real-World Examples

In 2021, attackers hijacked a feedback form on a mid-size retail site, stealing names, emails, and phone numbers of thousands of customers.

In multiple Magecart campaigns, formjacking was used alongside checkout skimming — stealing both personal and payment data in a single hit.

These aren’t just theoretical risks — this happens every day.

How to Protect Your Site from Formjacking

1. Monitor all pages with forms, not just checkout

Use real-time script monitoring tools or JavaScript integrity solutions.

2. Implement Content Security Policies (CSP)

This restricts which scripts can run and from where, blocking most injection attempts.

3. Use Subresource Integrity (SRI) for external scripts

Ensures that if a CDN or vendor is compromised, your site won’t automatically load the malicious version.

4. Avoid unnecessary third-party scripts

The more you load, the more doors you open — even marketing tools can be abused.

5. Keep plugins and themes up to date

Outdated code is the #1 entry point for formjacking.

6. Use field validation and CAPTCHA wisely

These don’t stop attackers, but they reduce bot-based form abuse and give you better form control.

Watch for the Unusual

  • Sudden form submission spikes
  • Unusual network requests in browser dev tools
  • Slow loading times on form pages (may indicate injected scripts)

Use browser dev tools to inspect which scripts are loaded on your form pages; if you see something you don’t recognise, dig deeper.
