Form-grabbing malware silently infects thousands of computers daily, often without the user noticing it. If you are not paying attention, this kind of malware can snatch your sensitive data and grant access to your computer to other malicious hackers, who can use it to spam you or steal more of your information.

What Is Form-Grabbing Malware?

Also known as form grabbers, malware like these are tailored to capture web form data, like usernames, passwords, and other private information, from a browser page.

Unlike keyloggers, form grabbers can acquire the user's data and credentials even if they've been inputted by pasting, autofill, or using a virtual keyboard. The information gathered is then stored and transmitted to a specific server afterward.

Illustration of someone stealing login information

Form grabbing is the most common way browser credentials are acquired, although keyloggers are still used to steal the administrator's data. These form grabbers are mostly used to steal information when the user is interacting with a banking website. The data is obtained from forms, meaning important data can be easily identified and extracted before they are sent over the internet to a secure server.

History of Form Grabbing

Though it began in 2003, Form grabbing wasn't recognized as a major malware attack until Zeus came along in 2007. The malware was embedded in various emails that were sent to numerous people. Those who received the emails erroneously thought they were from reputable banking firms. In 2011, Zeus' source code was released to the public, allowing different versions of the Trojan to be created.

Although the original Zeus code has been retired, it has birthed nastier form-grabbing malware that still plagues the internet today. One of those is SpyEye. Using code from its predecessor Zeus, SpyEye targets your web browser. It records keystrokes, stealing your credentials and authorizations while you're logged into a banking portal.

person being scammed by criminal via laptop

SpyEye is almost untraceable and unnoticeable, capable of initiating transactions, siphoning funds, and sending them to its creator. And like other form grabbers, it can sneak into your computer through links from unsecured websites and in spam emails.

How Does Form-Grabbing Malware Work?

The key to successful form grabbing is inserting the malware between the browser and the networking stack. This allows it to intercept the data before it becomes encrypted.

First, a Browser Helper Object (BHO) is installed in the browser. This allows the malware to look out for calls to the HttpSendRequest function. The HttpSendRequest function is responsible for establishing a connection to the internet and sending the HTTP Request to a specified site.

The malware may input Dynamic Link Library files (DLL) into the browser every time it launches. The malware also changes the HTTP functions, reconfiguring them to allow requests to be sent to the Trojan code before going on to the stack.

How to Protect Yourself from Form-Grabbing Malware

One of the most effective methods that work against form grabbers is the installation of antivirus signatures. Also, restricting user rights to prevent the download of BHOs is another tactic to prevent Trojans from inserting themselves into your system.

Install Antivirus Protection

Text reading "antivirus"

Antivirus works by scanning traffic going through the internet and into your computer. It searches for known threats and flags suspicious interactions, looking to block malware from inserting themselves and ejecting Trojans as soon as possible.

If a computer system doesn't possess any form of antivirus protection, then it is open to attack from all kinds of malware that can remain undetected for a long time. However, for an antivirus to be effective against form grabbers, it has to be constantly updated for protection against the latest forms of malware that might not have been present when the antivirus program was first installed.

Some programs force you to manually check all systems, making it easy for malware to escape undetected in a remote part of your computer. Most times, even when the Trojan malware is detected, these forms of antivirus software put them in a quarantine zone and wait for the user to log on and delete it themselves.

But others perform automatic scans on all systems, detecting malware instantly and deleting them. These are the most efficient against form grabbers.

Avoid Unencrypted Connections

Computers passing encrypted traffic

You should avoid filling out forms on unencrypted sites. Websites with the HTTPS Protocol are the most secure, not allowing any form grabbing or keylogging. HTTPS uses complex encryption to secure data exchange.

It is the more secure form of HTTP and is also used to send data between a website and a web browser. HTTP websites are flagged by popular web browsers such as Google Chrome and marked as non-secure, with the user getting a warning about the insecurity of the site. A padlock symbol is usually in the URL bar to show that a website is secure and uses HTTPS Protocol.

Also, note that HTTPS is the same protocol as HTTP. The only difference is that the former is built on Transport Layer Security (TLS) which, apart from encrypting the connection between web applications and their servers, also secures emails and messaging.

More so, websites using HTTP have their data transmitted in plain text, making them easily readable by malicious elements. Even if there is malware in your computer, once the website being accessed is running on the HTTPS Protocol, the malware will receive encrypted data that it cannot read or decode.

Use a URL Blacklist

To ensure that the website you're on is secure, make sure it isn't blacklisted. A way to confirm this is with Google Transparency Report. Enter the URL of the website in the search bar of the page. If the website pops up, it is confirmed to spread malware through plug-ins and downloads. Completely avoiding these blacklisted websites will reduce the chances of malware getting into your computer.

Screenshot of Google Transparency Report website

Set Up Web Firewalls

Also, you can add these blacklisted websites to a firewall, ensuring you don't accidentally connect to them when browsing the internet. Sadly, there are a lot of unsecured pages with harmful redirects that lead to these blacklisted sites. A web firewall will block these redirects while protecting sensitive data from form grabbers.

Can You Completely Prevent Form-Grabbing?

Form-grabbing malware may be commonplace, but there are steps to take to prevent your data from being stolen. Ensure extensions and plug-ins are only downloaded from trusted sources. You can also protect your computer by creating a list of harmful websites and servers and adding them to a blacklist for a firewall.

Furthermore, antivirus programs are the best bet as they automatically scan for malware and delete them instantly. Completely avoid sites not using the HTTPS Protocol, as form-grabbing Trojans can find their way into your computer from these places.