Thieves have devised a new way to steal payment card data from online shoppers, or at least one that is new to the researcher who found it. Instead of infecting the merchant's checkout page with malware that skims the information, the thieves convince users that they have been redirected to a third-party payment processor.
Third-party payment service platforms (PSPs) are common in the e-commerce world, especially for small sites that do not have the resources to harden their servers against sophisticated attacks. Those attacks include a rash of hacks coming from Magecart groups that target the Magento e-commerce platform. Instead of taking on the considerable risk of being hacked for passwords, payment card details or other sensitive data, sites can offload payment card charges to an experienced PSP.
Jerome Segura, the head of intelligence at Malwarebytes Security, said he recently found an attack aimed at sites that use this type of arrangement. By compromising a merchant site and adding a line or two of code, attackers redirect users to a fake PSP rather than the legitimate one at the time of purchase. The trick works much like a phishing attack. Graphics, custom domain names, and other tricks that mimic the real service fool users into thinking that they have arrived at an actual third-party processor.
“This is a way for them to pay [attackers], whatever the e-commerce site uses,” Segura wrote in an email. “If the merchant takes the payment themselves, [the attackers] will use specific filters searching for specific fields. If the merchant relies on an external payment gateway instead, they can publish the fraudulent page that is designed to collect data, as in phishing.”
[Image: the compromised merchant's site redirects shoppers to this fake third-party processor.]

So far, Segura has found only one example of this scam. It involved the compromise of an online store in Australia that uses the PrestaShop content management system. As the image on the right shows, the fake PSP was hosted at MasterCard Pay . com.
A side-by-side comparison shows that it is a near-exact copy of the page of Australia's Commonwealth Bank, which was the online merchant's original PSP. Under the hood, however, the counterfeit skims payment card data so that it can be used for fraudulent transactions.
“The scheme includes replacing a valid e-banking services page with a fake page to collect victims’ credit card details,” Segura explained in a post published on Thursday.
Once the fake PSP has collected the data, it redirects buyers to the valid PSP and includes the purchase amount.
While Segura has found only one active attack that uses this method, the assumption is that the scammer was conducting a test run before starting a more widespread scam. He said he had noticed dozens of domains in a set of detectors that resemble legitimate banking institutions. At first he wondered what the skimmers were doing with them. After witnessing the attack on the Australian merchant, he said he may have found the reason.
One way for users with a background in online security to detect this type of fraud is to note that the fake PSP redirects to the real one after accepting payment card data. Those who pay close attention will notice that the card data is requested a second time. They will also see differences in the domains of the two services (see comparison above). Malwarebytes antivirus, and possibly other security software, makes detection easier by automatically flagging the fake PSP. Thursday's post also provides indicators of compromise people can use to determine if they are being targeted.
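The same domain comparison can be run from the merchant's side against its own checkout page. The following is an added example, not code from Malwarebytes or from the original post; the host names are constructed placeholders and the function names are hypothetical.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# JavaScript redirects such as: window.location.href = "https://host/path"
JS_REDIRECT = re.compile(r"location(?:\.href)?\s*=\s*['\"](https?://[^'\"]+)")

class Targets(HTMLParser):
    """Collect URLs the checkout page can send the shopper or card data to."""
    def __init__(self):
        super().__init__()
        self.urls, self.in_script = [], False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.urls.append(("form-action", a["action"]))
        elif tag == "script":
            self.in_script = True
            if a.get("src"):
                self.urls.append(("script-src", a["src"]))
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.urls += [("js-redirect", u) for u in JS_REDIRECT.findall(data)]

def within(host, parent):
    return host == parent or host.endswith("." + parent)

def audit_checkout(html, merchant_host, psp_hosts):
    """Return (kind, host, verdict) for each off-site target in the page."""
    # Brand tokens: distinctive labels of the real PSP hosts, TLD excluded.
    brands = {l for h in psp_hosts for l in h.split(".")[:-1] if len(l) >= 5}
    parser = Targets()
    parser.feed(html)
    findings = []
    for kind, url in parser.urls:
        host = (urlparse(url).hostname or "").lower()
        if not host or within(host, merchant_host):
            continue  # relative or same-site URL
        verdict = "unknown-host"
        if any(within(host, p) for p in psp_hosts):
            verdict = "expected-psp"
        elif any(b in host for b in brands):
            verdict = "lookalike"  # borrows the PSP's name on another domain
        findings.append((kind, host, verdict))
    return findings

# Constructed sample: checkout page with one injected redirect line.
SAMPLE = ('<form action="https://pay.examplebank.example/charge"></form>'
          '<script>window.location.href="https://examplebank-pay.example/c";</script>')
```

Run on a schedule against the rendered checkout page, any `lookalike` or `unknown-host` finding is a change worth investigating before shoppers reach it.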
So I am a scam scientist who works with a major credit card issuer. For me this is an excellent reason as we are working hard for the 3DS standard, which has recently become mandatory for European e-commerce transactions. 3DS is a multi-factor authentication protocol in which we get some high-risk transactions (check SIM swap in case of SMS OTP and check device data), and other details on how the transaction is presented (e.g. IP address) will need to be collected.
Unfortunately, it can be painful for a merchant to obtain such a correct setting, and credit card consumers often complain of friction in payments. We will always participate in cat and mouse games with con artists who constantly innovate (and often have nation-state resources behind them). It is a well-designed attack and has something to focus on.