Thieves have come up with a new way to steal payment card data from online shoppers – or at least it’s new to the researcher who found it. Instead of infecting a merchant’s payment page with malware that skims the information, thieves make users think they have been redirected to an authorized external payment processor.
So-called payment service providers (PSPs) are common in the world of e-commerce, especially for smaller sites that do not have the means to protect their servers against advanced attacks. That includes hacks by so-called Magecart groups, which focus on the Magento e-commerce platform. Rather than run the considerable risk of hacks that steal passwords, payment card data or other sensitive data, sites can offload the handling of payment cards to experienced PSPs.
Jérôme Segura, head of threat intelligence at security provider Malwarebytes, said he recently found an attack targeting sites that use this type of scheme. By infecting the vendor site and adding one or two lines of code, the attackers redirect users to a fake PSP instead of the legitimate one at the time of purchase. The scheme works the same way a phishing attack does: images that mimic real-world services, custom domain names and other sleights of hand make end users think they have landed on a real external processor.
Convincing replica
A compromised seller’s website redirects shoppers to this third-party fake processor.
Malwarebytes
“This is just a way for them (the attackers) to adapt to any payment method that an e-commerce site uses,” Segura wrote in an email. “If the seller accepts payments themselves, they (the attackers) will use the typical skimmer that searches for specific fields, and if the seller relies instead on an external payment gateway, they can use that fraudulent page designed as a phish to collect the data.”
So far, Segura has found only one instance of this scheme. It compromised an online store in Australia that used the PrestaShop content management system. As the image on the right shows, the fake PSP was hosted on payment-mastercard(.)com. The comparison below shows how carefully it mimics the Commonwealth Bank of Australia, which was the authentic PSP for the online merchant. Under the hood, the fake page harvested the payment card data so that it could be used in fraudulent transactions.
A side-by-side comparison shows how closely the fake processor resembles the real one.
Malwarebytes
“The scheme consists of swapping the legitimate e-banking page with the fraudulent page to collect the credit card details of the victims,” Segura said in a message published Thursday. “We also noticed that the fake page did something that we don’t always see with standard skimmers, because it checked that all fields were valid and informed the user if they weren’t.”
Once the fake PSP has collected the data, buyers are redirected to the legitimate PSP and the purchase goes through.
Although Segura is aware of only one active attack using this method, he believes it may be a test run before the scammers start more widespread campaigns. He said he had seen a skimmer group register dozens of domains that resemble legitimate banking institutions and had wondered why skimmers would go to the trouble. After seeing the attack on the Australian merchant, he said he might have found the reason.
One of the few ways for users with no background in online security to detect this type of scam is to notice that the fake PSP redirects to the real one after the payment card details have been accepted. Someone who is really attentive will not only notice that the card data is being requested a second time; they will also notice the difference in domains between the two services (see the side-by-side comparison above). Malwarebytes antivirus – and possibly other security programs – make detection easier by automatically flagging the fake PSP. Thursday’s report also provides indicators of compromise that people can use to determine if they have been targeted.
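Merchants can check for this kind of injected redirect on their own side. The following is an added example, not code from Malwarebytes or the article: it pulls redirect targets (form actions, `location` assignments, meta refreshes) out of a checkout page and flags any host that is not on the merchant's allowlist of legitimate PSP hosts, with a stronger warning when the host contains a payment brand name. The allowlist host, the brand-token list and the sample page are constructed assumptions; the fake host is the one the article names.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist: the merchant's legitimate payment processor host (hypothetical).
ALLOWED_PSP_HOSTS = {"secure.example-bank.test"}
# Brand tokens whose presence in an unexpected host suggests a lookalike domain (constructed list).
PAYMENT_BRAND_TOKENS = ("mastercard", "visa", "paypal", "bank", "pay")

# Places where a checkout page hands the shopper off to another host.
_URL_PATTERNS = [
    re.compile(r"""<form[^>]+action=["']([^"']+)["']""", re.I),                  # form action
    re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I),  # JS redirect
    re.compile(r"""<meta[^>]+http-equiv=["']refresh["'][^>]+url=([^"'\s>]+)""", re.I),  # meta refresh
]

def extract_redirect_hosts(html):
    """Return the set of hostnames the page redirects or posts to."""
    hosts = set()
    for pattern in _URL_PATTERNS:
        for url in pattern.findall(html):
            host = urlparse(url).hostname
            if host:
                hosts.add(host.lower())
    return hosts

def audit_checkout_page(html, allowed=ALLOWED_PSP_HOSTS):
    """Return (host, reason) findings for every redirect target outside the allowlist."""
    findings = []
    for host in sorted(extract_redirect_hosts(html)):
        if host in allowed:
            continue
        if any(token in host for token in PAYMENT_BRAND_TOKENS):
            findings.append((host, "payment-brand lookalike host not on allowlist"))
        else:
            findings.append((host, "unexpected redirect host"))
    return findings

# Constructed sample: the legitimate checkout form plus a one-line injected redirect
# to the fake PSP domain reported in the article.
SAMPLE_HTML = """
<form id="checkout" method="post" action="https://secure.example-bank.test/pay"></form>
<script>window.location.href = "https://payment-mastercard.com/checkout";</script>
"""

if __name__ == "__main__":
    for host, reason in audit_checkout_page(SAMPLE_HTML):
        print(f"ALERT {host}: {reason}")
```

Run it against a freshly fetched copy of the live checkout page (not the version in source control) so that injected lines are actually seen.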