Is your e-commerce site being used to test stolen card data?

An unspecified weakness in some versions of the Magento e-commerce platform is reportedly being misused by carding criminals to surreptitiously test the validity of stolen, leaked or skimmed credit and debit cards.

That’s according to news site ZDNet, which said it had seen an advisory from Magento which, frustratingly, doesn’t appear to have been made public yet – or mentioned in Magento’s sizeable list of security fixes released on 26 March. If you’re running Magento, I suggest you head over to the patch list and update anyway, as there are some fairly serious bugs in there.

A problem for criminals purchasing stolen credit card details from dark web dumping grounds is that they don’t know which ones are old or deactivated and which are still open to fraud.

Chances are, most won’t work but anything that helps them quickly sift the gold from the mud without drawing attention to themselves is incredibly useful.

The technique they’ve hit upon is by submitting large numbers of zero dollar ($0) transactions through Magento sites integrated with PayPal’s Payflow Pro card payment system.

PayPal can be integrated into eCommerce sites in several ways, one of which – Payflow Pro – offers the advantage that the customer is never distracted by having to leave the merchant’s website.

As PayPal explains:

PayPal is only running on the back end to process the payment. The customer never goes to the PayPal website and they only receive an order receipt from you, not one from PayPal.

A legitimate feature abused by fraudsters

This ability to channel queries through e-commerce sites without having to authenticate via PayPal might be what is attractive to criminals – from PayPal’s perspective, transactions will appear to come from the merchant.

If that’s what’s going on, this is simply a technique to obscure lots of otherwise suspicious transaction requests behind a legitimate front.

In theory, neither the merchant or PayPal should lose money directly. It’s a way to cheekily check card validity to enable fraud elsewhere.

On that basis, the hazard for merchants running Magento is that PayPal may eventually notice the strange transactions and suspend their accounts.

Why PayPal and not another platform? Sending zero dollar transactions is a legitimate feature that merchants can use to verify cardholder data without asking for money. Some platforms charge a tiny amount for this facility so if PayPal doesn’t then presumably it’s easier for any abuse of the system to pass undetected by merchants.

What to do?

Vulnerable versions are 2.1.x and 2.2.x, including both cloud and self-hosted. It’s not clear whether version 2.3 is affected but, writes ZDNet…

…the Magento team has not seen any evidence of abuse against these types of sites, as of yet.

Is there any way to detect whether a site has been affected? Until the issue is more clearly explained, it’s impossible to say with certainty – although it’s possible that large numbers of unusual transactions might generate unexpected PHP error messages that would show up in Magento logs.

There was a time when securing an e-commerce site using a third-party security tool would have been viewed as cautious. Given the rising number of attacks on e-commerce sites in the last year, perhaps it’s time to reassess this way of thinking.