by John E Dunn
An unspecified weakness in some versions of the Magento e-commerce platform is reportedly being misused by carding criminals to surreptitiously test the validity of stolen, leaked or skimmed credit and debit cards.
That’s according to news site ZDNet, which said it had seen an advisory from Magento which, frustratingly, doesn’t appear to have been made public yet – or mentioned in Magento’s sizeable list of security fixes released on 26 March. If you’re running Magento, I suggest you head over to the patch list and update anyway, as there are some fairly serious bugs in there.
A problem for criminals purchasing stolen credit card details from dark web dumping grounds is that they don’t know which ones are old or deactivated and which are still open to fraud.
Chances are, most won’t work but anything that helps them quickly sift the gold from the mud without drawing attention to themselves is incredibly useful.
The technique they’ve hit upon is to submit large numbers of zero-dollar ($0) transactions through Magento sites integrated with PayPal’s Payflow Pro card payment system. A $0 authorization asks the card network whether a card is live without moving any money, so each attempt tells the fraudster “approved” or “declined” while the cardholder sees no charge to dispute.
PayPal can be integrated into e-commerce sites in several ways, one of which – Payflow Pro – offers the advantage that the customer is never distracted by having to leave the merchant’s website.
As PayPal explains:
PayPal is only running on the back end to process the payment. The customer never goes to the PayPal website and they only receive an order receipt from you, not one from PayPal.
A legitimate feature abused by fraudsters
This ability to channel queries through e-commerce sites without having to authenticate via PayPal might be what is attractive to criminals – from PayPal’s perspective, transactions will appear to come from the merchant.
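Whatever the Magento-side weakness turns out to be, the traffic pattern it produces on the merchant is distinctive: a burst of $0 authorizations from one source, against many different cards, with a high decline rate. The script below is an added example (not code from the article, Magento or PayPal) showing how to spot that pattern in a payment-gateway log. The log format, field names, IPs and card digits are all constructed for the example; a real deployment would key on session or customer ID as well as IP, and would treat occasional $0 authorizations as normal, because legitimate card-on-file vaulting uses them too.

```python
"""Flag card-testing bursts of $0 authorizations in a (constructed) gateway log."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log. The layout (timestamp, client IP, authorised amount,
# last four PAN digits, gateway result) is hypothetical, not Magento's or
# Payflow Pro's real log format. 203.0.113.7 is the "card tester"; the other
# two IPs show benign $0 authorizations (card vaulting, a retried decline).
SAMPLE_LOG = """\
2019-03-27T10:00:01Z ip=203.0.113.7 amount=0.00 pan_last4=4242 result=DECLINED
2019-03-27T10:00:03Z ip=203.0.113.7 amount=0.00 pan_last4=1111 result=DECLINED
2019-03-27T10:00:04Z ip=203.0.113.7 amount=0.00 pan_last4=5100 result=APPROVED
2019-03-27T10:00:06Z ip=203.0.113.7 amount=0.00 pan_last4=0002 result=DECLINED
2019-03-27T10:00:07Z ip=203.0.113.7 amount=0.00 pan_last4=0044 result=DECLINED
2019-03-27T10:00:09Z ip=203.0.113.7 amount=0.00 pan_last4=7777 result=APPROVED
2019-03-27T10:00:11Z ip=203.0.113.7 amount=0.00 pan_last4=3714 result=DECLINED
2019-03-27T10:00:12Z ip=203.0.113.7 amount=0.00 pan_last4=6011 result=DECLINED
2019-03-27T10:00:30Z ip=198.51.100.2 amount=0.00 pan_last4=0005 result=APPROVED
2019-03-27T10:00:45Z ip=198.51.100.2 amount=49.99 pan_last4=0005 result=APPROVED
2019-03-27T10:01:00Z ip=192.0.2.9 amount=0.00 pan_last4=9424 result=DECLINED
2019-03-27T10:01:20Z ip=192.0.2.9 amount=0.00 pan_last4=9424 result=DECLINED
2019-03-27T10:01:40Z ip=192.0.2.9 amount=0.00 pan_last4=9424 result=APPROVED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) amount=(?P<amount>[\d.]+) "
    r"pan_last4=(?P<last4>\d{4}) result=(?P<result>APPROVED|DECLINED)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "amount": float(m["amount"]),
            "last4": m["last4"], "result": m["result"]}


def find_card_testers(lines, window=timedelta(seconds=60),
                      min_attempts=5, min_distinct_cards=3):
    """Return {ip: stats} for sources that issued at least `min_attempts`
    zero-dollar authorizations against at least `min_distinct_cards` different
    cards inside any sliding `window`. Non-zero amounts are ignored: a burst of
    real purchases is a different problem (and a different detector)."""
    events = [e for e in (parse_line(l) for l in lines) if e and e["amount"] == 0.0]
    events.sort(key=lambda e: e["ts"])          # logs are not always in order
    recent = defaultdict(deque)                 # ip -> events inside the window
    alerts = {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()                          # drop events that aged out
        distinct = {x["last4"] for x in q}
        if len(q) >= min_attempts and len(distinct) >= min_distinct_cards:
            a = alerts.setdefault(e["ip"], {"first_seen": q[0]["ts"],
                                            "attempts_in_window": 0,
                                            "distinct_cards": 0, "declines": 0})
            # Keep the worst window seen for this source.
            a["attempts_in_window"] = max(a["attempts_in_window"], len(q))
            a["distinct_cards"] = max(a["distinct_cards"], len(distinct))
            a["declines"] = max(a["declines"],
                                sum(1 for x in q if x["result"] == "DECLINED"))
    return alerts


if __name__ == "__main__":
    for ip, stats in find_card_testers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {stats['attempts_in_window']} $0 auths across "
              f"{stats['distinct_cards']} cards, {stats['declines']} declined, "
              f"first seen {stats['first_seen'].isoformat()}")
```

On the sample log only 203.0.113.7 is flagged: eight $0 authorizations against eight different cards in eleven seconds, six of them declined. 192.0.2.9 also sends three $0 authorizations, but against a single card, which is what a shopper retrying a declined card looks like; the distinct-card threshold is what separates the two. Because the requests reach PayPal with the merchant’s credentials, this is the merchant’s log, not PayPal’s, where the burst is visible, and rate-limiting the $0 path (or requiring a signed-in session for it) is the merchant-side control worth considering until the Magento fix is public.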
If that’s what’s …