Hackers abuse Magento PayPal integration to test validity of stolen credit cards

April 5, 2019
Magento PayPal

Hacker groups and online fraudsters are mishandling a component of Magento online shops to test the validity of stolen debit and credit card numbers. The transactions are executed against Magento stores that support the PayPal Payflow Pro integration. The PayPal Payflow Pro integration is a payment option available on Magento shops that enables an online store to process card transactions by means of a PayPal merchant (business) account. Numerous stores use it since it enables them to get payments through PayPal utilizing a checkout form embedded on their sites and without users leaving the store to enter details on the PayPal portal.


Abuse of vulnerability

As indicated by a security advisory issued by the Magento team and seen by ZDNet, hackers are abusing the PayPal Payflow Pro integration included into Magento 2.1.x and 2.2.x, however 2.3.x versions may likewise be vulnerable, though proof of abuse has not seen as of yet. Law breakers aren’t utilizing the stolen cards to place orders for real products, however just merely initiating a $0-sized transaction and see if it returns any errors – and indirectly confirm that the card details are legitimate.

It is believed that hackers are buying these cards from so-called “carding forums” – underground cybercrime forums where hackers and ATM skimming groups are putting credit card details up for sale. Huge numbers of these “credit card dumps” frequently contain details for old and expired payment cards, and buyers frequently need an approach to validate the details of recently obtained card dumps before using them in fraudulent operations at banks or online stores, or for creating card clones.

The Magento team said that the two versions of the Magento CMS are vulnerable – self-hosted open source version, and the on-premise or cloud-based commercial Magento offerings.


Securing online stores is a requirement

The Magento team is currently suggesting that shop owners to investigate and put up a web application firewall (WAF) or other anti-brute-force or Credit Card fraud detection and prevention or  bot detection systems in place to protect stores against such abuse, fraud. Store owners may feel that they’re not expose to losing any money, as hackers are merely testing some payment card details, but the reality is not so.

The Magento team cautions store owners that PayPal may suspend their accounts after repeated automated operations. They recommend that store owners reach out to PayPal and inquire about additional anti-fraud security measures they can roll out for their PayPal Business accounts.

About the author

Leave a Reply