Hackers misuse the integration of Magento PayPal to test the validity of stolen credit cards

Magento cms hack paypal

Attacks were reported to target online stores running versions of Magento 2.1.x and 2.2.x. Online fraudsters and hackers abuse the Magento online shops feature to test the validity of the debit and credit card numbers stolen.

The technique consisted of attackers trying to check the card for hundreds of $0 transactions using stolen payment cards. The transactions are carried out against Magento stores supporting the integration of PayPal Payflow Pro. The integration of PayPal Payflow Pro is a payment option for Magento shops which enables an online shop to process card transactions through a merchant’s account in PayPal.

Many shops use it because it allows them to pay via PayPal via a checkout form embedded in their websites without users having to leave the shop to enter details on the PayPal portal. According to a security advisory published by the team Magento and hacker’s abuse Magento 2.1.x and 2.2.x integration with PayPal Payflow Pro to test the validity of stolen cards.

Crooks don’t use stolen cards to place real goods orders, but simply start a $0 transaction and see if any errors are returned-and indirectly confirm that the card data are valid. Hackers are believed to buy these cards from so-called “carding forums,” which are underground cybercrime fora, where hackers and ATM groups sell card details.

Many of these “card dumps” contain often information about old and expired payment cards, and buyers often have a way of validating details of newly acquired card dumps prior to their use in fraudulent transactions at banks or online stores or to create card clones.

The Magento team has stated that both Magento CMS versions are vulnerable–the self-hosted open source release, and the on-site or cloud-based commercial Magento products. Magento versions 2.3.x may also be vulnerable, but the team at Magento has not yet seen any evidence of abuse.

Magento’s team now advocates shop owners to build a web application firewall (WAF) or other anti-brute detection systems for protecting stores from such abuse. Store owners may think they won’t lose any money, as hackers just test some details of the payment card, but the reality isn’t that.

The Magento team warns shop owners that after repeated automated operations, PayPal can suspend their accounts. They recommend that shop owners reach PayPal and inquire about additional measures against fraud that they can implement for their PayPal Business accounts.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.