Online Shoppers Beware: Payment Card Data Stolen Through Fake PSP Sites

Hackers have a new way to trick online shoppers and steal their payment card information, according to a security researcher. This latest method is different from the usual schemes that thieves are using. This time, instead of infecting the checkout page of the online seller with malware that steals data, thieves deceive users into thinking that they have been redirected to an authorized third-party payment processing system.

This deceitful payment service platforms are usual in the eCommerce world, especially on smaller websites that have limited resources to reinforce their servers against highly sophisticated attacks. This includes the attacks launched by Magecart groups that eye the Magento eCommerce online platform. Instead of assuming the risks of attacks that steal passwords, sensitive data, and payment card details, sites designate payment card processing to experienced PSPs.

Malwarebytes Head of Threat Intelligence Jerome Segura recently shared that he has found an attack that targets websites that utilize this kind of arrangement. Aside from infecting the merchant site, the attack also adds one or two codes to redirect users to a fake PSP instead of the legitimate one during the time of purchase. The mode of operation works similarly to a phishing attack with graphics mimicking custom created domains, real services, and several other tricks to deceive online buyers.

This is the way attackers use to adjust whatever mode of payment an eCommerce site utilizes, Segura explained in an email sent to Ars Technica. If the merchant gets the payments themselves, thieves will utilize the usual skimmer that finds specific fields. Should the merchant depend on an external payment gateway, attackers can release the fraudulent page intended to collect or phish data, Segura added.

When a merchant website is compromised, it redirects online shoppers to a fake third-party processor. So far, Malwarebytes has discovered only one incident of this latest ruse. An online store in Australia that utilized the PrestaShop content management system was the victim of this ruse. The attackers used a fake PSP that was hosted at payment-mastercard.com

Given the dramatic spike of online merchants and the convenience of online shopping, attackers are getting creative in devising ways to launch attacks and steal data from online users.