Scammers try a new way to steal online shoppers’ payment-card data


Thieves have devised a new way to steal payment-card data from online shoppers—or at least it's new to the researcher who found it. Rather than infecting a merchant's checkout page with malware that skims the information, the thieves trick users into thinking they've been redirected to an authorized third-party payment processor.

So-called payment-service platforms (PSPs) are common in the world of ecommerce, particularly for smaller sites that don't have the resources to harden their servers against sophisticated attacks. That includes the rash of hacks coming from so-called Magecart groups that target the Magento ecommerce Web platform. Rather than assuming the considerable risk of hacks that steal passwords, payment card details, or other sensitive data, sites can offload the payment card charges to experienced PSPs.

Jérôme Segura, head of threat intelligence at security provider Malwarebytes, said he recently found an attack that targets sites that use this type of arrangement. By infecting the merchant site and adding a line or two of code, the attackers redirect users at the time of purchase to a fake PSP rather than the legitimate one. The ruse works similarly to a phishing attack. Graphics that mimic real services, custom-created domain names, and other sleights of hand trick end users into thinking they've landed on a genuine third-party processor.
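For merchants, one way to catch this kind of tampering is to audit the checkout page's outbound navigation targets against the hosts the site is supposed to hand shoppers to. The following is an added example, not code from the article or from Malwarebytes; the host names, the allow-list and the sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allow-list: the merchant's own host plus the PSP it actually uses.
ALLOWED_HOSTS = {"shop.example", "pay.psp.example"}

# Inline-script redirects: location = "...", location.href = "...",
# location.replace("...") and location.assign("...").
JS_REDIRECT = re.compile(
    r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)['\"]"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)['\"]")

class RedirectCollector(HTMLParser):
    """Collects every place the page can send the shopper's browser."""
    def __init__(self):
        super().__init__()
        self.targets = []          # list of (source, url)
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.targets.append(("form action", a["action"]))
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content") or "", re.I)
            if m:
                self.targets.append(("meta refresh", m.group(1).strip("'\"")))
        elif tag == "script" and not a.get("src"):
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for m in JS_REDIRECT.finditer(data):
                self.targets.append(("script redirect", m.group(1) or m.group(2)))

def audit_checkout(html, allowed=ALLOWED_HOSTS):
    """Return (source, host) for each target host outside the allow-list."""
    c = RedirectCollector()
    c.feed(html)
    c.close()
    hosts = [(src, urlsplit(url).hostname) for src, url in c.targets]
    return [(src, h) for src, h in hosts if h and h not in allowed]  # relative URLs have no host

# Constructed sample: a legitimate PSP form plus an injected lookalike redirect.
SAMPLE = """<form action="https://pay.psp.example/session" method="post"></form>
<form action="/cart/update" method="post"></form>
<script>window.location.href = "https://pay.psp-secure.example/checkout";</script>"""
```

Running `audit_checkout(SAMPLE)` flags only the injected redirect to the lookalike host. Redirects built dynamically or loaded from external scripts need a rendered-page or network-level check in addition to this static one.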


via Biz & IT – Ars Technica
