Hackers target third-party payment processing page to phish victims

The malicious actors would switch the genuine payment processing page with a fraudulent one.

The scam appears to be the brainchild of a cybercriminal group skilled in using phishing templates and web skimmers.

A card-skimming scheme involving a retailer's third-party payment service platform (PSP) was revealed by researchers from the security firm Malwarebytes. Here, the attackers created a phishing page and swapped it in for the genuine PSP processing page.

What happened?

Many e-commerce websites outsource their financial transactions to a secure page operated by payment service providers (PSPs).

Malwarebytes researchers uncovered a fraud in which the malicious actors switched the genuine payment processing page with a fraudulent one.

Personal and financial data of genuine customers visiting the phishing page was exfiltrated to an attacker-controlled server.

The skimmer-phishing page was reportedly a copy of a legitimate CommWeb payment processing page from Commonwealth Bank in Australia.

The researchers came across a newly registered malicious domain, “payment-mastercard[.]com,” that hosted a skimmer of this kind as well as the more unusual one that imitates the PSP page.

How does it work?

Jerome Segura, Director of Threat Intelligence at Malwarebytes, noted that the page was hand-crafted specifically for an Australian store that runs the PrestaShop Content Management System (CMS) and uses the Commonwealth Bank platform to accept payments.

An unsuspecting user enters their payment details on the phishing page. If the user fails to enter complete or valid information, the phishing page notifies them of the error.

After the victim's data is entered and exfiltrated, the user is redirected to the legitimate Commonwealth Bank payment site, which displays the correct purchase amount.

“This is done by creating a unique session ID and reading browser cookies,” Segura explains in the blog post.

“By blending phishing and skimming together, threat actors developed a devious scheme, as unaware shoppers will leak their credentials to the fraudsters without thinking twice,” Segura states.

Who is behind this?

Malwarebytes researchers suggested that the scam appears to be the brainchild of a cybercriminal group skilled in using phishing templates and web skimmers, including a skimmer called ga.js, which is loaded as a fake Google Analytics library.
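A merchant-side check that covers both techniques described above (the checkout hand-off being redirected to a brand-lookalike domain, and a skimmer loaded under a Google Analytics file name) is shown below as an added example; it is not code from Malwarebytes or from the article. It assumes a hypothetical merchant allowlist of hosts a checkout page may post to or load scripts from, and the HTML input is constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist: hosts a legitimate checkout may hand off to or load scripts from.
ALLOWED_HOSTS = {"shop.example", "payments.example-bank", "www.google-analytics.com"}

# Payment brand words that, inside an unexpected host, suggest a lookalike domain.
BRAND_WORDS = ("mastercard", "visa", "paypal", "commweb", "commbank")

# Constructed checkout page: one legitimate hand-off and analytics tag, plus a
# lookalike PSP form (the article's defanged domain) and a ga.js from a stray host.
SAMPLE_HTML = """
<form action="https://payments.example-bank/checkout" method="post"></form>
<script src="https://www.google-analytics.com/ga.js"></script>
<form action="https://payment-mastercard[.]com/commweb/pay" method="post"></form>
<script src="https://cdn.example-static.net/ga.js"></script>
<form action="/cart/update" method="post"></form>
"""


class _RefCollector(HTMLParser):
    """Collect every form action and script src on the page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):
            self.refs.append(("form", a["action"]))
        elif tag == "script" and a.get("src"):
            self.refs.append(("script", a["src"]))


def host_of(url):
    """Lower-cased host of a URL; accepts defanged '[.]' notation. Empty for relative URLs."""
    return (urlsplit(url.replace("[.]", ".")).hostname or "").lower()


def audit_checkout(html):
    """Return (kind, url, reason) for each reference to a host outside the allowlist."""
    parser = _RefCollector()
    parser.feed(html)
    findings = []
    for kind, url in parser.refs:
        host = host_of(url)
        if not host or host in ALLOWED_HOSTS:  # same-origin or explicitly trusted
            continue
        reason = "host not on allowlist"
        if any(word in host for word in BRAND_WORDS):
            reason = "brand-lookalike host not on allowlist"
        if kind == "script" and url.rsplit("/", 1)[-1] == "ga.js":
            reason += "; ga.js loaded from a non-Google host"
        findings.append((kind, url, reason))
    return findings
```

Run this against a rendered checkout page periodically; any finding means the hand-off or a loaded script points somewhere the merchant did not intend.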

“Externalizing payments shifts the burden and risk to the payment company such that even if a merchant site were hacked, online shoppers would be redirected to a different site (i.e. PayPal, MasterCard, Visa gateways) where they could enter their payment details securely,” Segura concludes. “Unfortunately, fraudsters are becoming incredibly creative in order to defeat those security defenses. By combining phishing-like techniques and inserting themselves in the middle, they can fool everyone.”