Cybercriminals have replaced genuine third-party payment processing pages with fraudulent look-alike phishing pages to skim victims’ personal and credit card details. Who are the perpetrators of this new phishing scheme and what can you do to protect yourself?
New Payment Processing Phishing Scheme
Most of us have heard of phishing schemes involving emails sent purportedly from the bank requesting account details. Some of us are also aware of phone phishing schemes where cybercriminals masquerading as tax department employees demand immediate payment of nonexistent overdue tax money and threaten to start court proceedings otherwise.
Now a new phishing scheme has emerged involving online payment processing pages. Hackers are using these pages to steal credit card details through credit card skimming, a fraud in which cybercriminals steal credit card information during an otherwise legitimate credit card transaction.
How Does the New Payment Processing Phishing Scheme Work?
When you buy something online, you are often redirected from a product purchase website to a secure online payment processing page to pay for the product. These secure payment pages are often operated by third‑party Payment Service Providers (PSP).
In this scam, cybercriminals switch the PSP’s genuine payment page with a fraudulent one that looks identical to it. The fraudulent page even checks that you have completed all the fields and have used valid information, warning you if this is not the case.
The fraudulent page then gathers the personal and financial information you entered and sends it to a server controlled by the attackers. The legitimate PSP’s payment site is then loaded, displaying the correct total amount due for your purchase.
Who was Attacked?
This new phishing scam was revealed by researchers from Malwarebytes, an American internet security company. According to its Director of Threat Intelligence, Jérôme Segura, the phishing page looks like an official template for CommWeb, which is a payment acceptance service offered by Australia’s Commonwealth Bank.
Jérôme explains: “The attackers have crafted it [the phishing page] specifically for an Australian store running the PrestaShop Content Management System (CMS), exploiting the fact that it accepts payments via the Commonwealth Bank.”
Currently only an Australian online store seems to have been affected by this new phishing scam. However, it is likely that it will spread to other online stores, so be vigilant.
Who Are the Perpetrators?
The perpetrators appear to be a cybercriminal group that is known for using phishing templates and web skimmers. Malwarebytes researchers uncovered a newly registered malicious domain called “payment-mastercard[.]com”. This domain hosts a commonly used skimmer called ga.js that loads as a fake Google Analytics library. The domain also hosts the unique phish-like skimmer that imitates third-party PSP payment pages.
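For store operators, one way to look for the pattern described above (a script named like a Google Analytics library but served from another host, or a payment form posting somewhere unexpected) is to audit the resources a checkout page references. This is an added example, not code from Malwarebytes or the original article; the store host, the allowlist and every host in the sample page are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

GA_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}  # genuine GA hosts
GA_FILENAMES = {"ga.js", "analytics.js"}
# Assumption: hosts a hypothetical store expects its checkout page to reference.
ALLOWED_HOSTS = GA_HOSTS | {"shop.example"}


class ResourceCollector(HTMLParser):
    """Collect (kind, url) for every script src and form action in a page."""
    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.resources.append(("script", attrs["src"]))
        elif tag == "form" and attrs.get("action"):
            self.resources.append(("form", attrs["action"]))


def audit_checkout(html, page_host):
    """Return sorted (host, reason) findings for resources on unexpected hosts."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for kind, url in collector.resources:
        parsed = urlparse(url)
        host = (parsed.hostname or page_host).lower()  # relative URL: same host
        name = parsed.path.rsplit("/", 1)[-1].lower()
        if kind == "script" and name in GA_FILENAMES and host not in GA_HOSTS:
            findings.append((host, "script named like Google Analytics, wrong host"))
        elif host not in ALLOWED_HOSTS:
            findings.append((host, f"{kind} points to unexpected host"))
    return sorted(findings)


# Constructed sample page; all hosts are placeholders, not indicators from the report.
SAMPLE = """
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="https://stats.lookalike.example/ga.js"></script>
<script src="/js/cart.js"></script>
<form action="https://collect.lookalike.example/pay" method="post"></form>
"""
if __name__ == "__main__":
    for host, reason in audit_checkout(SAMPLE, "shop.example"):
        print(f"{host}: {reason}")
```

The check only sees resources present in the static HTML; scripts injected at runtime need a browser-side control such as a Content Security Policy.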
How Can You Protect Yourself from this Scam?
With difficulty! Since the phishing page looks identical to the authentic PSP’s payment page, you are likely to be none the wiser.
Normally one would say to look at the address bar: if the website has a lock icon or HTTPS in the address bar, then you can trust the site. However, with this phishing scam, as with other similar online phishing scams that have come out in recent times, this is no longer the case. As of the first quarter of 2019, apparently 58% of phishing websites used HTTPS.
The only advice is to look in the address bar for green details at the beginning of the URL. With some URLs, the HTTPS is in green. In addition, a lock as well as the company’s name and country are added before the HTTPS, also in green. This means the website is using an Extended Validation SSL Certificate. These certificates are supposedly the most hacker-proof certificates currently available and therefore you can trust these websites. However, the problem is that very few businesses use these certificates. Consequently, you will not come across such sites very often.
Your only real safeguards are these. One is to check for spelling or grammar mistakes on the page; hackers are notorious for making these types of errors. The other is to be aware that such schemes exist and be vigilant for anything that doesn’t look quite right. If something seems odd, ring or email the company and discuss your concerns with them before you make payment.
What Should You Do if You Have Been Scammed?
If you have become a victim of a phishing scheme, information on this website under this link can help you. Once you have opened the page, scroll down to “What to do When you’re a Victim of a Phishing Scheme?”.