The attack specifically targeted the iFrame of a UK Payment Service Provider (PSP). Ecommerce businesses have been advised to implement hosted payment pages from their payment service provider or utilise a redirect payment via iFrame. In doing so, they are considered more secure than alternatives, warranting a reduced PCI DSS validation questionnaire.
The problem is that an insecure website can have payment data compromised, regardless of whether they use a hosted payment page or an iFrame redirected payment page.
The code behind the attack was very specific to the targeted website and required a degree of previous research and reconnaissance in order to establish database credentials, which were coded into the malware.
At the point that a user elects to proceed to the checkout pages’ details of their order, including total price and the websites ID are submitted to the Payment Service Provider in order that a transaction identifier can be generated and the Payment Service Provider can anticipate a request from the websites customer for an iFrame.
With the increase of iFrames being used by website, security experts expect to see attacks of this nature increase, especially if payment processors provide minimal validation of the requests to their servers.
Every day we send out a free e-mail with the most important headlines of the last 24 hours.
Subscribe now