Researchers at Malwarebytes have uncovered a digital skimming technique that combines skimming with phishing: it spoofs the third-party secure payment pages that many online retailers hand customers off to for payment processing.
When a purchase is made on a website that uses a third-party payment service provider (PSP), the customer is redirected to a payment page hosted and maintained by the PSP. The payment is processed there, and the customer is then redirected back to the retail site.
This attack inserts a fake PSP page into that redirect. The fake page is a carbon copy of the payment processor's real page, in this case the one belonging to Australia's Commonwealth Bank, so a customer has no visual cue that it is not legitimate.
The fake page asks the customer for their credit card number, CVV code and expiry date, which the attacker harvests. It also validates the form, checking that every field has been filled in and prompting the user for any that are missing, so it behaves just as a real payment form would. The captured data is exfiltrated to payment-mastercard(.)com, a domain registered by the scammers. The customer is then forwarded to the genuine payment page with the amount due already loaded, so the transaction completes normally and nothing looks amiss.
The technique was used against an Australian company that runs the PrestaShop e-commerce platform and stated on its website that it used Commonwealth Bank to process its payments.
By inserting themselves between the retail site and the payment processor, the scammers can easily fool customers into believing they are on the genuine payment page. Customers already expect to be redirected to a third-party payment processor, so a redirect to an unfamiliar-looking domain is unlikely to strike them as anything untoward.
This method shows how cybercriminals are becoming more creative in maximizing their harvest of credit card details.
Scammers have already registered a variety of fake payment processing domains targeting other third-party payment processors, including WorldPay and Sage Pay. These most commonly use hyphenated domain names built around the brand, e.g. sagepay-live and payment-sagepay.
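The hyphenated brand-bearing domains described above, and the payment-mastercard(.)com exfiltration domain, share a pattern that a shop operator or analyst can check for in checkout redirect records. The following is an added example written for this page, not code from Malwarebytes or from the affected shop: it classifies the host a checkout hands off to against a hypothetical PSP allowlist, flags hyphenated labels that embed a PSP brand name, and accepts defanged indicators. The allowlist host, the `.test` hostnames and the hand-off records are all constructed for the example.

```python
"""Flag checkout hand-off hosts that imitate a payment service provider.

Added example; the allowlist host and the sample records are constructed.
Brand tokens are taken from the lookalike domains named in the article.
"""
import re
from urllib.parse import urlsplit

# Hypothetical allowlist: the only PSP host this shop may redirect customers to.
PSP_ALLOWLIST = frozenset({"secure.example-psp.test"})

# Brand words that the reported lookalike domains embed.
BRAND_TOKENS = ("sagepay", "worldpay", "mastercard", "commbank")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'hxxps://payment-mastercard(.)com' into a URL."""
    s = indicator.strip().replace("(.)", ".").replace("[.]", ".")
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    if "://" not in s:
        s = "https://" + s
    return s


def hostname_of(url: str) -> str:
    """Lower-cased hostname of a (possibly defanged) URL, or '' if unparseable."""
    host = urlsplit(refang(url)).hostname or ""
    return host.lower().rstrip(".")


def classify_handoff(url: str, allowlist=PSP_ALLOWLIST) -> str:
    """'allowed', 'lookalike', 'suspicious', 'unknown' or 'invalid' for one redirect target."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    if host in allowlist:
        return "allowed"
    labels = host.split(".")
    # The pattern from the article: a hyphenated label carrying a PSP brand name,
    # e.g. payment-sagepay, sagepay-live, payment-mastercard.
    for label in labels:
        if "-" in label and any(tok in label for tok in BRAND_TOKENS):
            return "lookalike"
    # Brand name present in a non-allowlisted host without the hyphen pattern.
    if any(tok in label for label in labels for tok in BRAND_TOKENS):
        return "suspicious"
    return "unknown"


# Constructed sample of checkout hand-off records: (shop order id, redirect target).
SAMPLE_HANDOFFS = [
    ("1001", "https://secure.example-psp.test/checkout?ref=1001"),
    ("1002", "hxxps://payment-mastercard(.)com/pay"),
    ("1003", "https://sagepay-live.test/gateway"),
    ("1004", "https://www.payment-sagepay.test/"),
    ("1005", "https://worldpay.attacker.test/form"),
    ("1006", "https://www.example-shop.test/thank-you"),
]


def scan_handoffs(records):
    """Return (order_id, host, verdict) for every record that is not allowlisted."""
    flagged = []
    for order_id, url in records:
        verdict = classify_handoff(url)
        if verdict != "allowed":
            flagged.append((order_id, hostname_of(url), verdict))
    return flagged


if __name__ == "__main__":
    for order_id, host, verdict in scan_handoffs(SAMPLE_HANDOFFS):
        print(order_id, host, verdict)
```

The allowlist check is the decisive one: a compromised shop redirects to exactly one legitimate PSP host, so anything else in the hand-off log deserves a look regardless of how convincing the page is. The brand-token heuristic only ranks the findings; it will not catch a lookalike that avoids the brand name entirely.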