Cybersecurity Insights

Benjamin Hosack

Website Re-Direct Payments... Secure or Not?

06/05/15 13:59

A great deal has been discussed about the security benefits of using a hosted payment page - or a re-direct payment page - and it is the recommended approach from the industry leaders to small-to-medium sized businesses looking for a secure way to transact online.

PCI DSS Compliant Hosted Payment Page is Secure…BUT

The industry is correct - it is certainly the most effective option to reduce risk from your payment channel as the small/medium sized online business is essentially handing over the transaction process to their secure payment service provider (who should be PCI DSS compliant). 

BUT it certainly does not mean that the small/medium sized business is actually safe and secure.  Let's illustrate.

A website is like a giant funnel for the online business - with the big, wide open end being the home page and the pointy end being the transaction point - i.e. the conversion of a prospective customer into a paying customer.  The whole website is designed to engage with potential clients and convince them to make the purchase.  The actual purchase is the last step in the process and forms a very important, but very small part of the overall sales process.  

Implementing a secure hosted payment page (or re-direct payment page) does not mean that the rest of the website is secure, or that the website’s customer data is secure.  This is a misunderstanding that has significant ramifications for a growing number of online businesses.  

What could go wrong?  My payments are secure and that’s what counts!

Well, lots can go wrong actually.  An insecure website can be compromised and used for any of the following:

  • Malware distribution - ie malware to infect the website’s customers.
  • To serve pages from criminal websites - pornography, child pornography, weapons, drugs. You name it.
  • A launch pad for attacks on other businesses.
  • To steal the website clients data - including credit card info.
  • And lots more...

Malware distribution, bad links and being used to launch attacks on other businesses can lead to blacklisting by the search engines at the very least - think of the effort that has gone into getting the website operating well, the investment in SEO etc. Well, with a blacklisting, all of that investment and hard work counts for nothing as the website is now deemed a dangerous website and the search engines will highlight it as such in their results. Website traffic will drop off almost completely and the business will come to an immediate stop.  

Of all the data that can be stolen from the website, the credit card data is the most easily monetised by the criminals and is therefore their priority.  So, with that in mind, let’s focus on the payment data.  This website has a secure hosted payment page, so how is the credit card data getting stolen?

A recent forensic case supported by our team involved a very successful online business with a hosted payment page from a well-known UK payment processor.  The website owner was contacted by her bank and informed that her website was showing up as a Common Point of Purchase (CPP) and was the likely point at which a LOT of card data had been stolen.  She carried out an initial review of her website with her developers and identified some unusual code in the website, which none of them had created or had any knowledge of.

What had happened?

Relying on the secure hosted payment page, this online business focused on growing their business assuming they were secure.  Their website was built on a well known e-commerce platform which could be enhanced using plugins from other developers. Her team identified an interesting plugin that provided various functionality to increase conversion rates and installed it.  Unfortunately for them, while the plugin did have some basic benefits, it actually contained a Web Shell

Once the plugin was installed, the attacker accessed the website via the Web Shell and stole the admin credentials to the website - the attacker now had the keys to the website and could do whatever he/she wanted.  

The changes made were clever - they identified the IP addresses that the website developers accessed the website from as well as the IP addresses of the business and then implemented code to ensure that traffic from those IP addresses would see the original payment process that the website developers had designed.

Anyone else would be taken through the same process with 2 additional steps inserted - a payment page earlier in the checkout process and a second page that gave notice that the payment had failed and that they would now be directed to a secure hosted payment page with the well-known UK payment processor.

This code ran very successfully for what we believe was a couple of months - unfortunately, the website developers - under the assumption that their website was secure with the hosted payment page did not have any log data or any system to alert them that changes were being made on their website, so the best data that we had to estimate the length of the compromise was to use the transaction data.

Here is a video illustration of how it worked.

This is not an isolated case - we have seen a handful of similar cases in the last 12 months.


A handful is not a lot - what's the fuss about?

Well, the industry is changing - currently most of the credit card theft occurs in the US, with card present businesses (mostly retailers/restaurants) being targeted because of the ease of stealing high value cardholder data from the integrated point of sale systems that are prevalent in the region. However, they are rolling EMV out rapidly in the US to combat this issue - and this is going to push the fraudsters online (a simple Google search for "EMV fraud migration" will give you a lot of info/statistical analysis to back this hypothesis up).  They are going to have to get smarter in the ways that they steal data from online businesses and we expect to see increasingly clever attacks such as the one illustrated above.

How does a website defend against these criminals?

Its actually very easy to protect a website from this kind of attack - these are the steps we would recommend:

  • Place a tamper-proof seal on your website to alert you to any changes being made on the website. If you see changes and they are yours, that’s fine.  If you see changes and they are not yours, you need to act quickly as it is likely an attacker.
  • Check for Malware/Web Shells daily.
  • Collect and analyse your log data daily.
  • Check your website for unprotected credit card data - if an attacker is collecting data, they usually store it somewhere on the website for later collection/exfiltration. 
  • Use a hosted payment page (unless you are confident that your business has excellent, security-savvy developers - which is rare).

While this may sound like a lot to do - there are technologies that can automate much of this for you. 

Foregenix has as a solution called FGX-Web to provide this level of security alerting for websites - and includes all of the above functionality. 

A cup of coffee for the security of your online business?

For the cost of a cup of coffee per month, a website could have the level of security analysis and alerting that would enable them to focus on growing their online business with the knowledge that they have a secure payment process and appropriate security on their website to alert them to any nefarious activity.  Fully automated.

You can find out more at

In summary…. Using a hosted payment page is the most secure transaction process available for online businesses, but only when implemented with a secure website.

Tags: Web Security