In April 2019, PayPal Payflow Pro has suddenly come under a massive attack from scammers. The bad news is that Magento 2 stores are one of their main targets.
Urgent security updates on how to deal with this situation have been released. We decided it’s a good idea to spread the word as far as possible and alert Magento store owners who might be affected by the attack.
Why Is Payflow Pro Under Attack?
PayPal Payflow Pro, formerly the Verisign payment gateway, is a long-standing PayPal acquisition. The company acquired the gateway in 2005 for $370 million when eBay allied with VeriSign, a once-leading provider of online payment security services.
This “strategic alliance”, as it was called in the official October 2005 press release, created a strong technical background for PayPal’s growing market influence. It allowed PayPal to consolidate both financial and technical features under its own infrastructure and laid the foundations for new growth in the following decade.
The main difference between Payflow Pro and other PayPal payment methods is that Payflow Pro allows customers to stay on the website during the checkout process. In contrast to most other methods, Payflow Pro will complete all operations inside the Magento store to provide a seamless buyer experience to all customers.
In addition to seamless integration, Payflow Pro offers various integration scenarios to Magento developers, too. Unfortunately, this maximum-flexibility mindset of Payflow Pro is also its weak spot.
This spring Magento 2.x stores became a huge target for scammers specializing in carding activities. Hackers discovered an easy way to test whether their stolen cards are valid by using Payflow Pro’s vulnerability to charge cards with $0 amounts.
You see, stolen cards are a hot product. Once a card is stolen, it will be active for only a very short time before it gets blocked either by a suspicious card owner or their bank. So, in order to drain the card, hackers need a safe way to test whether it is still available for online spending.
The best way to do that is to use charities that allow extremely low donation amounts. Charities are the easiest targets online because they often don’t have adequate security funding, want to capture even the smallest donations, and have virtually no consequences for fraudulent payments.
Hackers use them as the go-to places to mass-test cards for validity. But the cheapest way to test a card is of course to make $0 payments. This is why hackers all over the world jumped at the opportunity to use Payflow Pro’s vulnerability.
What Are the Consequences for Magento Store Owners?
PayPal will usually apply two main sanctions to merchants whose accounts show hundreds of fraudulent charges:
- PayPal will suspend merchant accounts that have become compromised by carding activities. There have already been cases where PayPal Business accounts were frozen indefinitely until their owners fixed the security holes. Losing the ability to receive payments is a huge blow if your business depends on PayPal for the majority of its transactions.
- PayPal will fine accounts that neglect adequate fraud protection. Most payment processors set an extremely low threshold for the number of fraudulent transactions allowed in their payment systems. Once you hit the first limit, your account can be investigated, then suspended, then fined or terminated, depending on the gravity of the situation.
Which Magento Versions Are Affected?
Most on-premise and cloud versions of Magento 2.x are affected by this security hole. Here’s the full list:
- Magento Open Source v2.1.x, 2.2.x, 2.3.x
- Magento Commerce v2.1.x, 2.2.x, 2.3.x
- Magento Commerce Cloud v2.1.x, 2.2.x, 2.3.x
Please note! The latest Magento update (to versions 2.3.1, 2.2.8, and 2.1.14) does not fix the PayPal Payflow Pro vulnerability. You’ll have to install the fix separately to patch your store.
How to Check if Your Store Has Been Attacked
Carding can go unnoticed if you don’t review your transactions regularly. Log in to PayPal Manager and open the Transactions Summary on the Reports tab. Click Run Report to see the results for a specific timeframe.
Analyze the transactions for the selected period and make sure there are no suspicious charges. Every business has common patterns in its transactional behavior, so compare different periods to make sure your store has not become the target of scammers. Anything out of the ordinary (for example, a sudden run of $0 authorizations or a jump in declined attempts) should be a reason for a thorough investigation.
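The period comparison described above, written out as an added Python example (not part of the original post): it parses a constructed transaction export, compares a baseline period with the current one, and flags a high share of $0 authorizations, a jump in the decline rate, and bursts of distinct cards tried within a minute. The CSV columns, the sample rows and the thresholds are assumptions for this example, not PayPal’s actual report format.

```python
import csv
from datetime import datetime, timedelta

# Constructed sample export (columns invented for this example, not PayPal's
# real report layout): a quiet March baseline, then an April burst of $0 tries.
SAMPLE_CSV = """time,amount,result,card_last4
2019-03-20 10:01:00,59.90,Approved,4242
2019-03-21 14:12:00,120.00,Approved,1881
2019-03-23 16:45:00,80.00,Approved,4242
2019-04-10 02:00:01,0.00,Approved,1111
2019-04-10 02:00:03,0.00,Declined,2222
2019-04-10 02:00:04,0.00,Approved,3333
2019-04-10 02:00:06,0.00,Declined,4444
2019-04-10 02:00:08,0.00,Declined,5555
2019-04-10 11:20:00,45.00,Approved,4242
"""

def load(csv_text):
    """Parse the export into rows with typed fields."""
    return [{"time": datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S"),
             "amount": float(r["amount"]), "declined": r["result"] == "Declined",
             "card": r["card_last4"]} for r in csv.DictReader(csv_text.splitlines())]

def period_stats(rows, start, end):
    """Return ($0 share, decline rate) for the half-open period [start, end)."""
    sel = [r for r in rows if start <= r["time"] < end]
    n = len(sel) or 1  # an empty period yields (0.0, 0.0) instead of dividing by zero
    return (sum(r["amount"] == 0 for r in sel) / n,
            sum(r["declined"] for r in sel) / n)

def card_bursts(rows, window=timedelta(seconds=60), min_cards=5):
    """Timestamps from which at least min_cards distinct cards were tried within one window."""
    rows = sorted(rows, key=lambda r: r["time"])
    return [r["time"] for i, r in enumerate(rows)
            if len({x["card"] for x in rows[i:] if x["time"] <= r["time"] + window}) >= min_cards]

def carding_findings(rows, baseline, current, max_zero_share=0.05, decline_factor=3.0):
    """Compare the current period with a baseline period and list card-testing indicators."""
    (_, base_decl), (zero, decl) = period_stats(rows, *baseline), period_stats(rows, *current)
    findings = []
    if zero > max_zero_share:
        findings.append(f"{zero:.0%} of transactions are $0 authorizations")
    if decl > decline_factor * max(base_decl, 0.01):
        findings.append(f"decline rate {decl:.0%} vs baseline {base_decl:.0%}")
    for start in card_bursts([r for r in rows if current[0] <= r["time"] < current[1]]):
        findings.append(f"burst of distinct cards tried within 60s starting {start}")
    return findings
```

Call `carding_findings(load(SAMPLE_CSV), (march_start, april_start), (april_start, may_start))` with `datetime` bounds to get the list of indicators; on the constructed data it reports an 83% share of $0 authorizations, a 50% decline rate against a 0% baseline, and the burst at 02:00:01.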
How to Fix. Option 1: Enable reCAPTCHA for Payflow Pro
There are two distinct ways to deal with the problem. We recommend that you use both to ensure maximum security.
The first one involves the Magento module magento/module-paypal-recaptcha, which adds Google reCAPTCHA to all Payflow Pro transactions. It’s a relatively simple solution that will not inconvenience your customers.
In order to install the module, you’ll need to use the following commands for Magento Commerce:
composer require magento/module-paypal-recaptcha
bin/magento module:enable Magento_PaypalReCaptcha
bin/magento setup:upgrade
bin/magento cache:clean
Alternatively, you can use native Magento CAPTCHA for PayPal:
composer require magento/module-paypal-captcha
bin/magento module:enable Magento_PaypalCaptcha
bin/magento setup:upgrade
bin/magento cache:clean
The Magento team recommends that you use invisible Google reCAPTCHA v2, as it’s more robust against a dedicated attacker and doesn’t disrupt the checkout process. Customize the module according to the instructions.
If you want to try both CAPTCHAs and see which one you like most, you can combine the installation instructions:
composer require magento/module-paypal-recaptcha
composer require magento/module-paypal-captcha
bin/magento module:enable Magento_PaypalReCaptcha Magento_PaypalCaptcha
bin/magento setup:upgrade
bin/magento cache:clean
New options are now available for PayPal in the checkout configuration section:
- Use in PayPal PayflowPro payment form (for Google reCAPTCHA module),
- CAPTCHA: Payflow Pro (for Magento native CAPTCHA module).
If you’ve enabled Google reCAPTCHA, you will enjoy the hidden protection of Google’s invisible bot detection algorithms. The main advantage is that most users will never see reCAPTCHA at your checkout. It only activates if the user acts suspiciously or shows signs of scripted behavior.
How to Fix. Option 2: Enable Basic Payflow Fraud Protection Services
PayPal has been working with e-commerce for a very long time and has created its own tools to counter carding attempts. The second fix involves going into PayPal Manager settings and enabling smart filters that will block attackers from using your store.
How to enable fraud filters:
- Log in to PayPal Manager and navigate to Service Settings > Fraud Protection > Test Setup.
- Click Edit Standard Filters to enable a stricter review of all incoming transactions. Set the behavior to Reject if you want to automatically decline all suspicious charges. Set it to Review to hold all suspicious charges until a human reviews them and manually approves or declines the transaction.
- Deploy your changes.
- Go to the Service Settings tab once again and click Test Setup one more time. This time choose Deploy Test Setup Filters to Live Setup, then click Move Test Filter Settings to Live.
- Now choose Deploy to Active Mode to allow PayPal to resolve all triggered transactions. It might take up to 1 hour to take effect, so be patient.
Read more about the individual filters and how they work.
Implement both fixes to offer the best protection for your business and avoid huge fines from PayPal. Magento has become too popular an e-commerce platform to hope to sit this one out.
Don’t put your business at risk: apply the fixes ASAP. If you need help, we can offer fast technical support for Magento stores of any complexity, including upgrades and custom fixes for third-party extensions. Contact us if you’d like to learn more.