I can’t provide specific details about your Magento setup, but I’ve occasionally heard about this issue from merchants using various payment processors, particularly on older versions of Magento. We’ve also had some merchants experience success after switching to a different payment processor. It may be worth checking out the Adobe Payment Services setup. The integration uses a different type of setup with PayPal than the Payflow integration which may help with mitigating the script, especially if it is sidestepping the Magento flow entirely. 

Based on your Magento version, the highest version of Payment Services available would be 1.6.0/1.6.1. 

Harrison 

hloveall@adobe.com 

This issue indicates that bots are targeting your Magento site to test stolen or fake credit card numbers by exploiting the PayPal PayFlow integration. Since these transactions don’t appear in Magento but show in PayPal Manager, the attack is happening at the payment gateway level. Here’s how you can address this issue:

1. Strengthen CAPTCHA Implementation

Ensure CAPTCHA is enabled at all sensitive entry points, including:

• Login pages
• Checkout forms (guest and logged-in users)
• Payment gateways
  Use Google reCAPTCHA v3, as it provides invisible, behavior-based bot detection and is more robust than v2.

2. Implement PayPal Fraud Protection

Enable PayPal’s fraud management filters (FMP) in your PayPal PayFlow account. Specific filters you should enable or configure:

• Amount Limits: Reject $0 or extremely low-value transactions.
• Address Verification (AVS): Block transactions missing a billing address or with mismatched address details.
• Velocity Filters: Limit the number of transactions allowed from the same card, email, or IP within a set timeframe.
• Email Validation: Block disposable or suspicious email domains (e.g., random strings before @gmail.com).

3. Use Magento's Built-in Fraud Protection

Enable Magento's built-in fraud protection tools:

• Min/Max Order Amounts: Set a minimum order amount greater than $0.
• IP Whitelisting or Blocking: Use extensions or server configurations to block access from specific IPs or suspicious ranges, even if they rotate.

4. Add Server-Side Validation

Add backend validation to block $0 transactions in your payment processing scripts. For example:

• Reject transactions with amounts below a certain threshold.
• Ensure billing address fields are mandatory.

5. Monitor and Block Malicious IPs

• Use security tools like Cloudflare or a Web Application Firewall (WAF) to monitor and block suspicious traffic.
• Enable Rate Limiting to limit requests from a single IP.

6. Review Webhook Configurations

Ensure that your PayPal webhooks are correctly set up and validate transactions at the Magento level. If transactions aren’t validated or created in Magento, it suggests bots are bypassing your site’s transaction flow entirely.

7. Email and DNS Validation

• Implement email validation to reject addresses that don’t resolve.
• Use a DNS blocklist to prevent requests from known bot or malicious IP ranges.

8. Contact PayPal Support

Reach out to PayPal support and report this as a card testing attack. They can assist in configuring your account with advanced fraud detection settings and additional security layers.

9. Consider Third-Party Anti-Fraud Solutions

Invest in a third-party fraud protection solution like:

• Sift
• Signifyd
• NoFraud
  These integrate with Magento to provide real-time fraud detection.

When I encountered a similar issue for a client’s site, I had to configure advanced fraud prevention tools to address the problem effectively. I paid for some additional security features and implemented backend validation to stop the $0 transactions. You can see how I approach secure development practices on a site.

By combining Magento’s built-in security features, PayPal’s fraud tools, and external security measures, you can significantly reduce or prevent these attacks. Let me know if you need help configuring any of these!