The PayPal Payflow Pro integration in Magento is being actively targeted by carding activity: attackers submit hundreds of $0 authorization requests with stolen credit card numbers to test which cards are still valid.
The activity currently targets the versions of the Payflow Pro integration that shipped with Magento 2.1.x and 2.2.x for Open Source and Commerce (on prem and cloud). Merchants on v2.3.x may also be vulnerable. The carding activity abuses the normal way Payflow Pro is integrated into shopping carts, not a specific code defect, so there is no single patch to apply.
For the latest updates and information, see the Magento KB PayPal Payflow Pro active card fraud attacks.
Affected Magento merchants
The issue affects the following Magento versions (on prem and cloud):
- Magento Open Source v2.1.x, 2.2.x
- Magento Commerce v2.1.x, 2.2.x
Protect your store
Magento recommends working with partners, developers, and hosting providers to introduce protections such as blocking IPs that send fraudulent requests, DoS protection, and rate limiting on the specific endpoints being abused, to reduce the number of attack attempts.
Work with your security teams and experts to determine which tools are appropriate for your environment, such as fail2ban, web application firewall (WAF) configuration, or a commercial anti-automation/bot detection package.
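The following is an added example, not code from Magento, PayPal, or this advisory, of the rate-limiting and IP-blocking idea above applied to web server access logs: it counts POSTs per source IP to the payment endpoint inside a sliding window, flags IPs that exceed a threshold, and emits nginx `deny` directives for them. The endpoint path `/checkout/payment/`, the threshold of 5 attempts per 10 minutes, the "combined" log format, and the sample log lines are all assumptions constructed for the example; substitute the request path your Payflow Pro checkout actually posts to.

```python
"""Added example: sliding-window carding detection over web access logs.

Not Magento's or PayPal's code. Assumptions, none of them from the advisory:
- logs are in the nginx/Apache "combined" format;
- PAYMENT_ENDPOINT is a placeholder; use your store's real payment path;
- MAX_ATTEMPTS / WINDOW are illustrative thresholds.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

PAYMENT_ENDPOINT = "/checkout/payment/"   # placeholder path (assumption)
MAX_ATTEMPTS = 5                          # POSTs allowed per IP per window
WINDOW = timedelta(minutes=10)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status")),
            "ua": m.group("ua")}


def find_carding_ips(lines, endpoint=PAYMENT_ENDPOINT,
                     max_attempts=MAX_ATTEMPTS, window=WINDOW):
    """Return {ip: peak_attempts_in_window} for IPs that exceeded the limit.

    Only POSTs to the payment endpoint are counted. A per-IP deque holds the
    timestamps of recent attempts; entries older than `window` are dropped
    before the count is compared to the threshold.
    """
    recent = defaultdict(deque)
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(endpoint):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_attempts:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


def nginx_deny_block(offenders):
    """Render flagged IPs as nginx `deny` directives (one per line)."""
    return "\n".join(f"deny {ip};" for ip in sorted(offenders))


# --- constructed sample log (not real traffic) -----------------------------
def _line(ip, ts, method, path, ua):
    return (f'{ip} - - [{ts:%d/%b/%Y:%H:%M:%S +0000}] '
            f'"{method} {path} HTTP/1.1" 200 512 "-" "{ua}"')


_base = datetime(2019, 4, 10, 12, 0, 0)
SAMPLE_LOG = []
# carding bot: 8 payment POSTs within about 2.5 minutes
for i in range(8):
    SAMPLE_LOG.append(_line("203.0.113.7", _base + timedelta(seconds=20 * i),
                            "POST", PAYMENT_ENDPOINT, "python-requests/2.21.0"))
# slow shopper: 6 POSTs but spaced 4 minutes apart, never >5 in any 10 minutes
for i in range(6):
    SAMPLE_LOG.append(_line("198.51.100.20", _base + timedelta(minutes=4 * i),
                            "POST", PAYMENT_ENDPOINT, "Mozilla/5.0"))
# noise: a GET to the endpoint and a POST elsewhere are not counted
SAMPLE_LOG.append(_line("192.0.2.9", _base, "GET", PAYMENT_ENDPOINT, "Mozilla/5.0"))
SAMPLE_LOG.append(_line("192.0.2.9", _base, "POST", "/catalogsearch/result/", "Mozilla/5.0"))

if __name__ == "__main__":
    flagged = find_carding_ips(SAMPLE_LOG)
    print(flagged)
    print(nginx_deny_block(flagged))
```

The window is what separates a card-testing bot from a shopper who retries a declined card a few times: the slow shopper in the sample sends more POSTs in total than the threshold but never more than five inside any ten-minute span, so only the bot is flagged. In production you would feed the function a log tail (or convert the same rule into a fail2ban filter plus jail) and review the flagged list before deploying the deny block, since NAT gateways and corporate proxies can put many real customers behind one address.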
Magento Commerce cloud merchants are currently protected against repeated attacks through infrastructure updates, WAF rules, extensive network configuration, and additional monitoring. The Cloud teams are coordinating continuous monitoring and updates to actively handle new attacks.
PayPal support and contacts
Contact PayPal Payflow Merchant Support to learn more about Fraud Protection Services. You can ask the PayPal Support team to enable the Basic Fraud Protection Services filters, which give you the tightest control possible over payments: payments that are likely to be fraudulent are denied automatically, while payments that are not typically a problem are accepted. Note that once the PayPal Fraud Protection Services filters are turned on, transactions can take up to 2 hours to settle.
For additional information, see PayPal’s KB “Magento has contacted me about my Payflow Pro integration. What do I need to do?”.
PayPal Payflow Merchant Support Details
Payflow Merchant Support’s business hours are Monday through Friday from 7:00am-8:00pm CST. You can contact Payflow Merchant Support for account assistance by phone or email:
PayPal and Magento are working closely to investigate and help resolve this situation and will provide further information when available. Please continue monitoring Magento and PayPal channels (Twitter, company blog posts, etc.) for updates.