The PayPal Payflow Pro integration in Magento is being actively targeted by carding activity, where attackers attempt hundreds of $0 transactions with stolen credit cards to check the card’s validity.
The activity currently targets versions of this Payflow Pro integration that were included in Magento 2.1.x and 2.2.x for Open Source and Commerce (on prem and cloud). Merchants on v2.3.x may also be vulnerable. The carding activity is inherent to the way Payflow Pro is integrated into shopping carts.
The issue affects the following Magento versions (on prem and cloud):
Magento Open Source v2.1.x, 2.2.x
Magento Commerce v2.1.x, 2.2.x
Protect your store
Magento recommends working with partners, developers, and hosting providers to introduce protections that block IPs performing fraudulent requests, add denial-of-service (DoS) protection, and rate-limit specific endpoints, in order to reduce the number of attack attempts.
Please work with your security teams and experts to determine which tools are recommended or appropriate for use, such as fail2ban, web application firewall (WAF) configuration, or integration with commercial anti-automation/bot detection packages.
Magento Commerce merchants are currently protected against repeated attacks through infrastructure updates, WAF rules, extensive network configurations, and additional monitoring. The Cloud teams are coordinating continuous monitoring and updates to actively handle new attacks.
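As an added illustration of the rate-limiting and IP-blocking advice above (this is example code, not Magento's or PayPal's), the script below scans web-server access logs for clients that repeatedly POST to the Payflow Pro secure-token endpoint within a short window and returns the IPs a merchant could feed to fail2ban or a WAF block list. The endpoint path, the thresholds and the sample log lines are constructed assumptions, not values from the advisory.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Path of the Payflow Pro secure-token endpoint in Magento 2 (assumption for this example).
PAYMENT_PATH_PREFIX = "/paypal/transparent/requestSecureToken"

# Constructed sample access-log lines (combined log format); 203.0.113.5 plays the carding client.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2019:12:00:01 +0000] "POST /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2019:12:00:04 +0000] "POST /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2019:12:00:05 +0000] "GET /checkout/ HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2019:12:00:09 +0000] "POST /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2019:12:00:10 +0000] "POST /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2019:12:00:15 +0000] "POST /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2019:12:00:22 +0000] "POST /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2019:12:00:31 +0000] "POST /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Apr/2019:12:20:30 +0000] "POST /paypal/transparent/requestSecureToken/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')

def parse_line(line):
    """Return (ip, timestamp, method, path) for a combined-format line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")

def flag_carding_ips(lines, threshold=5, window=timedelta(minutes=10)):
    """Map each IP that POSTs to the payment endpoint at least `threshold` times inside
    one sliding `window` to the peak number of such requests seen in a window."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e[1])          # the sliding window needs chronological order
    recent = defaultdict(deque)              # ip -> timestamps of payment POSTs still in window
    flagged = {}
    for ip, ts, method, path in events:
        if method != "POST" or not path.startswith(PAYMENT_PATH_PREFIX):
            continue                         # only payment-endpoint POSTs count toward the limit
        q = recent[ip]
        q.append(ts)
        while q and q[0] < ts - window:      # evict requests older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    print(flag_carding_ips(SAMPLE_LOG.splitlines()))   # {'203.0.113.5': 6}
```

The returned IPs are candidates for a block rule; tune the threshold so that legitimate checkouts, which normally produce one or two token requests per session, stay well below it.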
PayPal support and contacts
Please contact PayPal Payflow Merchant Support to learn more about Fraud Protection Services. You can request that the PayPal Support team enable Basic Fraud Protection Services filters to provide the tightest control possible over payments, so that you can automatically deny payments that are likely to result in fraudulent transactions and accept payments that are not typically a problem. Please note that once you turn on PayPal Fraud Protection Services filters, transactions can take up to 2 hours to settle.
PayPal and Magento are working closely to investigate and help resolve this situation and will provide further information when available. Please continue monitoring Magento and PayPal channels (Twitter, company blog posts, etc.) for updates.