Global security firm Sucuri has uncovered a new phishing technique which plants malicious code on authentic e-commerce checkout pages and payment modules.

Phishing attacks online have typically taken the form of either site hijacking to infect a payment platform and log users’ credit card details, or site imitation where fake modules collect login and payment details. Now, the Sucuri team suggests in a blog post that attackers have devised a new way to combine these traditional phishing tactics, creating a technique which is virtually undetectable to the consumer and even to security solutions.

Screen Shot 2016-07-20 at 11.19.30

Fake PayPal on cwcargo[.]com

Sucuri presents a situation in which criminals have used a malicious JavaScript code injected into an established e-retail site to redirect users to a fake checkout page on another domain. This page is designed to be an exact copy of the original checkout page, but the user’s credentials will be logged directly onto the attackers’ server.

The security researchers have discovered the new technique across a number online stores which run WordPress WooCommerce and Prestashop.

As well as checkout page phishing, Sucuri detected payment modules, such as PayPal’s, hosted on criminal servers. While this attack had only been seen on a few sites, it is expected to be present across a large number of online portals as it is extremely hard to flag.

Sucuri’s Denis Sinegubko, commented in the blog post that the attacks are particularly successful as the consumer tends to feel safe once at this stage of the shopping process, after logging in, setting up order details and spending so much time on the actual site.

‘Since victims are already in shopping mode and ready to enter their credit card number anyway, this phishing attempt may be more successful than classical tricks that distract victims from their tasks and ask to do something else instead. As a result, your credit card details will be stolen and the e-commerce site owner will lose the sale,’ he said.