Many organisations see outsourced payment models as the holy grail of secure payments. Surely, if your website doesn't touch personally identifiable information (PII) and cardholder data, then you shouldn't worry about your customers' details being stolen... right?
Lately, our forensic team have witnessed some alarming attacks that bypass iFrame and redirect models.
These cases feature Man in the Middle (MITM) attacks, which intercept the payment page and replace it with a malicious version of the page.
Even if you believe your customers' details are safe in the hands of someone else, you shouldn't neglect your own website security.
The iFrame attack that we have seen recently works as a Man in the Middle (MITM) attack. Normally, the merchant's web server tells the client to get the source of the iFrame directly from the payment service provider (PSP). In the attack, malicious code that has been injected into the website requests the iFrame source code from the PSP itself and then modifies it, so the client receives a modified iFrame that submits the data directly to the malicious code on the merchant's web server. After the customer submits the malicious iFrame, the malicious code returns the genuine iFrame, allowing the customer to complete the transaction. Below is an example of the iFrame attack:
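A defensive check for the substitution described above, added here as an example and not part of the original article: it audits the checkout HTML as served and flags any payment iFrame that is not loaded directly from the PSP. The host names `shop.example` and `pay.psp.example`, the sample pages and the function names are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the PSP serves its hosted payment page from this origin (placeholder).
ALLOWED_PSP_ORIGINS = {("https", "pay.psp.example", 443)}

def origin(url):
    """Return (scheme, host, port) for a URL, filling in default ports."""
    p = urlsplit(url)
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append(dict(attrs))

def audit_checkout(page_url, html, allowed=ALLOWED_PSP_ORIGINS):
    """Return (src, reason) findings for iframes not fetched directly from the PSP."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.frames:
        src = attrs.get("src")
        if "srcdoc" in attrs:
            findings.append((src, "inline srcdoc content, not fetched from PSP"))
        elif not src:
            findings.append((src, "iframe has no src; it may be set by script"))
        else:
            absolute = urljoin(page_url, src)  # a relative src resolves to the merchant
            if origin(absolute) == origin(page_url):
                findings.append((absolute, "served from merchant origin (proxied frame)"))
            elif origin(absolute) not in allowed:
                findings.append((absolute, "origin not in PSP allowlist"))
    return findings

# Constructed sample pages: a genuine checkout and one whose frame is proxied.
GOOD = '<body><iframe src="https://pay.psp.example/hpp?session=abc"></iframe></body>'
PROXIED = '<body><iframe src="/includes/pay.php?session=abc"></iframe></body>'

if __name__ == "__main__":
    for name, page in (("good", GOOD), ("proxied", PROXIED)):
        print(name, audit_checkout("https://shop.example/checkout", page))
```

Because the modification happens on the merchant's web server, run the check against the page as fetched by an external monitor, and pair it with file-integrity monitoring of the checkout code.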