An online marketplace is a type of e-commerce website where multiple third parties provide product or service information. Such platforms actively operate with online payments and payouts. This format creates a lot of opportunities for fraud schemes. I’ve witnessed such a case and decided to sort out how it works.
A few weeks ago, I placed an ad on the local marketplace. The item was in good condition, so I was selling it at the average price. I received the first message within half an hour and started a perfectly ordinary conversation with the potential buyer. But the buyer moved the conversation to another messenger rather than the marketplace's own.
After a short discussion of the order details, the deal was about to be closed. Then I received a link which I was supposed to use to receive the money. The site looked very much like the marketplace: the same design and structure, and even my ad. There was a card form I needed to fill in, but it had one extra field – Card Balance. I filled in all the information and received a 3D Secure notification from my bank. At that point the situation became quite clear.
My actions
Firstly, I decided to obtain their IP address. I tweaked the HTML to fake a validation error and took a screenshot of the page. Then I launched a local web server with a script for collecting client data, exposed it with ngrok, hid the ngrok link behind bit.ly and sent it to the buyer. Meanwhile the buyer started rushing me, still trying to withdraw the funds.
Secondly, I saved all available information about the site and set out to work through the technical details. I looked up where the domain and the host were registered with the Whois service and contacted the administrators of both. The domain registrar and the hosting provider both replied quite swiftly and blocked the site. I also saved the front-end source code and worked out how it operates.
It turned out to be hastily written spaghetti code. It used legacy syntax targeting old browsers, with no Babel transpilation: var declarations everywhere, and "classes" implemented the old way as constructor functions, e.g. function CpgWaiter(settings) { ... }.
Thirdly, using the email address the fraudster had used to register the domain, I found information about the owner, including accounts on various forums and social media.
Analysing the site with the card form, I noticed many links to the actual marketplace site, but all of them carried the attribute rel="noopener noreferrer", so the marketplace's admins cannot see which page the visitor came from (the Referer header is suppressed). The main takeaway: if you follow links that lead off the platform, the admins won't be able to help in such a situation.
I noticed an interesting comment in the code, a kind of tip for future users of the script:
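The two tell-tale traits described above (a card form asking for the card balance, and outbound links to the real marketplace marked rel="noreferrer") can be checked mechanically. The following is an added example, not code from the original post or from the fraudster's script: a small heuristic scanner over a constructed HTML sample. The domain marketplace.example, the page URL and the list of field names it flags are assumptions for illustration.

```python
"""Heuristic checks for a cloned marketplace payment page (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Input names a genuine card-entry form never asks for (constructed list).
# Names are compared after stripping "-" and "_", so "card_balance" matches.
NEVER_ON_A_CARD_FORM = {"balance", "cardbalance", "availablebalance"}


class PaymentPageScanner(HTMLParser):
    """Collects <input> names and <a href> targets from an HTML document."""

    def __init__(self):
        super().__init__()
        self.inputs = []   # lower-cased name of every <input>
        self.links = []    # (href, rel) of every <a href=...>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input":
            self.inputs.append((a.get("name") or "").lower())
        elif tag == "a" and a.get("href"):
            self.links.append((a["href"], (a.get("rel") or "").lower()))


def same_site(hostname, domain):
    """True if hostname is domain itself or a subdomain of it."""
    return hostname == domain or hostname.endswith("." + domain)


def scan(html, page_url, genuine_domain):
    """Return a list of findings for a page that presents a card form.

    page_url: the URL the page was actually served from.
    genuine_domain: hostname of the real marketplace (assumed value).
    """
    parser = PaymentPageScanner()
    parser.feed(html)
    findings = []

    page_host = urlparse(page_url).hostname or ""
    brand_links = [(h, r) for h, r in parser.links
                   if same_site(urlparse(h).hostname or "", genuine_domain)]

    # 1. A card form served off-platform that still links back to the brand.
    if parser.inputs and brand_links and not same_site(page_host, genuine_domain):
        findings.append(f"card form served from {page_host}, not {genuine_domain}")

    # 2. Fields a genuine payment form never needs, such as the card balance.
    for name in parser.inputs:
        if name.replace("-", "").replace("_", "") in NEVER_ON_A_CARD_FORM:
            findings.append(f"input '{name}' asks for data a payment form never needs")

    # 3. Links to the real site that strip the Referer header.
    for href, rel in brand_links:
        if "noreferrer" in rel.split():
            findings.append(f"link {href} uses rel=noreferrer, so {genuine_domain} "
                            "cannot see this page as the referrer")
    return findings


# Constructed sample modelled on the cloned page described in the post.
SAMPLE_PAGE = """
<html><body>
<a href="https://marketplace.example/" rel="noopener noreferrer">Marketplace</a>
<a href="https://marketplace.example/ads/12345" rel="noopener noreferrer">My ad</a>
<form onsubmit="waiter.submit(this); return false;">
  <input name="card_number" type="text">
  <input name="expiry" type="text">
  <input name="cvv" type="password">
  <input name="card_balance" type="text">
  <input type="submit">
</form>
</body></html>
"""


def scan_sample():
    """Run the checks against the constructed sample (hostnames are placeholders)."""
    return scan(SAMPLE_PAGE, "https://payout-marketplace.example.net/ad/12345",
                "marketplace.example")


if __name__ == "__main__":
    for finding in scan_sample():
        print("-", finding)
```

The third check is the one that explains why the marketplace could not help: a page that only ever reaches the platform through rel="noreferrer" links leaves no Referer in the platform's logs, so nothing ties the cloned page to the real site from the admins' side.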
<form onsubmit="waiter.submit(this); return false;">
<!-- there must be a button with the type submit -->
<input type="submit" />
</form>
How to improve payment security as a consumer:
How to improve payment security as the marketplace:
Such fraud schemes can be used against any platform, because any service's payment page can be faked, and it is hard to establish the truth afterwards. Marketplace admins have no control over anything that happens outside the platform. The banks are equally helpless, since they see only the payment data and nothing else. Had 3D Secure not been enabled, the only recourse would have been to request a chargeback.