Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Trustwave Unveils New Offerings to Maximize Value of Microsoft Security Investments. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Five E-Commerce Security Myths (Part 1)

Compromises of e-commerce websites are increasingly common. In our 2012 Global Security Report we reported that 20% of our incident response investigations related to e-commerce sites. This was up from 9% the year before. In my part of the world (Asia-Pacific), this figure is closer to 40%. In almost all of these cases the motive was simple - the theft of credit card data.

In order to better defend against e-commerce attacks, we must first understand them better. In our experience, there are three common methods for e-commerce sites to accept payment cards.

Store and download

This is the most common method for smaller merchants, especially those that have augmented their pre-existing physical store with an e-commerce outlet. These merchants already have a method of accepting payment card transactions in their store. Instead of getting a second merchant facility for their website, they download the payment card data relating to new orders from their server and manually enter this into their existing facility. As a result of this, payment card data has to be stored somewhere, usually on their web server.

Third-party gateway via API

Larger merchants tend to favour this option, as it gives them a seamless customer experience and enables them to authorise payment cards at the time of purchase. The customer submits their payment card data to the merchant's website during the checkout process. The merchant's website then passes this directly onto a third-party for authorisation. Using this method there is no reason for payment card data to be stored on the merchant's server nor is there any need for a customer to be redirected away from the merchant's website.

Hosted or direct third-party gateway

The goal of hosted and direct payment models is to ensure that the merchant's web server never sees payment card data. In a hosted model, the customer is redirected to a third-party during the check out process. This third party then presents the customer with a form to enter their card data into, processes this transaction and redirects the customer back to the merchant site.

A direct payment model is very similar, except that the credit card form is actually hosted on the merchant's website, but when the customer submits this form the data is sent directly to the third-party instead of back to the merchant.

All of these methods are susceptible to attack in certain circumstances. In general we see three different styles of attack:

  1. Stored data - As the names suggests, an attacker simply locates and copies stored payment card data. This is very common for "store and download" merchants, but also happens to API merchants that are storing payment card data inadvertently.
  2. In-transit - In a well-implemented merchant environment using an API payment model, there will not be any stored payment card data. As a result, an attacker needs to intercept data at the time that a transaction is made. Attackers commonly do this by saving a copy of every request sent to the payment gateway to a file that they can then download, or having a copy of each transaction e-mailed to them.
  3. Bait and switch - Whilst hosted and direct payment models dramatically reduce the risk of compromise for most smaller merchants, they do not completely eradicate the possibility of a compromise. By changing the destination that a customer is redirected to or the location that payment card data is sent to, the attacker can inject themselves into the transaction flow and capture payment card data.
    For example, an attacker could modify a merchant's website to direct their customers to instead of The attackers can make the website of look identical to and even send a copy of the data captured by to so the merchant still receives payment for their order. We've worked on cases where this has occurred and where it has gone unnoticed for several months.

This blog post has given you an introduction into how most merchants accept payments and how most bad guys steal this data. In part 2 I'll delve into the misconceptions about e-commerce security that we hear every day.

Latest SpiderLabs Blogs

Search & Spoof: Abuse of Windows Search to Redirect to Malware

Trustwave SpiderLabs has detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. We found the threat actors utilizing a...

Read More

The Sentinel’s Watch: Building a Security Reporting Framework

Imagine being on shift as the guard of a fortress. Your job is to identify threats as they approach the perimeter. The more methods you have for detecting those threats, the better your chances of...

Read More

Fake Advanced IP Scanner Installer Delivers Dangerous CobaltStrike Backdoor

During a recent client investigation, Trustwave SpiderLabs found a malicious version of the Advanced IP Scanner installer, which contained a backdoored DLL module. Our client had been searching for...

Read More