IFUP - online payment hijacking/spoofing proof of concept

In 2013, I found that online payments are easily hijackables. I created a POC : ICUP, (for I Cross U'r Payment). ICUP is a little .NET program that is injected into Internet Explorer for manipulate the DOM. ICUP could get products name, prices etc, and forge a custom payment page that seems legit. This poc is still online here : ICUP POC on Youtube.

IFUP : How I F*** U'r Payments

Today, I'me here to present you a POC for Chrome/Firefox, a plugin named IFUP. This POC does the same thing as ICUP, but on a real e-shop. Here is the demo of IFUP :

If you look the two payments pages (0:45 and 1:20), you could see that they are identicals. The forged page is even better, because we can see the name of the product we are buying. So, all seems legit. Recentyl, Sucuri has published a note in wich they said that a malicious person has modified an account ID on a Paypal donate button to hijack payment. So, pirates know that with hijacking, they can bypass all security problems.

Two factor authentication and security

In this case, all security factors that exist are useless: the client think he is on a legit payment page. He wants to pay. So he will receive a SMS or an email, put the payment code in the form, and validate the payment. Once the payment is hijacked, it's game over. The only thing that can protect the customer is the insurance. His bank will repay it. And his bank will be repaid by its own insurance. And the bank insurance will be repaid by the insurance of insurance. So, where is the problem ?

The answer of banks and payment companies

I contacted banks and payment companies to inform them about the problem, and to help them to secure this kind of vulnerability about the web and payments. Most of them don't care. Some of them called me and wanted some help, but at a very low cost. And one (a CEO of a London payment company), said me : "help me freely, or I'll take you to court". He has added: "Your poor little company will die in less than 6 months". Fantastic, isn't it ? So, I was called a Sunday morning by the police to hear me in relation to this case. Finally, there was a motion to dismiss. The complaint stated that I would enter the information system and servers of that person's company. And that's where we understand that many people do not understand the functioning of the internet : the POC only acts locally on a computer in a browser, and does not need to access any server.

Browser hijacking is a nightmare

DOM is really easy to manipulate, and browsers work with scripts called from CDN and external servers. If one script in a CDN is corrupted to hijack payments, all browsers will hijack your payments. Furthermore, Ad Exchange companies put scripts in websites you browse everyday, and sell to advertisers the possiblity to put their scripts/medias on the page you are browsing. Trojan horses or viruses are able to inject himself in browser to evade firewalls : they are in the place and can access the DOM. When a payment is hijacked, nobody is aware of that: the e-shop just see his customer leaving the website, and the customer thinks he has paid. Then, with Bitcoins and e-currencies, pirates can laundering money easily. SO, with a little imagination, a malicious person can do very bad things.

How to secure ?

I'm working on IT security solutions, and for this kind of problem, I created a service that helps prevent them. If you are a e-shopper or a payment company and want help on security, don't hesitate to contact me.

Adrien