Double-entry attack with convincing fake forms triggered from non-sensitive webpages - April 29, 2025
SOURCE DEFENSE RESEARCH INTELLIGENCE NEWS
Recent attack exploits unprotected, non-sensitive webpages to deploy a customized fake payment form on each target site
Attackers are continuously evolving their methods to steal credit card data without detection. In this case, we’ve identified a custom-made attack that deploys a fake payment form tailored to each target site. In addition to mimicking the site's branding, including the logo, the form features an address autocomplete component—as shown in the screenshot below.
What makes this attack especially deceptive is that it’s triggered from a non-sensitive page. This means websites that don’t monitor all of their pages may struggle to detect it.
It is also worth noting that the PCI Council does not yet require client-side controls (Requirements 6.4.3 and 11.6.1) to be enforced on non-payment pages. This means that such an attack can occur on a site that complies with those requirements. The bottom line is that this attack underscores why extending protections beyond payment pages is essential.
How does it work?
The attack code is activated when a user clicks the checkout button. It’s customized to match each site’s unique button labels and behavior. This action loads the fake payment form from a malicious domain, complete with the site’s logo and address autocomplete functionality. Once the user enters their data, it's sent directly to the malicious domain—after which the legitimate payment form is loaded.
How does Source Defense protect you from such attacks?
Source Defense continuously monitors for and identifies emerging attacks, ensuring that malicious domains are swiftly detected, blacklisted, and blocked — often before they are flagged by other security providers.
It's important to note that because the malicious code is launched from a non-payment page, only customers with full protection coverage — our Standard Protect product — are safeguarded against such threats. Limited Protect, which covers only payment pages, does not provide protection in this scenario.
How will you be alerted?
In this attack, the following alerts would be triggered if using the Source Defense system:
New first party script identified - flags unknown or suspicious scripts
New behaviors identified:
  ○ Accessing PCI data
  ○ Accessing PII data
  ○ Sending data to blacklisted domain
These alerts would be prominently displayed in:
The bell notification center
The dashboard summary (marked in red)
The 'Found in blacklists' and 'Script behaviors' widgets with suspicious activity, both highlighted in red
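To make the attack flow and the alerting concrete, the following is an added example written for this page; it is not Source Defense code and does not reflect how its product is implemented. It replays a constructed trace of client-side events from a non-payment cart page (checkout click loads an unknown first-party script, the script reads card and contact fields, then posts them to the attacker's host) through a small monitor that raises the alert types listed above. It also runs the same trace under a payment-pages-only coverage model to show why that model misses the attack. All hostnames, paths, field names and the "unapproved domain" alert (which goes beyond the post's list) are constructed assumptions.

```javascript
// Added example (not Source Defense code). A minimal client-side behaviour
// monitor that evaluates page events against a script baseline, a domain
// blacklist and a destination allowlist. Every host, path and field name here
// is constructed for illustration.

const FIRST_PARTY_HOST = "shop.example";                          // constructed
const PAYMENT_PATHS = new Set(["/checkout/payment"]);              // constructed
const KNOWN_SCRIPTS = new Set(["https://shop.example/js/app.js"]); // constructed baseline
const BLACKLISTED_HOSTS = new Set(["cdn-bad.example"]);            // constructed
const APPROVED_HOSTS = new Set([FIRST_PARTY_HOST, "pay.example"]); // constructed

// Form-field names treated as card data (PCI) or personal data (PII), matched
// after lower-casing and stripping non-alphanumerics. Constructed heuristic.
const PCI_FIELDS = new Set(["cardnumber", "ccnumber", "pan", "cvv", "cvc", "cvv2",
  "expiry", "expmonth", "expyear"]);
const PII_FIELDS = new Set(["email", "phone", "firstname", "lastname", "fullname",
  "address", "address1", "city", "zip", "postalcode"]);

const normalize = (name) => name.toLowerCase().replace(/[^a-z0-9]/g, "");
const hostOf = (url) => new URL(url).hostname;

// coverage "all" monitors every page; "payment-only" monitors only PAYMENT_PATHS,
// mirroring the full-coverage vs payment-page-only distinction the post draws.
function analyzeEvents(events, { coverage = "all" } = {}) {
  const alerts = [];
  const raise = (alert, ev, detail) => alerts.push({ alert, page: ev.page, detail });

  for (const ev of events) {
    // A page outside the monitored set produces no telemetry at all.
    if (coverage !== "all" && !PAYMENT_PATHS.has(ev.page)) continue;

    switch (ev.type) {
      case "script_load":
        // A script served from the site's own host that is not in the baseline.
        if (hostOf(ev.url) === FIRST_PARTY_HOST && !KNOWN_SCRIPTS.has(ev.url)) {
          raise("New first party script identified", ev, ev.url);
        }
        break;
      case "field_read": {
        const field = normalize(ev.field);
        if (PCI_FIELDS.has(field)) raise("Accessing PCI data", ev, ev.field);
        else if (PII_FIELDS.has(field)) raise("Accessing PII data", ev, ev.field);
        break;
      }
      case "network_send": {
        const host = hostOf(ev.url);
        if (BLACKLISTED_HOSTS.has(host)) {
          raise("Sending data to blacklisted domain", ev, host);
        } else if (!APPROVED_HOSTS.has(host)) {
          // Added beyond the post's alert list: catches a collection host that
          // has not been blacklisted yet.
          raise("Sending data to unapproved domain", ev, host);
        }
        break;
      }
    }
  }
  return alerts;
}

// Constructed event trace modelled on the flow described in the post: the
// checkout click on the cart page loads an unknown script, which reads card and
// contact fields and posts them to the attacker's host before the real form loads.
const SAMPLE_EVENTS = [
  { type: "script_load", page: "/cart", url: "https://shop.example/js/app.js" },
  { type: "script_load", page: "/cart", url: "https://shop.example/js/checkout-helper.js" },
  { type: "field_read", page: "/cart", field: "card-number" },
  { type: "field_read", page: "/cart", field: "email" },
  { type: "network_send", page: "/cart", url: "https://cdn-bad.example/collect" },
];

const limited = analyzeEvents(SAMPLE_EVENTS, { coverage: "payment-only" });
const full = analyzeEvents(SAMPLE_EVENTS);
console.log(`payment-only coverage: ${limited.length} alerts`);
console.log(`full coverage: ${full.length} alerts`);
for (const a of full) console.log(` - ${a.alert} on ${a.page} (${a.detail})`);
```

Run as written, the payment-only model reports zero alerts because the cart page is never monitored, while full coverage reports the four alert types listed above. In a real deployment the events would come from instrumenting script loading, DOM field access and outbound requests in the browser; the monitor logic itself does not change.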