How do I know if a website is safe to use my credit card?


With regular reports on hacked businesses, database breaches, Internet vulnerabilities, and online credit card theft, internet users are rightly worried about making online purchases, for fear that their personal information may be compromised by attackers. But where does legitimate worry end and outright paranoia begin? In this article, I will try to allay some of that anxiety and provide users with knowledge on how to shop safely online.

It’s a big scary canvas

In a previous two-part series on this blog, we detailed the general overview of the web’s ecommerce environment and explained why some websites are more prone to credit card theft than others.

E-commerce websites can be grouped into two main categories: e-commerce websites operated by dedicated companies and independent websites operated by the site administrators themselves. The first category includes larger and well-known platforms like Amazon, Shopify, Etsy, and others. The latter includes all the websites where the store has created their own e-commerce website, usually on shared or VPS hosting. It is in this latter category of independent websites that the overwhelming majority of credit card theft occurs. You can check out the series of articles I linked to above for more background.

If you don’t know how to tell whether a website is using a managed platform, our SiteCheck tool can be a very useful friend! If you scan a website and navigate to the “Javascript included” area of the “More details” section, it can give you relevant information. Here is an example of how to determine if a website is using Shopify:

If you’re nervous about putting your credit card information on a checkout page, you don’t have to worry if they are using a large, well-known platform like Shopify (assuming your computer / browser is not infected – make sure you are using an antivirus software!). If you’re looking to be safe in a family-friendly ecommerce store, let’s explore a few red flags you can be wary of.

Blocklist resources

Credit card and online security companies take credit card fraud very seriously. They have dedicated teams of people working full time to make sure their customers are as safe as possible from threats. Credit card companies will collect data from “common points of purchase” for known fraud cases and often contact the administrator of the website in question to inform them of the threat. In severe cases, website administrators can be fined several thousand dollars for letting their websites be attacked. Taking website security seriously is of the utmost importance if you are operating such a store.

Authorities such as Google will maintain a block list of websites that are known distributors of malware or that contain active threats loaded from malicious domains. Websites that violate Google’s security policies will quickly find themselves blocked.

If you see such a warning when trying to visit any website or checkout page, I would advise against proceeding. There are many other vendors (including ourselves) that maintain a list of known attack websites. You can always submit the address of the e-commerce store in question to a service such as VirusTotal to see if it is being reported by vendors.

It should be mentioned that some providers are much more reputable than others. Just because a vendor reports a site does not necessarily mean it is infected. Some blocklist warnings are also left over from a previous infection that has already been resolved, so this is not a panacea, just something to be wary of!

Antivirus programs

Security applications that actively monitor and protect your computer against malware and other threats also often intercept suspicious traffic occurring in your web browser.

Different antivirus programs work in different ways, but they all try to protect you as much as possible. With the recent increase in web-based credit card theft programs, antivirus programs have actively improved their signatures and their detection of these threats.

If you receive a warning / notification from your antivirus program, you should not proceed with the purchase and it is advisable to notify the website owner of the warning.

Pro Tip: Providing a helpful screenshot when reporting issues is always recommended!

Poorly maintained websites

The websites most affected by credit card theft malware are most often (but not always) the ones that aren’t properly maintained. While it’s not always possible to tell from the outside, sometimes you can! Our SiteCheck tool can identify websites that are running outdated versions of WordPress or other CMS platforms. Other tools such as MageReport (specific to Magento sites) will also attempt to determine if the website is missing any security patches:

Websites that lack security patches or use outdated CMS installations should be avoided as a precaution.

Suspect javascript

If you want to dig a little deeper, you can also put on your security analyst hat and use some of the same tools we use to identify threats on e-commerce websites. Two of these tools that I would recommend are NoScript (for Firefox) and ScriptSafe (for Chrome).

These browser extensions are invaluable tools when examining the JavaScript that loads on a website. They also do a terrific job of making the online web browsing experience much safer, although they are a bit tedious to get used to at first.

When you visit an eCommerce website, you can check to see if there are any resources being loaded from suspicious domains.

Websites frequently load JavaScript and other content from third-party domains, and it takes some experience to know what belongs there and what does not. If you are not sure, you can submit the domains to VirusTotal and see if any providers report them as suspicious or malicious.

Here is an example of a known credit card exfiltration domain that throws several warnings:

You can also run a whois lookup on a domain if you are not sure. Malicious domains usually have a short lifecycle, so a recent registration date is a red flag:

$ whois  cdn-bootstrapcdn[.]com   
  Registry Domain ID: 2616864123_DOMAIN_COM-VRSN
  Registrar WHOIS Server:
  Registrar URL:
  Updated Date: 2021-09-17T19:20:07Z
  Creation Date: 2021-06-02T20:48:51Z
  Registry Expiry Date: 2022-06-02T20:48:51Z
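The check described above can be scripted. The following is an added example, not code from the original article: it parses the whois fields shown above and reports the domain's age on a given date. The function names and the 180-day threshold are assumptions chosen for illustration.

```javascript
// Fields copied from the whois output above.
const WHOIS_SAMPLE = `
  Registry Domain ID: 2616864123_DOMAIN_COM-VRSN
  Registrar WHOIS Server:
  Registrar URL:
  Updated Date: 2021-09-17T19:20:07Z
  Creation Date: 2021-06-02T20:48:51Z
  Registry Expiry Date: 2022-06-02T20:48:51Z
`;

const DAY_MS = 24 * 60 * 60 * 1000;

// Parse "Key: value" lines; keys with no value (as in the sample) map to "".
function parseWhois(text) {
  const fields = {};
  for (const line of text.split("\n")) {
    const m = /^\s*([^:]+):\s*(.*)$/.exec(line);
    if (m) fields[m[1].trim()] = m[2].trim();
  }
  return fields;
}

// Report how old the registration is on the date `asOf`.
// minAgeDays is an assumed threshold, not a value from the article.
function domainAge(text, asOf, minAgeDays = 180) {
  const f = parseWhois(text);
  const created = Date.parse(f["Creation Date"]);
  const expires = Date.parse(f["Registry Expiry Date"]);
  if (Number.isNaN(created)) {
    // Redacted or missing dates: report "unknown" rather than guessing.
    return { ageDays: null, termDays: null, recent: null };
  }
  const ageDays = Math.floor((asOf.getTime() - created) / DAY_MS);
  const termDays = Number.isNaN(expires)
    ? null
    : Math.round((expires - created) / DAY_MS);
  return { ageDays, termDays, recent: ageDays < minAgeDays };
}

// Age of the sample domain on the day its record was last updated.
console.log(domainAge(WHOIS_SAMPLE, new Date("2021-09-17T19:20:07Z")));
```

A young domain is only one signal; weigh it together with the blocklist and script checks described in this article.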

Malware is devious by design, and its authors go to great lengths to hide and disguise it. Here is an example of a credit card theft JavaScript injection claiming to be the popular website analytics service Hotjar:

At first glance, it seems benign, until you notice the use of the atob function and some sneaky base64-encoded strings. After the obfuscation is removed and the JavaScript executed, it is actually a credit card skimmer that loads malicious resources from the malicious domain firchtech[.]xyz
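The inspection described in this section can be partly automated. The following is an added example, not code from the original article: it lists the third-party hosts a page loads scripts from and decodes base64 string literals in inline scripts to surface URLs that are not visible in the source. The sample HTML, the example.* domains and the function names are constructed for illustration.

```javascript
// Constructed sample: a first-party script, a third-party script, and an
// inline snippet that hides a URL in a base64 literal passed to atob().
const hiddenUrl = "https://collector.example.net/a.js"; // constructed value
const SAMPLE_HTML = `
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/lib.min.js"></script>
<script>
  var s = document.createElement("script");
  s.src = atob("${Buffer.from(hiddenUrl).toString("base64")}");
  document.head.appendChild(s);
</script>`;

// Decode quoted literals of 16+ base64 characters; keep printable results.
function decodeBase64Literals(js) {
  const out = [];
  const re = /["']([A-Za-z0-9+/]{16,}={0,2})["']/g;
  for (const m of js.matchAll(re)) {
    const text = Buffer.from(m[1], "base64").toString("utf8");
    if (/^[\x20-\x7e]+$/.test(text)) out.push(text);
  }
  return out;
}

// Return third-party script hosts and any URLs hidden behind base64.
function inspectPage(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const hosts = new Set();
  const hiddenUrls = [];
  const tagRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(tagRe)) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (src) {
      // Resolve relative paths against the page before comparing hosts.
      const host = new URL(src[1], pageUrl).hostname;
      if (host !== pageHost) hosts.add(host);
    }
    for (const text of decodeBase64Literals(body)) {
      if (/^(https?:)?\/\//.test(text)) hiddenUrls.push(text);
    }
  }
  return { thirdPartyHosts: [...hosts].sort(), hiddenUrls };
}

console.log(inspectPage(SAMPLE_HTML, "https://shop.example.com/checkout"));
```

Hosts and decoded URLs reported this way are candidates for the VirusTotal and whois checks described above, not verdicts by themselves.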

It should be mentioned that credit card theft malware can run both in the browser (JavaScript) and on the server (PHP). JavaScript malware can be detected by your antivirus program and by inspecting the front-end web page. PHP server-side malware, on the other hand, cannot! It runs surreptitiously in the background and can siphon credit card details without leaving a trace. Without access to the website backend, you only see half the story.

Better safe than sorry

For the average internet user, there really is no way to know for sure whether it is safe to enter your credit card information on a website. Although users should be wary, this is not necessarily a reason to close themselves off from the world of e-commerce altogether.

Do your best to be cautious. Avoid websites that can be considered poorly maintained or that are blocked by reputable providers.

Credit card companies will do their best to block suspicious transactions, but be aware that once a credit card number is stolen, it is usually only a matter of days before it is offered for sale on the black market. In the final analysis, your best bet is to regularly check your credit card statement for transactions you haven’t made yourself and to contact your credit card company immediately if you see anything suspicious.

If you are an e-commerce website owner, consider signing up for our website security services to protect your website from attackers and credit card theft.

