Magento Paypal Carding Attack 0$ Order Checkout Hack

April 22, 2021 Written By Hemant Parmar

Talk to Experts Need expert help? Don’t hesitate to talk.

You can do direct email


We would love to hear about your Magento project, challenge, or opportunity. We'll respond within 24 hours!

eCommerce sites are the hot favorite and always be a target for crooks and attackers, they are the information center of personal and financial data. for businesses of all sizes, the cost of a breach both in loss and data and in customer trust leads to damage for businesses.

Do you know that hacker’s group has broken into more than 570 eCommerce stores in the last three years? The reasons could be lesser security, platform, and vulnerabilities, and also it is confirmed that most of these stores run on Magento CMS. Well, it takes many years to build an eCommerce store and to have a significant clientele. Hence, it is always a good idea to protect your eCommerce website from bad bots and ensure safety.

Magento, the leading platform that makes online shopping easy and fast and allows retailers to create shop fronts and shopping carts for their websites is also under security threats. However, hackers are attracted by the large numbers of user’s information and the accompanying swathes of data which spell huge profits for attackers and correspondingly huge losses for website owners.

The aim behind such attacks is to breach financial information to use for further use like sale, shopping, or to perform criminal activity. The only reason hackers have been successfully attacking a such number of stores is because that most of the stores are running on an older version of Magento which has less security, privacy, and performance compared to Magento 2 which was released in 2010.

Also Read : Types of Cyber Attacks You Need To Secure Your Business From

The most common attack that has been placed by an attacker is Carding attack. It’s a credit card fraud where attackers use stolen credit cards to charge prepaid cards and sell them to other people. Because you know that credit cards are often canceled quickly after being lost, and that’s why carding involves testing the stolen card information to see if it still works. One way thieves test card information is by submitting purchase requests on the internet, something that can impact merchants.

Usually, attackers make the purchase by sending zero payment requests and test all the stolen cards they have. Zero payment request is a method that is used by attackers to check stolen credit cards and test if it works or not.

There are many ways to attacker’s attack stores and break the security threats including Ransomware, Brute force attack, Phishing attack, Website defacement attack, CardBleed, Magecart, Magento Backdoor, and Magento file injection.

What is a Zero PayPal Payment Request?

Zero PayPal Payment request is a method of requesting payment with a credit card to retailers or online sellers to check whether the card is working or not. Well, this request is being misused by hackers as they buy stolen credit cards from the thieves or market and use them to shop.

PayPal has a range of options for making and receiving payments and 0 PayPal request is one way to request payment. However, the rise in cybercrime is increasing over time and no wonder attackers are always in the search of a hunt to breach store information and data.

Also read: Paypal Ended Support for Magento 1 before its End of Life

The reason why crooks use 0 payment request is that PayPal is the only Payment gateway that accesses to send a 0 payment request. Requesting money on PayPal is easy and that’s the reason most of the time attackers use this method to attack stores. Let’s understand how it is used and implemented by attackers.

So, at first, attackers buy stolen credit cards from the market or thieves and store those credit cards to use further. Then they test each card one by one and check if there’s any card with, they can make a purchase or send 0 payment request with PayPal.

After testing and checking plenty of credit cards, they send a payment request to online retailers with those unknown cards and submit a purchase. With 0 PayPal payment request, attackers try to use stolen cards and misuse for criminal activities or uses.

So far, many stores have been attacked by crooks and if not properly secured, credit card numbers and other data can be stolen by hackers, leaving financial impact and loss of reputation for the eCommerce provider.

Order Checkout for 0$ Purchase hack in Magento 2

Often, multiple Magento users are targeted by attackers in one go, and may increase the popularity of Magento online stores become the attention for attackers. However, it is important to understand the impact of a weak and fragile security policy than be sorry later.

So, it is going this way: crooks are constantly visiting Magento stores that support PayPal only to check the validity of credit cards, which they have bought from stolen card forums.

As discussed above, these attackers are doing hundreds of $0 transactions on every kind of Magento store (i.e., Magento 1 and Magento 2) for verifying the authenticity of card details. The details of cards which hackers are testing on such platform come from the dark cybercrime forums online.

Also read: Ecommerce Fraud Protection for Online Merchants

In Magento, as a safety measure, the Magento team has also announced that PayPal holds the right of suspending accounts with repeated automation operations on any online store website.


Do you want to secure your store from being attacked by hackers? Then your all sites need a Magento audit as online stores are ideal quarries for attackers as they can steal personal and payment data which is required for purchase.

Need a help with security audit for your Magento 2 store websites? M-connect Media can help you here. We have experienced and Certified Magento Developers who can help you with security review, Magento code audit, and Malware check. Our specialists do everything to protect your online stores from a potential cyber attack.

Need Magento expert help?

We provide result-driven solutions to expand the competency level and productivity.

Instant Help CenterAvailable!

Monday to FridayResponse promised within 24 hours!

Call Us

+1 319 804-8627

Load Comments

Your email address will not be published. Required fields are marked *

5 4 3 2 1

  • Worried for deadlines? Our Magento Experts are effortlessly Working from Home.
  • Check out our Magento Developer Hiring Packages for Agency as well as individuals.
View Packages

Talk to Experts Need expert help? Don’t hesitate to talk.

You can do direct email


We would love to hear about your Magento project, challenge, or opportunity. We'll respond within 24 hours!

Please fill this form, Mr.Yogesh will reply by email asap.

Please fill this form, Mr.Darshit will reply by email asap.

Please fill this form, Mr.Jayesh will reply by email asap.

Please fill this form, Mr.Jiten will reply by email asap.