Support A2Billing :

provided by Star2Billing S.L.

All times are UTC




 Post subject: PayPal payment fraud
PostPosted: Mon Feb 27, 2012 10:07 am 
Joined: Mon Mar 02, 2009 8:56 pm
Posts: 271
I have a client whose a2billing 1.9.4 install was used fraudulently. The hacker appears to have been able to fake PayPal top-up payments.

Looking at the logs it seems as though the transaction went through normally, with the initial request for payment and the response coming back from PayPal. The client says though there is no record of the payment in their PayPal account. The hacker made multiple $20 top ups.
Does anyone know if this sounds like a known issue?

Here are some log entries from when the fraud happened –

Apache Log -

72.64.131.229 is the address the attacker used and 66.211.170.66 is an address that resolves to e-bay/paypal.

Code:
72.64.131.229 DELETEDWEBADDRESS - [25/Feb/2012:05:25:20 +0000] "GET /index.php? HTTP/1.1" 200 5793 "https://DELETEDWEBADDRESS/userinfo.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
72.64.131.229 DELETEDWEBADDRESS - [25/Feb/2012:05:25:35 +0000] "POST /userinfo.php HTTP/1.1" 200 8520 "https://DELETEDWEBADDRESS/index.php?" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
72.64.131.229 DELETEDWEBADDRESS - [25/Feb/2012:05:25:39 +0000] "POST /checkout_payment.php HTTP/1.1" 200 11403 "https://DELETEDWEBADDRESS/userinfo.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
72.64.131.229 DELETEDWEBADDRESS - [25/Feb/2012:05:25:42 +0000] "POST /checkout_confirmation.php HTTP/1.1" 200 7648 "https://DELETEDWEBADDRESS/checkout_payment.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
66.211.170.66 DELETEDWEBADDRESS - [25/Feb/2012:05:26:32 +0000] "POST /checkout_process.php?transactionID=46&sess_id=og7n0emjoauhnjspkah0kk1hu2&key=a660fcfc4efefcac036149fa0a1aaf0f HTTP/1.0" 200 0 "-" "-"
72.64.131.229 DELETEDWEBADDRESS - [25/Feb/2012:05:26:41 +0000] "GET/userinfo.php HTTP/1.1" 200 8524


Here are the details from the a2billing_epayment.log for the above transaction. It's a bit tricky to tie up the relevant entries as there were multiple transactions going through -

Code:

[25/02/2012 05:26:31]:[checkout_process.php line:41EPAYMENT :
transactionID=46 - transactionKey=a660fcfc4efefcac036149fa0a1aaf0f
-POST Var
Array
(
[mc_gross] => 20.00
[protection_eligibility] => Ineligible
[payer_id] => 78FTBJUGCWCKJ
[tax] => 0.00
[payment_date] => 21:26:28 Feb 24, 2012 PST
[payment_status] => Completed
[charset] => windows-1252
[first_name] => adam
[mc_fee] => 0.88
[notify_version] => 3.4
[custom] =>
[payer_status] => verified
[business] => [email protected]
[quantity] => 1
[verify_sign] => A2iHyMsMvz7TFHtpfygEaYPRM0pNAFRUlbSrxMQ6ysffOBk6Pv68aaKb
[payer_email] => [email protected]
[txn_id] => 0HT10106CV8399128
[payment_type] => instant
[payer_business_name] => Gem Cards
[last_name] => kjeer
[receiver_email] => [email protected]
[payment_fee] => 0.88
[receiver_id] => 482TYDNEJSRCJ
[txn_type] => web_accept
[item_name] => DELETEDNAME
[mc_currency] => USD
[item_number] =>
[residence_country] => US
[handling_amount] => 0.00
[transaction_subject] => DELETEDNAME
[payment_gross] => 20.00
[shipping] => 0.00
[ipn_track_id] => 8d5d4f2ae383c
)
]

[25/02/2012 05:26:31]:[checkout_process.php line:87- QUERY = UPDATE
cc_epayment_log SET status = 2 WHERE id = 46]

[25/02/2012 05:26:31]:[checkout_process.php line:97- transactionID=46
EPAYMENT RESPONSE: TRANSACTIONID = 46 FROM paypal; FOR CUSTOMER ID
632; OF AMOUNT 20.000]

[25/02/2012 05:26:31]:[checkout_process.php line:126-OPENDING HTTP
CONNECTION TO ssl://www.paypal.com]



a2billing_epayment.log

Code:

[25/02/2012 05:26:32]:[checkout_process.php line:272-transactionID=46
---------- TRANSACTION INFO ------------
Array
(
[0] => Array
(
[0] => 46
[id] => 46
[1] => 632
[cardid] => 632
[2] => 20.000
[amount] => 20.000
[3] => 0
[vat] => 0
[4] => paypal
[paymentmethod] => paypal
[5] =>
[cc_owner] =>
[6] => XXXXXXXXXXXX
[cc_number] => XXXXXXXXXXXX
[7] => -
[cc_expires] => -
[8] => 2012-02-25 05:25:42
[creationdate] => 2012-02-25 05:25:42
[9] => 0
[status] => 0
[10] =>
[cvv] =>
[11] =>
[credit_card_type] =>
[12] => USD
[currency] => USD
[13] => 0
[item_id] => 0
[14] =>
[item_type] =>
)

)
]

[25/02/2012 05:26:32]:[checkout_process.php line:316-transactionID=46
CARD FOUND IN DB (632)]

[25/02/2012 05:26:32]:[checkout_process.php line:328-transactionID=46
Update_table cc_card :  credit = credit+'20' - CLAUSE :  id='632']


Any help appreciated. Let me know if any other logs would help. Thanks.


 Post subject: Re: PayPal payment fraud
PostPosted: Wed Mar 07, 2012 12:34 pm 
Joined: Sun Aug 27, 2006 3:43 am
Posts: 91
Have you found any solution yet?


 Post subject: Re: PayPal payment fraud
PostPosted: Sat Apr 07, 2012 2:11 pm 
Joined: Sun Jul 04, 2010 4:39 pm
Posts: 5
I ran into the same problem with a newly installed A2Billing 1.9.4.
Someone signed up 10 accounts in a short period of time and topped up with paypal while the A2B system remains at the default paypal account "[email protected]", and the payment still went through!!! How does something like this happen???

Throughout all the accounts this guy created, I found 2 paypal accounts were used to make those payments. I was forced to disable paypal payment and the web signup feature because I do not know how such a thing was achieved.

So here is the log:

Code:
[02/04/2012 06:12:57]:[checkout_process.php line:41EPAYMENT : transactionID=1 - transactionKey=d20bb3dfd92486b4d48bbf8b89e76593
-POST Var
Array
(
    [transaction_subject] => DELETEDNAME
    [payment_date] => 23:12:51 Apr 01, 2012 PDT
    [txn_type] => web_accept
    [last_name] => Meussner
    [residence_country] => US
    [item_name] => DELETEDNAME
    [payment_gross] => 10.00
    [mc_currency] => USD
    [business] => [email protected]
    [payment_type] => instant
    [protection_eligibility] => Ineligible
    [verify_sign] => Ae-XDUZhrxwaCSsmGO9JpO33K7P1ArSTsWyt.G4Hnc-EJTXYHdV72bNv
    [payer_status] => unverified
    [tax] => 0.00
    [payer_email] => [email protected]
    [txn_id] => 8C682152XP570713D
    [quantity] => 1
    [receiver_email] => [email protected]
    [first_name] => Michelle
    [payer_id] => Q9RVBBMSJZBE8
    [receiver_id] => WD73BUUR8K8PC
    [item_number] =>
    [handling_amount] => 0.00
    [payment_status] => Completed
    [payment_fee] => 0.69
    [mc_fee] => 0.69
    [shipping] => 0.00
    [mc_gross] => 10.00
    [custom] =>
    [charset] => windows-1252
    [notify_version] => 3.4
    [ipn_track_id] => abf3148923b36
)
]


Array
(
    [transaction_subject] => DELETEDNAME
    [payment_date] => 00:22:36 Apr 02, 2012 PDT
    [txn_type] => web_accept
    [last_name] => Schocket
    [residence_country] => US
    [item_name] => DELETEDNAME
    [payment_gross] => 30.00
    [mc_currency] => USD
    [business] => [email protected]
    [payment_type] => instant
    [protection_eligibility] => Ineligible
    [verify_sign] => AIkKNboJiyuxWLOHUlzTd3lpqCSxApjtDhY8MEO0CXmPlDOMeAsZaQkA
    [payer_status] => verified
    [tax] => 0.00
    [payer_email] => [email protected]
    [txn_id] => 42E27104FU146681S
    [quantity] => 1
    [receiver_email] => [email protected]
    [first_name] => Sherri
    [payer_id] => WLB4LFN7KANCL
    [receiver_id] => P9YX36QDJFTFE
    [item_number] =>
    [handling_amount] => 0.00
    [payment_status] => Completed
    [payment_fee] => 1.17
    [mc_fee] => 1.17
    [shipping] => 0.00
    [mc_gross] => 30.00
    [custom] =>
    [charset] => windows-1252
    [notify_version] => 3.4
    [ipn_track_id] => d7d7728993f99
)
]



Does anyone know how this was done? And how can we prevent this?


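The IPN dumps posted in this thread carry `payment_status`, `receiver_email`, `receiver_id`, `mc_gross`, `mc_currency` and `txn_id`. As an added example (not part of any post above and not A2Billing's own code), the PHP function below applies the checks PayPal's IPN guidance asks for before an account is credited: the payment is Completed, it was received by the merchant's own account, the amount and currency equal the stored order, and the `txn_id` has not been credited before. The function name, array keys and all sample values are assumptions constructed for illustration.

```php
<?php
// Added example, not A2Billing code. Function name and array keys are hypothetical.
// Call only after PayPal has answered VERIFIED to the cmd=_notify-validate postback.

/** Returns reasons to refuse the credit; an empty array means the IPN may be credited. */
function ipn_rejection_reasons(array $ipn, array $order, array $merchant, array $creditedTxnIds): array
{
    $field = function (string $key) use ($ipn): string {
        return trim((string) ($ipn[$key] ?? ''));
    };
    $cents = function ($amount): int {
        return (int) round(((float) $amount) * 100);
    };
    $reasons = [];

    if ($field('payment_status') !== 'Completed') {
        $reasons[] = 'payment_status is not Completed';
    }
    // The money must have arrived in the merchant's own PayPal account.
    if (strcasecmp($field('receiver_email'), $merchant['receiver_email']) !== 0
        || $field('receiver_id') !== $merchant['receiver_id']) {
        $reasons[] = 'receiver does not match configured merchant account';
    }
    // Amount and currency must equal what was stored when the order was created.
    if ($cents($field('mc_gross')) !== $cents($order['amount'])
        || strtoupper($field('mc_currency')) !== strtoupper($order['currency'])) {
        $reasons[] = 'amount or currency differs from stored order';
    }
    // Each PayPal txn_id may be credited once only.
    if ($field('txn_id') === '' || in_array($field('txn_id'), $creditedTxnIds, true)) {
        $reasons[] = 'txn_id missing or already credited';
    }
    return $reasons;
}

// Constructed sample data, shaped like the IPN dumps in this thread; every value is made up.
$merchant = ['receiver_email' => 'billing@merchant.example', 'receiver_id' => 'MERCHANTID0001'];
$order    = ['amount' => '20.000', 'currency' => 'USD'];
$ipn      = ['payment_status' => 'Completed', 'receiver_email' => 'billing@merchant.example',
             'receiver_id' => 'MERCHANTID0001', 'mc_gross' => '20.00', 'mc_currency' => 'USD',
             'txn_id' => 'CONSTRUCTEDTXN001'];

var_dump(ipn_rejection_reasons($ipn, $order, $merchant, []));        // IPN matching the order
$elsewhere = array_merge($ipn, ['receiver_email' => 'other@payer.example',
                                'receiver_id' => 'OTHERID0000002']);
var_dump(ipn_rejection_reasons($elsewhere, $order, $merchant, []));  // paid to a different account
var_dump(ipn_rejection_reasons($ipn, $order, $merchant, ['CONSTRUCTEDTXN001'])); // txn_id seen before
```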
 
 Post subject: Re: PayPal payment fraud
PostPosted: Thu Apr 12, 2012 7:29 am 
Joined: Sat Oct 13, 2007 4:07 am
Posts: 189
Yeah, you do like ALL the other companies selling minutes online. You validate the person before allowing them to use the credits.

