Jump to content
Shellanza

Phishing with official Module?

Recommended Posts

Hello there,

I'm with Prestashop 1.7 and I'm trying to configure the preinstalled module.

When I start the process this is what's going on:

1) I click "configure" the module through the "installed modules" page. Paypal v4.2.1 by Prestashop

2) I'm then in the Prestashop backend page where I click "ACTIVATE" to start the project

3) I'm going to be redirect on Paypal login page (https secure, a real page...)

4) I enter my user and pass (that system recognize) and then I follow the steps to the end when I get the "You authorized Prestashop" and a blue button to "Back to Prestashop"

 

If I proceed my Antivirus tell me this is phishing and to be honest the URL given to return is quite weird. You can see on the screenshot I attached on the very bottom of the page

 

What the hell is going on? Maybe I have just to tell antivirus that this is a "false positive"??

 

 

Screenshot 2018-01-26 11.36.32.png

Screenshot 2018-01-26 11.36.02.png

Share this post


Link to post
Share on other sites

Hello,

We thank you for the interest you have shown in our module.

Please register and create a ticket on our support portal so that we can help you:
=> http://support.202-ecommerce.com/

As soon as receipt of your ticket we will contact you to give you a solution.

Best Regards,- 202 ecommerce

Share this post


Link to post
Share on other sites

Basically they are using an open auth connection to make it easier to connect paypal. This is so you do not have to enter creds that lots of people get wrong and lead to the 1002 error people get with paypal. The downside is you give them the ability to view your transactions and account history. So that is likely used for stats collecting against your company. 

Share this post


Link to post
Share on other sites

Thank you for explanation @DH42

I saw that domain is registered to 202, and that data that are send admin name and email as well as shop name and address. Like you said probably for stats collecting.

Share this post


Link to post
Share on other sites

@ Shellanza - ignore ? No, this module is against ec-rules. It should be not used. Developer should remove the part of collecting your data, no matter for which purposes he is collecting them. 202 is as well an EC company, they know that this is going against EC-laws.

Share this post


Link to post
Share on other sites

Hi all,

Thanks you for contact us again,  For information, this domain is safe. It's the intermediate server. He make redirect on your website with your credentials. It'a a false positive. 

For more questions, please register and create a ticket on our support portal so that we can help you:
=> http://support.202-ecommerce.com/

As soon as receipt of your ticket we will contact you to give you a solution.

 

Thanks you 

Support Team 202 e-commerce

Share this post


Link to post
Share on other sites

@selectshop.at thanks for joining this topic. About any alternative you have some suggestions?

@everybody else I followed their suggestions and I opened a ticket with them: they told they same as here. It's a "false positive" and I have no others information about how that works.

 

 

 

Share this post


Link to post
Share on other sites
1 hour ago, Shellanza said:

@selectshop.at thanks for joining this topic. About any alternative you have some suggestions?

Unfortunately there is no other Paypal module for free available. Prestashop should remove this from core as not suitable for EC (I already opened a ticket on forge bugtracker for this).

What you can try is to use any other module with gateway to standard Italian banks. In this case customer will pay directly from his bank account, so very secure payment for you (Skrill, Ingenico, HiPay etc...) - If module not on your back-office, than you can download them for free of addons site: https://addons.prestashop.com/en/481-payment

Share this post


Link to post
Share on other sites

HI,

Thanks you for contact us, here's how the integrated payment method works on your e-commerce platform:


1 / The buyer chose to pay with PayPal
2 / Your site sends an API request to PayPal called "SetExpressCheckout".
3 / PayPal responds to this API request by providing a "token" (Starting with EC ...).
4 / Your site uses this token to redirect the buyer to the PayPal payment page via the URL:
https://www.paypal.com/cgi-bin/webscr?cmd=_express-checkout&token=XXXX (where XXXX is the token returned in the previous step).
5 / The buyer chooses his payment solution and clicks on "Pay" or "Continue" (this depends on your integration).
6 / The buyer is redirected to your site that runs the GetExpressCheckout API (optional) and DoExpressCheckout (required) to make the payment.

 

You can contact us via the form provided for this purpose on the page of your Prestashop module.
For the module named "PayPal Europe - Official Module": http://addons.prestashop.com/en/1748-paypal.html

 

Thanks you 

Support Team 202 e-commerce

Share this post


Link to post
Share on other sites

@202 ecommerce - this was not really the question. How it works is clear, but not what happens behind, i.e. that the module (as intermediate) is collecting not explicit allowed third party information for stat purposes (this information is not given anywhere when you install/activate the module, nor I have a possibility to dissent to this data collection), which is not according to EC rules.

The link you added one post before is for the same module coming with Prestashop core. ;)

Share this post


Link to post
Share on other sites

Hi all,

First of all, sorry for our previous answers which were not relevant.

New PayPal module (ie : PayPal version 4.x) has a new onboarding engine. As mentioned below, this engine avoids API credentials copy and paste, which was a major issue faced by merchants with our module. This new onboarding engine also allows merchants with no PayPal account to create an account right in the onboarding process.

This new onboarding engine uses a bounce server (pp-ps-auth.com), to access PayPal specific resources. Bounce server is used for security reasons, no data is collected / stored, data is only pushed to PayPal. Schema has been designed with PayPal.

Thanks @Shellanza for your alert, you are the first to face such false positive. We will contact antivirus maker ESET to see how we can remove this alarm.

Pierre
202 ecommerce

Share this post


Link to post
Share on other sites

@202ecommerce

Sorry, but also for the push service (overmore a third party service without any relation to Paypal), you need to inform to the customers using your module, that you are pushing data and collecting them for a while BEFORE THEY INSTALL YOUR MODULE. Transparency and consent are missing. Without the explicit consent of any EC-user, your module is not according EC laws and not suitable.  There is no need for to use the push service.  There is no excuse. Personally I'm not comfort with third party integrations in a module, because this undermines any law, security, etc. In case of stolen data I, as shop owner offering this kind of service with your module, will be legally responsible. And you as module provider/push service provider will acquit yourself.

Furthermore most of the people using Paypal know what Paypal is and they have a Paypal account, so it should be the majority in this case and not the minority. So why are you using this architecture, and this without any consent or information ? Change it, and make it according to

And the false positive is not only given by ESET. Test with other firewalls.

Share this post


Link to post
Share on other sites

 

Hi,

1 - We don't push any data before merchant install module, then clicks button "Activate" in module configuration screen.

2 - No data is stored by 202 : data is transferred to PayPal & used for pre-fill subscription process fields (merchant can change).

3 - PayPal, as a payment solution in EC, has strong legal commitment, including on security topics. Working with a third party does not free PayPal form theses commitments.

The new subscription process is more safe & simple. I will share your feedback with PayPal for further investigations.

Pierre
202 ecommerce

Share this post


Link to post
Share on other sites

Hi Piere,

there is nothing safe, if you use push services. This could be intercepted, cause you are using a middleman.

1 - I'm not saying that you are reading data BEFORE module is installed.

2 - There is no guarantee of this nowhere, what your servers are doing or not. You are not informing about that there is a third partie service (middleman) involved on the course of data transfer to Paypal. You are surely not anonimizing data as requested per law, because this data is needed for Paypal account. Furthermore if you really want to go ahead by this way you at least need to have the explicit consent from module user for this. There is no form popping-up on where you can disagree or agree to that.

3 - Not relevant in this case. Paypal is Paypal. We are talking about what your module is doing and not Paypal service per se.

4 - Technically there is no need to use a push service for to connect to Paypal. Make your module according to ePrivacy Directives 2002 and all will be ok and nobody will have any claim on your module.

Conny

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×