Almost every transaction on the Internet is riddled with risks, and the use of online payment processing platforms is no exception. With more people opting to transact online and use digital wallets, threat actors have much to gain by targeting online payment processing platforms. Attack surface reduction is, therefore, crucial for companies within this sector.

But with a wide range of attack vectors targeting online payment processors, how is attack surface reduction possible? Attack surface management is key. Using data sources for attack surface management, we analyzed three of the biggest payment processing companies’ attack surfaces and discovered some interesting insights.

The Data: PayPal, Transferwise, and Payoneer

The three online payment processing companies are among the most popular and widely used today. Among them, PayPal has the most significant market share, with 295 million users. It is also the oldest company, having been founded in 1998. Payoneer started about 15 years ago and has amassed 4 million users. On the other hand, Transferwise is relatively new, having started only in 2010. Still, it has 5 million active users.

Payoneer and Transferwise are mostly used by remote workers and freelancers, while PayPal has also taken over the e-commerce market as one of the primary payment methods. The three companies have more than 300 million users in total, making them prime and lucrative targets for threat actors.

To begin the attack surface reduction process, we compiled a list of possible attack vectors for PayPal, Transferwise, and Payoneer in the form of domains and subdomains.

The More Users, the More Subdomains

While this is an obvious inference when talking about website infrastructure, data gathered from the attack surface management solution reveals that cybersecurity is also an issue. Note that each piece of information obtained for this study was processed to ensure that they don’t belong to the online payment processing companies. Hence, all subdomains are not owned by PayPal, Transferwise, or Payoneer, highlighting the need to see how they are being used.

PayPal, which has the largest number of users among the three, also has the highest number of related subdomains. We saw 7,393 subdomains containing the string “paypal.”

Around 88 subdomains were related to Payoneer, while 31 contained the string “transferwise.”

Subdomains Pointing to Downloadable Apps

One of the most noticeable types of subdomains among the three payment processing platforms is those that point to downloadable applications.

For Transferwise, about 26% of the subdomains were owned by Softonic. While the software and app discovery platform is legal and legitimate, we have seen reports of malware downloaded along with the apps. For utmost security, the best practice is to download apps directly from their developers’ or owners’ sites.

As part of the attack surface reduction process, the payment processors could work with Softonic and other app discovery platforms to ensure that their apps are free from malware.

Unused Subdomains

Another glaring characteristic in the data is the presence of several unused subdomains. For instance, all three company names appear in multiple Zendesk subdomains, some of which are unused.

To illustrate, we took a website screenshot of the subdomain payoneer-office[.]zendesk[.]com and was greeted with the error message shown below.

Quite several Zendesk subdomains in this study returned the same error, which means that they are (most likely) no longer used. For attack surface reduction, either of these things can be done:

• If PayPal, Transferwise, and Payoneer owned these Zendesk accounts before, they would do well to have the subdomains removed and/or monitor it.
• If the companies have no association with the Zendesk subdomains, they could be dealing with a typosquatting campaign and must address it properly.

Subdomain takeover could be detrimental to both the owner (e.g., Zendesk) and the companies being imitated (e.g., PayPal, Transferwise, or Payoneer). It could result in user account takeovers and data breaches.

On the other hand, downloaded applications that could be laden with malware would eventually harm the companies’ reputation. These attack vectors should be accounted for and dealt with through attack surface reduction.