Watch your card transaction activity this shopping season; research warns

  • Carding bots can emulate human behavior by creating a shopping cart and adding products to it along with the shipping information.
  • As we approach the holiday season, payment fraud cases are expected to rise in numbers.

An update regarding payment fraud has surfaced ahead of the big holiday season for this year as e-commerce businesses are expecting a surge in sales. Cybercriminals are now looking for ways to validate stolen card details for early gains using carding bots.

In a carding bot attack, stolen payment card information is checked for validity of the card on a merchant’s site through a brute force attack technique.

How do crooks test cards?

Those payment cards that may get expired or get blocked for abuse or inactivity, are verified by attackers before use in their attacks.

Crooks automate the authentication process of thousands of cards through bots. This attack technique includes targeting smaller websites that typically lack anti-bot defenses.

Bot behavior from the research

PerimeterX research team has uncovered two new carding bots that are being tested by cybercriminals by exercising a low-value purchase on retailer's websites.

  • One of the new carding bots, dubbed ‘canary’, was seen exploiting top e-commerce platforms, potentially used by thousands of other business websites.
  • The bot emulated human behavior by creating a shopping cart and adding products to it along with the shipping information.
  • The second carding bot, dubbed ‘shortcut’, would gain an upper hand by directly jumping to the payment page while avoiding the e-commerce website's shopping catalogue entirely.
  • E-commerce websites often take the help of external services to manage payment processes. The third party-services check payment cards through an API endpoint and return an answer. Attackers abuse these payment processing services used by the website.

Characteristics of the attack

Attackers generally share similar techniques to commit a particular type of fraud, as they also tend to use similar tools. When it comes to carding bots, the malicious activity is relatively easy to spot.

  • A payment attempt with an empty cart is a likely sign of malicious activity. Websites would also witness an increased number of payment authorizations, a higher rate of chargebacks, or a lower than usual average value of the basket.
  • Additionally, if you find a common user agent, IP address, session, or device fingerprint behind those attempts, chances are, a carding bot is at work.

Workaround solution

An easy way to thwart such attacks is to deny redirection to the payment page if the cart value is null. This may not work against all carding bots but simpler ones would be taken care of. Further, e-commerce website owners should pay more attention to advanced automated threats as the cybercriminals will return equipped with new TTPs.

Cyware Publisher