Online fraudsters are using carding bots on the checkout pages of e-commerce websites to test the validity of stolen payment card details prior to exploiting stolen card details during the Black Friday shopping fest.
Security researchers at web app security company PerimeterX have uncovered two carding bots being used by cyber criminals to test the validity of stolen payment card information ahead of the holiday season. Stolen cards that are found valid will be used on the occassion to make large-scale purchases on e-commerce websites.
While the canary bot is exploiting top e-commerce platforms that run thousands of shopping websites, the shortcut bot is exploiting card payment vendor APIs, thereby bypassing e-commerce websites completely.
An analysis of checkout page traffic by PerimeterX revealed that while there is a 15% drop in traffic on part of regular customers who are saving up to benefit from Black Friday deals and offers, there has been a 700% rise in malicious traffic, indicating that cyber criminals are carrying out carding attacks on a large scale ahead of the holiday season.
Carding bots exploiting bugs in e-commerce platforms & lack of API controls in payment services
“Malicious bots, like the canary carding bot, increase stolen card validation activity with small-value transactions leading up to the holidays. Canary carding bots explore well-known platforms and test their vulnerabilities to carding attacks to exploit a potentially large number of e-commerce website users,” wrote Kenji Yamamoto, senior cyber security research analyst at PerimeterX, in a blog post.
This type of carding attack involves fraudsters creating a shopping cart, adding products to the cart, setting shipping information, and finally executing the carding attack using IPs originating from cloud and colocation services.
In order to obfuscate their signature, the fraudsters change their IP and user agent at a high rate and use a relatively primitive botnet which is sophisticated in terms of distribution, IP addresses, browsers and devices in order to impersonate human traffic.
“In the months leading into the holiday season, our research team has been seeing an increase in carding attacks on customers of this top e-commerce platform. We see the same attack patterns across multiple sites using various e-commerce platforms. The attack variations did not change much after the first two main revisions.
“However, we are certain the attackers will persist and target sites that don’t have adequate bot protection against carding attacks. The canary carding bot is taking advantage of the knowledge gained in recent attacks and possibly targeting thousands of sites built on popular e-commerce platforms,” Yamamoto added.
He also spoke about Shortcut carding bots that exploit the card payment vendor APIs used by a website or mobile app and bypass the target e-commerce website completely. This way, these bots are able to shorten their user flow and time on the target website or mobile app, thereby avoiding detection and mitigation.
He said that the use of a payment vendor’s API to validate a payment card is hard for website owners to mitigate as the payment vendor’s API integration with e-commerce sites will have transaction volume limits as well as low chargeback thresholds.
The increase in the number of e-commerce websites using third-party payment services as well as an increase in the number of payment processors that lack good API controls are contributing to the increase in shortcut carding bot attacks.
E-commerce website owners must guard against advanced automated threats
Yamamoto added that in order to prepare against the extensive use of carding both by online fraudsters, e-commerce website owners should prevent visitors from getting into checkout pages without an item in the cart, and should also pay more attention to advanced automated threats.
Commenting on the increasing use of carding bots by online fraudsters, Robert Ramsden-Board, VP EMEA at Securonix, said that considering the holiday season is fast approaching, it comes as no surprise that we are seeing new and increasing bot activity on retailer websites as cybercriminals prep themselves to make their illicit gains.
“Using bots to validate stolen card details before running fraudulent transactions is a common tactic and retailers that lack anti-bot defences are at an increased risk. Retailers should implement controls to recognise suspicious bot activity and pay close attention to anomalous behaviours to be able to act fast and safeguard their customers,” he added.