19 November 2019

Cybercrooks using new carding bots to test stolen payment info ahead of holiday season

With the holiday shopping season swiftly approaching, online fraudsters have started to test the validity of stolen payment card details using new carding bots on the checkout pages of e-commerce websites. Security researchers at web app security company PerimeterX have spotted two such carding bots while investigating the surge of attacks against checkout pages. One of the new carding bots, dubbed the Canary bot, exploits top e-commerce platforms, which could have a significant impact on thousands of websites if they are not blocked soon. The second carding bot, dubbed the Shortcut bot, exploits the card payment vendor APIs used by a website or mobile app and bypasses the e-commerce website entirely.

As the researchers pointed out, malicious actors and real shoppers differ in their timing: real shoppers tend to buy less before the holiday season, whereas PerimeterX observed a large spike in malicious traffic ahead of it, in some cases an increase of over 700% since September.

To verify the cards, the attackers usually make a low-cost purchase. Once validated, a card can then be used for big-ticket items, resulting in hefty losses, which are often covered by retailers and payment processors.

“Malicious bots, like the canary carding bot, increase stolen card validation activity with small-value transactions leading up to the holidays. Canary carding bots explore well-known platforms and test their vulnerabilities to carding attacks to exploit a potentially large number of e-commerce website users,” the researchers wrote.

One of the discovered bots, the Canary bot, was spotted in at least two attacks targeting the checkout pages of e-commerce websites built on one of the popular e-commerce platforms. The first attack was discovered when the research team noticed that a Safari browser version from 2011 was changing IP addresses on a daily basis. These IP addresses originated from cloud and colocation services, which raised suspicions since real users rarely shop from cloud services.

The bot attempted to mimic human behavior: it created a shopping cart, added products to it, and supplied shipping information.

The second attack associated with the Canary bot appears to be more sophisticated: unlike the previous attempt, it changed IP addresses and user agents (browsers and devices) every few requests in order to imitate human traffic. In this second attack the crooks simply added the product to the cart, skipping the product page, and went straight to checkout.

Unlike the Canary bot, the Shortcut bot takes a more direct approach, skipping both adding products to the cart and the billing process in an attempt to avoid detection.

“E-commerce websites often use external services to handle the payment process. Some payment services prefer direct access through an API endpoint that verifies the credit card and returns an answer. This direct API call is attractive to the shortcut carding attackers who can validate cards without the need to put any product in the shopping cart or completing the billing process,” PerimeterX explained.

The researchers added that e-commerce website owners can take a number of actions to prepare for such attacks: for example, they should prevent visitors from reaching checkout pages without an item in the cart, and they should pay more attention to advanced automated threats.
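The behaviours described above (an ancient browser version rotating through cloud-hosted IP addresses, sessions that add to cart without ever viewing a product page, sessions that churn IP or user agent every few requests, and payment requests from sessions with no item in the cart) are all visible in ordinary web server logs. The script below is an added example, not PerimeterX's code or any vendor's detection logic: it parses a constructed session log, applies those heuristics per session, and reports which ones fired. The log format, the cloud address range, the path names and the "Safari major version below 10 is stale" threshold are all assumptions made for the illustration.

```python
"""
Per-session heuristics for the carding-bot behaviours described in the article.
Everything here (log format, paths, cloud range, version threshold) is constructed
for illustration, not taken from any vendor's product or from the article itself.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed access log: session_id source_ip method path "user-agent"
SAMPLE_LOG = """\
s1 203.0.113.10 GET /product/123 "Mozilla/5.0 (Macintosh) AppleWebKit/605.1 (KHTML, like Gecko) Version/13.0 Safari/605.1"
s1 203.0.113.10 POST /cart/add "Mozilla/5.0 (Macintosh) AppleWebKit/605.1 (KHTML, like Gecko) Version/13.0 Safari/605.1"
s1 203.0.113.10 POST /checkout/payment "Mozilla/5.0 (Macintosh) AppleWebKit/605.1 (KHTML, like Gecko) Version/13.0 Safari/605.1"
s2 198.51.100.7 POST /cart/add "Mozilla/5.0 (Macintosh) AppleWebKit/534.48 (KHTML, like Gecko) Version/5.1 Safari/534.48"
s2 198.51.100.7 POST /checkout/payment "Mozilla/5.0 (Macintosh) AppleWebKit/534.48 (KHTML, like Gecko) Version/5.1 Safari/534.48"
s3 198.51.100.20 POST /cart/add "Mozilla/5.0 (Windows NT 10.0) Chrome/78.0 Safari/537.36"
s3 198.51.100.21 POST /checkout/payment "Mozilla/5.0 (Linux; Android 9) Chrome/78.0 Mobile Safari/537.36"
s4 192.0.2.5 POST /checkout/payment "Mozilla/5.0 (Windows NT 10.0) Chrome/78.0 Safari/537.36"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

# Constructed stand-in for a cloud / colocation provider's address range.
CLOUD_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed threshold: Safari reports its major version in the "Version/N.M" token;
# a major version below 10 is years out of date for a real shopper's browser.
SAFARI_VERSION_RE = re.compile(r"Version/(\d+)\.\d+ Safari")
STALE_SAFARI_MAJOR = 10


def parse_log(text):
    """Group log lines by session id, preserving request order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        sid, ip, method, path, ua = m.groups()
        sessions[sid].append({"ip": ip, "method": method, "path": path, "ua": ua})
    return sessions


def is_cloud_ip(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


def is_stale_safari(ua):
    m = SAFARI_VERSION_RE.search(ua)
    return bool(m) and int(m.group(1)) < STALE_SAFARI_MAJOR


def flag_session(requests):
    """Return the list of heuristics that fired for one session, in the order they fired."""
    flags = []

    def add(flag):
        if flag not in flags:
            flags.append(flag)

    viewed_product = added_to_cart = False
    for r in requests:  # order matters: checkout must come after an add-to-cart
        if r["path"].startswith("/product/"):
            viewed_product = True
        elif r["method"] == "POST" and r["path"] == "/cart/add":
            added_to_cart = True
            if not viewed_product:
                add("add_to_cart_without_product_view")  # second Canary pattern
        elif r["path"].startswith("/checkout") and not added_to_cart:
            add("checkout_without_cart")  # Shortcut pattern / article's mitigation
    if any(is_stale_safari(r["ua"]) for r in requests):
        add("stale_browser")  # 2011-era Safari in the first Canary attack
    if any(is_cloud_ip(r["ip"]) for r in requests):
        add("cloud_source_ip")  # shoppers rarely come from cloud ranges
    if len({r["ip"] for r in requests}) > 1 or len({r["ua"] for r in requests}) > 1:
        add("session_ip_or_ua_churn")  # IP / user-agent rotation inside one session
    return flags


def analyse(text):
    return {sid: flag_session(reqs) for sid, reqs in parse_log(text).items()}


if __name__ == "__main__":
    for sid, flags in analyse(SAMPLE_LOG).items():
        print(sid, "clean" if not flags else ", ".join(flags))
```

The session-state walk is the part worth copying: a rule that only asks "did this session ever add to cart" would miss a bot that posts to the payment endpoint first and touches the cart afterwards, whereas tracking state in request order enforces the exact invariant the researchers recommend (no checkout before an item is in the cart). The stale-browser and cloud-range checks are signals, not verdicts; in practice they feed a score rather than a block.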