“While investigating these increasing attacks against checkout pages during the months leading into the holiday season, the PerimeterX research team uncovered two new carding bots.” reads the analysis published by PerimeterX. “One of the new carding bots, dubbed the canary bot, exploits top e-commerce platforms, which could have a significant impact on thousands of websites if they are not blocked soon. The second carding bot, dubbed the shortcut bot, exploits the card payment vendor APIs used by a website or mobile app and bypasses the e-commerce website entirely.”
Researchers from PerimeterX spotted two such carding bots targeting e-commerce stores ahead of the holiday shopping season.
The following graph shows the checkout page traffic across PerimeterX customers in September 2019.
Experts pointed out that real shoppers differ from bad actors because they make fewer purchases before the holiday season. By contrast, the experts at PerimeterX observed a spike in malicious traffic before the holiday season; in some cases it has
The first bot, called ‘Canary’, was observed in at least two attacks aimed at a particular e-commerce platform used by thousands of businesses.
“Canary carding bots explore
Researchers detected the first Canary bot attack after noticing a Safari browser version from 2011 that changed IP addresses on a daily basis, with addresses originating from cloud and
The bot was attempting to mimic human behavior; it was
The second attack associated with the Canary bot appears more sophisticated: unlike the previous one, it changed both the IP address and the user agent to mimic real users on different mobile devices.
In this second attack, the bot was mimicking a different human
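The two Canary attacks described above were spotted through traffic features rather than payload inspection: one user agent (an outdated Safari build) appearing from a new IP address every day, with those addresses belonging to cloud providers. The following script is an added example, not code from PerimeterX or from the report; it profiles constructed checkout log lines per user agent and flags agents that rotate across many IPs and days, noting how many of those IPs fall in assumed cloud ranges and whether the browser version is a legacy one. The log format, the cloud prefixes (documentation TEST-NET ranges used as stand-ins) and the version threshold are all assumptions for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (not from the PerimeterX report): timestamp, client IP,
# request line and User-Agent. Three lines share one 2011-era Safari UA from three
# different TEST-NET addresses on three consecutive days; two lines are an ordinary
# iPhone shopper on a single address.
SAMPLE_LOG = """\
2019-09-01T10:02:11Z 203.0.113.10 "POST /checkout/payment" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3"
2019-09-02T10:05:42Z 203.0.113.77 "POST /checkout/payment" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3"
2019-09-03T09:58:03Z 198.51.100.5 "POST /checkout/payment" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3"
2019-09-03T11:20:19Z 192.0.2.44 "POST /checkout/payment" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1"
2019-09-03T11:21:00Z 192.0.2.44 "GET /cart" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1"
"""

# Assumed cloud/hosting prefixes. Documentation (TEST-NET) ranges stand in here; a real
# deployment would load the address lists that hosting providers publish.
CLOUD_RANGES = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/24")]

# Assumed threshold: Safari 5.x dates from 2011, so anything at or below it is "legacy".
LEGACY_SAFARI_MAX_MAJOR = 5

LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" "([^"]*)"$')


def parse_line(line):
    """Split one constructed log line into (day, ip, request, user_agent); None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, request, ua = m.groups()
    return ts[:10], ip, request, ua


def safari_major_version(ua):
    """Return the Safari 'Version/N' major number, or None for non-Safari agents."""
    m = re.search(r"Version/(\d+)\.", ua)
    return int(m.group(1)) if (m and "Safari/" in ua) else None


def is_cloud_ip(ip):
    """True if the address falls inside one of the assumed cloud prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


def profile_user_agents(log_text):
    """Aggregate distinct IPs, distinct days, cloud IPs and payment POSTs per user agent."""
    profiles = defaultdict(lambda: {"ips": set(), "days": set(), "cloud_ips": set(), "payment_posts": 0})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        day, ip, request, ua = parsed
        p = profiles[ua]
        p["ips"].add(ip)
        p["days"].add(day)
        if is_cloud_ip(ip):
            p["cloud_ips"].add(ip)
        if request.startswith("POST /checkout/payment"):
            p["payment_posts"] += 1
    return profiles


def flag_carding_agents(log_text, min_ips=3, min_days=2):
    """Return user agents seen from at least min_ips addresses across at least min_days days,
    with the evidence a reviewer would want (cloud share, payment attempts, legacy browser)."""
    flagged = []
    for ua, p in profile_user_agents(log_text).items():
        if len(p["ips"]) < min_ips or len(p["days"]) < min_days:
            continue
        major = safari_major_version(ua)
        flagged.append({
            "user_agent": ua,
            "distinct_ips": len(p["ips"]),
            "distinct_days": len(p["days"]),
            "cloud_ip_count": len(p["cloud_ips"]),
            "payment_posts": p["payment_posts"],
            "legacy_browser": major is not None and major <= LEGACY_SAFARI_MAX_MAJOR,
        })
    return flagged


if __name__ == "__main__":
    for hit in flag_carding_agents(SAMPLE_LOG):
        print(hit)
```

On the constructed input the 2011 Safari agent is the only hit: three addresses over three days, all inside the assumed cloud prefixes, three payment POSTs and a legacy browser version, while the iPhone shopper never crosses the IP threshold. Keying on the raw user agent is enough for the first Canary attack; the second attack rotated the user agent too, so a production detector would need to pivot on something the bot cannot freely vary (timing, order of page loads, or session tokens) rather than on this string alone.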
The second carding bot, tracked as ‘Shortcut’, bypasses the e-commerce website entirely to evade detection.
“We have found that in some cases, the attackers are discovering paths with API calls that are unknown to even the website operators.” state the researchers. “In general, our researchers have seen an increasing trend in API endpoint abuse to validate credit cards on the web and on mobile applications.”
This second attack scenario leverages external third-party
The name “shortcut” comes from the fact that attackers access the payment services directly, without passing through the e-commerce website.
Experts observed three attacks involving the Shortcut bot against three websites: an apparel retailer, a sportswear retailer, and a grocery shop.
Experts explained that threat actors will continue to use carding bots to validate stolen card data, even though today they are quite simple to detect.
“To be prepared, e-commerce website owners can take a number of actions. Firstly, since legitimate consumers would probably never attempt payment with an empty cart, website owners can prevent users from getting to the payment page without an item in the cart.” conclude the experts. “This basic practice increases the effort required by bots and stops simple carding attacks. Secondly, with bots improving constantly and mimicking user behavior, e-commerce website owners should pay more attention to advanced automated threats.”
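The first recommendation above, refusing payment when the cart is empty, only raises the bar if the check reads the cart from server-side session state; a flag in the request body saying "the cart has items" is something a carding bot will simply set. The guard below is an added example, not code from PerimeterX or from any e-commerce platform; the `Session` type, the request payload shape and the handler names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    """Assumed server-side session: the cart lives here, keyed by SKU with a quantity."""
    session_id: str
    cart: dict = field(default_factory=dict)


def cart_has_items(session):
    """True only if the server-side cart holds at least one line with a positive quantity."""
    return any(qty > 0 for qty in session.cart.values())


def checkout_allowed(session, payload):
    """Decide whether a payment request may proceed.

    Returns (allowed, reason). The client payload is consulted only for the card fields the
    payment step genuinely needs; any cart-related claim it carries is ignored on purpose.
    """
    if not cart_has_items(session):
        return False, "empty_cart"
    if "card_token" not in payload:
        return False, "missing_card_token"
    return True, "ok"


def handle_payment_request(session, payload):
    """Assumed handler for POST /checkout/payment: gate the request, then hand off to the
    payment step. Returns an HTTP status code and a short message for the caller."""
    allowed, reason = checkout_allowed(session, payload)
    if not allowed:
        # Denied requests are the signal worth logging: a burst of empty-cart payment
        # attempts from one session or address is exactly what a simple carding bot produces.
        return 403, reason
    # Placeholder for the real charge call; the example stops before contacting a processor.
    return 200, "payment_step_reached"


if __name__ == "__main__":
    shopper = Session("s-1", cart={"SKU-123": 1})
    bot = Session("s-2")  # never added anything to the cart
    print(handle_payment_request(shopper, {"card_token": "tok_constructed"}))
    # A bot claiming to have items in the request body is still refused.
    print(handle_payment_request(bot, {"card_token": "tok_constructed", "cart_has_items": True}))
```

The session object here stands in for whatever the platform uses to persist the cart; the point that carries over is that the decision is derived from state the server wrote, so the bot has to drive the real add-to-cart flow (and pay its costs: product lookups, inventory holds, more requests to fingerprint) before it can reach the payment step.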