Crooks use carding bots to check stolen card data ahead of the holiday season

Pierluigi Paganini November 18, 2019

With the advent of this year’s holiday shopping season are cybercriminals are using carding bots to test stolen payment card data before using them.

Cybercriminals need to test the validity of the stolen card data before carrying out fraudulent transactions or selling them during the holiday shopping season. Cybercriminals are automating this process using carding bots that are able to make small purchases on smaller retailers’ websites.

“While investigating these increasing attacks against checkout pages during the months leading into the holiday season, the PerimeterX research team uncovered two new carding bots.” reads the analysis published by PerimeterX. “One of the new carding bots, dubbed the canary bot, exploits top e-commerce platforms, which could have a significant impact on thousands of websites if they are not blocked soon. The second carding bot, dubbed the shortcut bot, exploits the card payment vendor APIs used by a website or mobile app and bypasses the e-commerce website entirely.”

Researchers from PerimeterX spotted two such carding bots targeting e-stores running carding attacks ahead of the holiday shopping season.

The following graph shows the checkout page traffic across PerimeterX customers in September 2019.

carding bots

Experts pointed out that real shoppers differ from bad actors because they make purchases less before the holiday season. Instead, the experts at PerimeterX observed a spike in malicious traffic before the holiday season, in some cases it has increased to over 700% since September.

The first bots called ‘Canary’ was observed in at least two attacks aimed at a particular e-commerce platform used by thousands of businesses.

“Canary carding bots explore well-known platforms and test their vulnerabilities to carding attacks to exploit a potentially large number of e-commerce website users.” continues the experts.

Researchers were able to detect the first Canary bot attack after noticing a Safari browser version from 2011 changing IP addresses on a daily basis and that originate from cloud and colocation services. 

The bot was attempting to mimic human behavior, it was creating a shopping cart, then it was adding products to it, and also providing shipping information.

The second attack associated with the Canary bot appears more sophisticated, unlike the previous one, it was changing the IP address and the user agent to mimicking real users having different mobile devices.

In this second attack, the bot was mimicking a different human behavior by adding the products directly to the cart, without checking their pages first, then jumping to check out page.

The second carding bot tracked as ‘Shortcut’ attempt to avoid the e-commerce website to evade detection.

“We have found that in some cases, the attackers are discovering paths with API calls that are unknown to even the website operators.” state the researchers. “In general, our researchers have seen an increasing trend in API endpoint abuse to validate credit cards on the web and on mobile applications.”

This second attack scenario leverages sees external third-party services handling payments. Attackers abuse API endpoint used these third-party services to validate credit cards.

The name “shortcut” comes after attackers directly access the payment services without passing through the e-commerce website.

Experts observed three attacks involving the Shortcut bot against three websites selling apparel, sportswear, and a grocery shop.

Experts explained that threat actors will continue to use carding bots to validate stolen card data, even if today is quite simple to detect them.

“To be prepared, e-commerce website owners can take a number of actions. Firstly, since legitimate consumers would probably never attempt payment with an empty cart, website owners can prevent users from getting to the payment page without an item in the cart.” concludes the experts. “This basic practice increases the effort required by bots and stops simple carding attacks. Secondly, with bots improving constantly and mimicking user behavior, e-commerce website owners should pay more attention to advanced automated threats.”

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – carding bots, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment