Cyber Crime

Crooks use carding bots to check stolen card data ahead of the holiday season

With the advent of this year’s holiday shopping season, cybercriminals are using carding bots to test stolen payment card data before using it.

Cybercriminals need to test the validity of stolen card data before carrying out fraudulent transactions or selling the data during the holiday shopping season. They are automating this process with carding bots that make small purchases on smaller retailers’ websites.

“While investigating these increasing attacks against checkout pages during the months leading into the holiday season, the PerimeterX research team uncovered two new carding bots.” reads the analysis published by PerimeterX. “One of the new carding bots, dubbed the canary bot, exploits top e-commerce platforms, which could have a significant impact on thousands of websites if they are not blocked soon. The second carding bot, dubbed the shortcut bot, exploits the card payment vendor APIs used by a website or mobile app and bypasses the e-commerce website entirely.”

Researchers from PerimeterX spotted two such carding bots targeting e-stores ahead of the holiday shopping season.

The following graph shows the checkout page traffic across PerimeterX customers in September 2019.

Experts pointed out that real shoppers and bad actors behave differently in the run-up to the season: legitimate customers buy less in the weeks before the holidays, whereas PerimeterX observed a spike in malicious checkout traffic, which in some cases rose by more than 700% since September.

The first bot, called ‘Canary’, was observed in at least two attacks aimed at a particular e-commerce platform used by thousands of businesses.

“Canary carding bots explore well-known platforms and test their vulnerabilities to carding attacks to exploit a potentially large number of e-commerce website users.” continues the experts.

Researchers detected the first Canary bot attack after noticing a user agent claiming a Safari browser version from 2011 whose IP addresses changed on a daily basis and originated from cloud and colocation providers.

The bot attempted to mimic human behavior: it created a shopping cart, added products to it, and provided shipping information.

The second attack associated with the Canary bot appears more sophisticated: unlike the first, it changed both the IP address and the user agent to mimic real users on different mobile devices.

In this second attack the bot mimicked a different human behavior, adding products directly to the cart without first viewing their product pages and then jumping straight to the checkout page.
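The Canary indicators described above (a stale 2011-era Safari user agent, IPs from cloud and colocation ranges, identity rotation within a session, and checkout reached without any product page view) can be turned into simple session-level heuristics over a web access log. The following is an added example and not PerimeterX’s code: the log format, the sample lines, the session identifiers, the hosting CIDR list and the version threshold are all constructed for illustration.

```python
"""Session-level heuristics for spotting carding-bot traffic in an access log.

Added example, not PerimeterX's code.  The log format, the sample lines,
the hosting-provider CIDR list and the thresholds are constructed for
illustration; a real deployment would load provider ranges from a feed
and tune the rules against its own traffic.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed format: ip - - [time] "METHOD path HTTP/x" status bytes "user-agent" session-id
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ua>[^"]*)" (?P<session>\S+)$'
)

# Hypothetical cloud/colocation range (TEST-NET-2 stands in for a real provider block).
HOSTING_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Safari 5.x shipped in 2010-2011; a Safari UA with "Version/5." in 2019 traffic is the
# kind of stale browser fingerprint PerimeterX used to spot the first Canary bot.
SAFARI_VERSION_RE = re.compile(r"Version/(\d+)\.")
OBSOLETE_SAFARI_MAX_MAJOR = 5

# Constructed sample traffic: one human session (sess-h1) and two bot-like sessions.
SAMPLE_LOG = """\
203.0.113.10 - - [14/Nov/2019:10:00:01 +0000] "GET /product/shoe-42 HTTP/1.1" 200 5120 "Mozilla/5.0 (iPhone; CPU iPhone OS 13_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0 Mobile/15E148 Safari/604.1" sess-h1
203.0.113.10 - - [14/Nov/2019:10:00:20 +0000] "POST /cart/add HTTP/1.1" 200 310 "Mozilla/5.0 (iPhone; CPU iPhone OS 13_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0 Mobile/15E148 Safari/604.1" sess-h1
203.0.113.10 - - [14/Nov/2019:10:01:05 +0000] "GET /checkout HTTP/1.1" 200 7100 "Mozilla/5.0 (iPhone; CPU iPhone OS 13_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0 Mobile/15E148 Safari/604.1" sess-h1
198.51.100.7 - - [14/Nov/2019:10:02:00 +0000] "GET /product/shoe-42 HTTP/1.1" 200 5120 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.51.22 (KHTML, like Gecko) Version/5.1.1 Safari/534.51.22" sess-b1
198.51.100.7 - - [14/Nov/2019:10:02:01 +0000] "POST /cart/add HTTP/1.1" 200 310 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.51.22 (KHTML, like Gecko) Version/5.1.1 Safari/534.51.22" sess-b1
198.51.100.7 - - [14/Nov/2019:10:02:02 +0000] "POST /checkout/shipping HTTP/1.1" 200 410 "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.51.22 (KHTML, like Gecko) Version/5.1.1 Safari/534.51.22" sess-b1
198.51.100.20 - - [14/Nov/2019:10:03:00 +0000] "POST /cart/add HTTP/1.1" 200 310 "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.96 Mobile Safari/537.36" sess-b2
198.51.100.21 - - [14/Nov/2019:10:03:01 +0000] "GET /checkout HTTP/1.1" 200 7100 "Mozilla/5.0 (iPhone; CPU iPhone OS 13_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0 Mobile/15E148 Safari/604.1" sess-b2
"""


def parse_log(text):
    """Group parsed requests by session id, keeping arrival order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # lines that do not fit the constructed format are skipped
            sessions[m["session"]].append(m.groupdict())
    return sessions


def is_obsolete_safari(ua):
    """True for a Safari UA whose Version/ major is at or below the 2011-era cutoff."""
    m = SAFARI_VERSION_RE.search(ua)
    return "Safari" in ua and m is not None and int(m.group(1)) <= OBSOLETE_SAFARI_MAX_MAJOR


def in_hosting_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_RANGES)


def reached_checkout_without_browsing(requests):
    """True if the session hit a /checkout path before viewing any product page."""
    browsed = False
    for r in requests:
        if r["method"] == "GET" and r["path"].startswith("/product/"):
            browsed = True
        if r["path"].startswith("/checkout") and not browsed:
            return True
    return False


def flag_session(requests):
    """Return the list of heuristics a session triggers (empty list means clean)."""
    reasons = []
    if any(is_obsolete_safari(r["ua"]) for r in requests):
        reasons.append("obsolete_safari")
    if any(in_hosting_range(r["ip"]) for r in requests):
        reasons.append("hosting_ip")
    if reached_checkout_without_browsing(requests):
        reasons.append("checkout_without_browsing")
    # Several IPs or user agents inside one cart session: the rotation seen in the
    # second Canary attack, which a single real device would not produce.
    if len({r["ip"] for r in requests}) > 1 or len({r["ua"] for r in requests}) > 1:
        reasons.append("rotating_identity")
    return reasons


def scan(text):
    return {sid: flag_session(reqs) for sid, reqs in parse_log(text).items()}


if __name__ == "__main__":
    for sid, reasons in scan(SAMPLE_LOG).items():
        print(sid, reasons or "clean")
```

Each heuristic on its own is weak (a real customer may shop from a VPN hosted in a cloud range), so a deployment would score sessions on the combination rather than block on any single flag; the point of the example is that the behaviors PerimeterX described are visible in ordinary access logs without a dedicated bot-management product.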

The second carding bot, tracked as ‘Shortcut’, bypasses the e-commerce website entirely to evade detection.

“We have found that in some cases, the attackers are discovering paths with API calls that are unknown to even the website operators.” state the researchers. “In general, our researchers have seen an increasing trend in API endpoint abuse to validate credit cards on the web and on mobile applications.”

This second attack scenario involves external third-party services that handle payments. Attackers abuse the API endpoints exposed by these third-party payment services to validate credit cards.

The name “shortcut” comes from the fact that attackers access the payment services directly, without passing through the e-commerce website.

Experts observed three attacks involving the Shortcut bot, against three websites: an apparel retailer, a sportswear retailer, and a grocery shop.

Experts explained that threat actors will continue to use carding bots to validate stolen card data, even though today’s bots are fairly simple to detect.

“To be prepared, e-commerce website owners can take a number of actions. Firstly, since legitimate consumers would probably never attempt payment with an empty cart, website owners can prevent users from getting to the payment page without an item in the cart.” concludes the experts. “This basic practice increases the effort required by bots and stops simple carding attacks. Secondly, with bots improving constantly and mimicking user behavior, e-commerce website owners should pay more attention to advanced automated threats.”
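The first piece of advice quoted above, refusing the payment page to a session with an empty cart, is a server-side check rather than a front-end one, since a bot talks to the endpoints directly. The following added example (not PerimeterX’s code nor any shop platform’s) shows that gate in a framework-neutral form; the `Session` class, the `/checkout` and `/payment` paths and the response tuples are constructed for illustration. It goes one step beyond the quote by also requiring that the session actually passed through the checkout page before the payment step, which blocks the “jump straight to checkout” shortcut the Canary bot used.

```python
"""Server-side checkout gate: no payment step without a non-empty cart.

Added example, not PerimeterX's or any e-commerce platform's code.  The
session object, paths and return values are constructed; a real site would
put the same checks in its framework's request middleware so that they run
for direct API calls as well as browser navigation.
"""
from dataclasses import dataclass, field


@dataclass
class Session:
    cart: dict = field(default_factory=dict)  # sku -> quantity
    seen_checkout: bool = False  # set only when /checkout was actually served


def add_to_cart(session, sku, qty):
    """Add qty units of sku to the session cart; rejects non-positive quantities."""
    if qty <= 0:
        raise ValueError("quantity must be positive")
    session.cart[sku] = session.cart.get(sku, 0) + qty


def handle(session, path):
    """Toy request handler returning (status, body) for the checkout flow."""
    if path == "/checkout":
        if not session.cart:
            return 302, "/cart"  # empty cart: send the visitor back to the cart page
        session.seen_checkout = True
        return 200, "checkout"
    if path == "/payment":
        if not session.cart:
            # The basic check recommended by PerimeterX: nothing to pay for, no payment page.
            return 403, "empty cart"
        if not session.seen_checkout:
            # Extra flow-order check added in this example: the payment step must follow
            # the checkout page, so a bot cannot post card data without the earlier steps.
            return 403, "checkout step skipped"
        return 200, "payment form"
    return 404, "not found"


if __name__ == "__main__":
    s = Session()
    print(handle(s, "/payment"))       # empty cart is refused
    add_to_cart(s, "shoe-42", 1)
    print(handle(s, "/payment"))       # checkout page not yet visited
    print(handle(s, "/checkout"))
    print(handle(s, "/payment"))       # allowed
```

The cart and the `seen_checkout` flag must live in server-side session state, not in a cookie or hidden form field the client controls; otherwise a bot simply sets them itself.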


Pierluigi Paganini

(SecurityAffairs – carding bots, hacking)


Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
