Carding bots, automated software that validates stolen credit and debit card numbers, are a persistent threat to e-commerce businesses. Every dollar in fraud costs merchants $3.36 due to chargebacks, processing fees and replacement of lost merchandise — not to mention the negative brand association that customers have when they must cancel a stolen card that was used fraudulently on your site.
According to the 2022 Automated Fraud Benchmark Report, carding attacks have increased 111.6% YoY and are expected to cost businesses $130 billion by 2023. The HUMAN Satori Threat Intelligence and Research team discovered a new type of carding bot, dubbed the silent validation carding bot because of its method of validating cards without making a fraudulent purchase that might tip off cardholders or the e-commerce site owner.
What Happened
The silent validation carding bot targeted a top women’s clothing brand with a strong market presence in the U.S. and Canada. The attack was seen repeatedly in the last few weeks, reaching a peak on June 18 from 9:00 am - 9:00 pm UTC (4:00 am - 4:00 pm EST).
Bots carried out this attack on the wallet page, the part of the retailer’s website where users can enter payment information to store it in the account. The bots first logged into an account — either by taking over a legitimate user account or creating a fake one — and then navigated to the page.
Once the bad bots landed on the wallet page, they entered different credit, debit and gift card details into the stored payment settings. If the card was valid, the payment method was stored. If the card was not valid, users would receive an error message. This allowed attackers to test and validate cards on the site, without making a purchase.
In an effort to bypass detection mechanisms, the attackers used the puppeteer headless browser and created a distributed attack originating from up to 50 different fingerprints, IP addresses and user agents. The below graph demonstrates this, showing the high variability of IP addresses and user agents sending malicious requests to the targeted areas of the site.
Fortunately for this e-commerce brand, HUMAN Bot Defender stopped the attack before any fraudulent transactions occurred. If the attack had been successful, the validated cards could have been used to make fraudulent purchases on this site and countless others. Carding attacks lead to financial losses from chargebacks and processing fees, increased calls to customer support teams and unexpected costs to replace lost merchandise. And even if a transaction is blocked, canceled or refunded on one site, the stolen payment data can still be used elsewhere unless the card company intervenes and cancels the card.
Why It Matters
Most carding attacks follow a similar pattern: cybercriminals program bots to attempt small purchases with stolen credit, debit and gift card data. If the transaction goes through, the fraudster knows that the card is valid. Valid cards can be used to make larger purchases of goods or gift cards, or resold on the dark web for a higher profit.
The only issue for cybercriminals is that cardholders may be tipped off that their card was stolen, either via real-time usage alerts or on their monthly credit card statement. If a cardholder sees an unrecognizable purchase, they may realize what happened and cancel the card before more damage is done. This renders the card unusable by the cybercriminal.
The silent validation bot gets around this by validating cards without actually making a purchase. Cybercriminals realized that the wallet page on this e-commerce website checked the validity when they attempted to store a payment method. This allowed them to launch larger carding attacks or commit fraud without tipping off card-owners until after the attack was complete, allowing a greater level of theft to occur.
Future Implications
The silent validation bot demonstrates that focusing only on transaction fraud isn’t enough to avoid today’s increasingly sophisticated carding attacks. In the example, the e-commerce site conflated having a valid payment method with making a valid transaction. In an effort to weed out fraudulent transactions with fake cards, they put their focus on making sure stored payment methods were valid at the expense of evaluating whether users were legitimate.
Furthermore, inputting a payment method on the wallet page required users to login in — meaning the bad bots either took over a legitimate account or created a fake account to commit the silent validation attack. Once again, the site ignored these early warning signs because they didn’t immediately result in financial fraud, even though the fraudsters were setting up future attacks.
The silent validation attack didn’t follow the usual sequence of events involved in carding fraud. This shows that cybercriminals are becoming increasingly creative in their attack methods. We expect future attacks to show up in unexpected ways as attackers adapt their methods to evade current detections.
How to Stop Silent Validation Carding Attacks
Traditional e-commerce security approaches are no longer enough to prevent automated fraud. Instead, a comprehensive and layered defense model is needed to detect and mitigate fraud at every phase.
Here are 3 steps online brands can take to avoid this type of attack:
-
Establish an early warning system to flag and prevent logins with credentials that have been compromised in attacks across the web. Since many people reuse passwords, this is an important step to proactively stop bots from accessing accounts — and then making purchases from those accounts — on your site.
-
Implement a bot management solution to block real-time credential stuffing, account takeover (ATO) and carding attacks. When bots are blocked at login, they can’t even get to the stage of making fraudulent purchases with a compromised account. And blocking bots at checkout stops fraudulent transactions that might occur when login isn’t required.
-
Continuously evaluate users’ activity post-login to detect and stop fraudulent behavior within the account, such as changing ship-to address, emptying accounts of credits, disabling multi-factor authentication (MFA) or adding multiple new payment methods in a short time span.
This one-two-three punch safeguards users’ account and payment information everywhere throughout their digital journey. Rather than relying solely on payment fraud solutions to catch fraudulent transactions at the point of credit card transaction, comprehensive account protection enables online businesses to get ahead of fraud before it occurs.
