Two New Carding Bots Threaten E-Commerce Sites

Written by

Two new carding bots that pose a threat to e-commerce platforms have been detected at the start of the busiest shopping period of the year. 

The discovery was made by an eagle-eyed PerimeterX research team, which launched an investigation after the number of cyber-attacks against their own checkout pages surged.

One of the new carding bots, named the canary bot, specifically exploits top e-commerce platforms. The other bot, dubbed the shortcut bot, bypasses the e-commerce website entirely and instead exploits the card payment vendor APIs used by a website or mobile app.

Carding is a brute force attack on a retailer’s website using stolen credit cards or gift cards. Threat actors use carding to mass-verify millions of stolen credit cards and generate a list of valid credit cards.

The validated credit cards are then typically sold on the black market for around $45 each and exchanged for untraceable gift cards that enable the cyber-criminal to mask their identity. 

To verify the cards, the attackers usually make a low-cost purchase. Once validated, a card can then be used for big-ticket items, resulting in hefty losses, which are often covered by retailers and payment processors. 

The sophisticated canary bot identified by PerimeterX researchers is eerily good at aping human behavior. 

Describing an attack by the canary bot, researchers wrote: "In this attack, the bots create a shopping cart, add products to the cart, set shipping information, and finally execute the carding attack—all of the steps except for the carding attack exhibit normal user behavior through a website."

As can be expected from its name, the shortcut bot takes a more direct approach, skipping out on adding products to the cart and completing the billing process in an attempt to avoid detection. 

"The shortcut carding bots exploit the card payment vendor APIs used by a website or mobile app and bypass the target e-commerce website completely," wrote researchers. "We have found that in some cases, the attackers are discovering paths with API calls that are unknown to even the website operators."

Researchers said that they had seen an increasing trend in API endpoint abuse to validate credit cards on the web and on mobile applications. They also witnessed an increase in these new types of attacks across multiple unrelated customers, indicating the quick evolution of these attack tools.

"This dynamic is similar to competing startups that may be running their services on the same cloud vendor, and using the same open-source libraries," wrote researchers. 

PerimeterX advised e-commerce website owners to prevent users from getting to the payment page without items in their cart to stop basic carding attacks. 

What’s hot on Infosecurity Magazine?