Radware Ltd.

08/14/2024 | Press release | Distributed by Public on 08/15/2024 04:09

Decoding the Threat of Sophisticated Carding Attacks

The world of online commerce thrives on convenience, yet this convenience bears a significant cost. Behind the seamless transactions and effortless payments lies a serious threat to e-commerce security in the form of online payment fraud by cybercriminals. According to a recent report by Juniper Research, annual online payment fraud losses are expected to exceed $362 billion globally between 2023 and 2028, with losses of $91 billion in 2028 alone compared to $38 billion in 2023, representing an expected increase of 140% within 5 years. Card-not-present (CNP) fraud, where stolen card details are used illegally for remote purchases, is a major contributor to these staggering losses. Carding or card cracking attacks serve as the initial stage in the chain of events that leads to CNP fraud and are a significant threat to the security and financial well-being of e-commerce organizations.

Carding Attacks 101

Carding attacks, also known as card cracking or card testing attacks, involve cybercriminals attempting to make fraudulent online purchases using stolen credit card data. The attackers automate this process by using bots to test a huge number of card details simultaneously on merchant websites.

The modus operandi is quite simple: bad bots attempt numerous automated, small-value 'test' transactions on e-commerce sites using stolen card data. If a transaction succeeds, it confirms that the card is valid and has sufficient balance. The fraudsters then move on to make larger fraudulent purchases using the verified card details, or resell the validated card details on the dark web for profit.

Implications of Carding Attacks

Carding attacks not only inflict financial damage on businesses, but also erode consumer trust, potentially impacting brand reputation and long-term customer loyalty. The implications for online merchants can be devastating:

Revenue Loss and Chargebacks:

Successful carding attacks lead to monetary losses from fraudulent transactions as well as chargebacks levied by credit card companies. These costs can quickly pile up given the scale of automated bot attacks.

Brand Reputation Damage:

Payment fraud incidents can severely tarnish a brand's reputation and credibility, leading to loss of consumer trust and loyalty. Companies are then forced to invest heavily in regaining customer confidence.

Operational Overheads:

Responding to large-scale carding attacks requires significant operational overhead in terms of incident response, investigation, user grievance handling, and making systems more secure.

Regulatory Penalties:

Failure to adequately protect customer data and prevent fraud can result in hefty fines and penalties under regulatory and industry frameworks such as the Payment Card Industry Data Security Standard (PCI DSS) and the General Data Protection Regulation (GDPR).

Anatomy Of a Massive Carding Attempt: Case Study

One prominent global e-commerce customer of Radware recently had a close brush with a large-scale carding attack orchestrated by cybercriminals.

Over the duration of the attack, the payment gateway of the e-commerce giant was subjected to almost 4 million carding attempts over a period of 2 weeks. An average of 250k attempts were recorded per day, with the attack source being distributed among ~88k unique IPs across multiple geographies.

In an attack pattern consistent with that seen in large-scale carding attacks, the botnet used an automated script to repeatedly attempt payment transactions for a low-value product on the e-tailer's platform. To evade traditional detection methods, the botnet used a distributed network of IP addresses and geo-locations to orchestrate the attack. A human user would have been allowed to proceed to the logical next step of verifying card details and processing the payment, but based on certain behavioral indicators, the traffic from these bad bots was flagged as malicious and blocked by the bot management solution.

The bot hits were flagged for malicious intent because their behavioral pattern and signatures differed from those of regular human shoppers. For example, every time a suspected transaction was blocked, the same transaction was attempted from a different IP address within a matter of seconds. To bypass traditional detection methods, transaction attempts were repeated from the same IP address only after a gap of ~10 hours. This pattern recurred consistently in the same three time windows on each day of the attack period, while rapidly rotating through unique IP addresses, an indicator of automated, script-driven behavior.

The attack was launched from more than 320 IP subnets, each consistently recording ~6k hits from the 255 unique IP addresses it contained. The IP addresses were also routed through ISPs hosted in different geographies to avoid raising suspicion.

The attack was distributed through IPs across multiple geographies to bypass the location-based detection and rate limits used by traditional bot mitigation solutions. Peak bad bot activity was observed from IPs based in the United States, which was the origin for ~1.5 million bad bot hits from ~34k unique IPs. Russia and Hong Kong were the other major sources of bad bot traffic observed from this attack.

Potential Losses for Businesses in Carding Attacks

With the growing frequency of such carding attacks and the increasing use of AI to drive them, the potential revenue losses for retail businesses are massive. Chargeback fees per transaction, incurred due to disputes raised by attack victims, typically range from $15 to $50 depending on the payment processor or acquiring bank. But the true cost of chargebacks for retailers, which includes fees, fines, operational costs, and more, is often up to 2.5 times the transaction value.

Beyond these direct costs lie the long-term repercussions of chargebacks in the form of reputational damage and the risk of losing credibility with financial institutions. Frequent chargebacks make it more challenging to acquire or retain customers and can lead to payment processors blocking otherwise legitimate transactions due to suspicious activity, imposing additional fines, or in rare cases even terminating the merchant account.

In the case of this attack on our customer, considering an attempted per-transaction value of $5, the true cost of each chargeback could range up to $12.50 for every successful card transaction in the attack. Assuming even a 1% success rate from the ~4 million carding attempts, the potential revenue loss alone for the customer in this attack would be in the range of $500k.

How the Radware Bot Manager Defends Against Carding Attacks

The Radware Bot Manager employs a proactive multi-layered attack detection and mitigation process to protect customers from the kind of sophisticated, persistent bots seen in such large-scale carding attacks.

In the case of this attack, the Radware Bot Manager solution was able to identify the characteristics of the bot threat very early in the attack cycle by leveraging its AI-powered, behavior-based detection engine. Despite the botnet adopting a distributed, low-and-slow approach to evade detection, the Radware Bot Manager was able to accurately evaluate its behavior, identify the intent and block the threat in real time. Traditional rate limiting policies would not have been triggered in this attack scenario because of the distribution and spacing of requests, making them ineffective against such sophisticated carding attacks.
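As an added illustration (not Radware's code or detection logic), the Python sketch below applies the indicators from the case study to a constructed log: a per-IP rate limiter that the low-and-slow rotation never trips, beside a correlation by transaction that catches the same attempt retried from a different IP within seconds of a block, plus a per-subnet tally that surfaces volume the per-IP view hides. The log format, the thresholds and the /24 subnet size are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log (not real traffic): timestamp, source IP, transaction fingerprint,
# outcome. The fingerprint stands in for whatever ties retries together (e.g. card token + cart).
SAMPLE_LOG = [
    ("2024-06-01T02:00:00", "203.0.113.10", "txn-A", "blocked"),
    ("2024-06-01T02:00:04", "203.0.113.11", "txn-A", "blocked"),  # retried from a new IP, 4 s later
    ("2024-06-01T02:00:09", "198.51.100.7", "txn-A", "blocked"),
    ("2024-06-01T09:30:00", "192.0.2.55", "txn-D", "allowed"),    # ordinary shopper
    ("2024-06-01T12:00:00", "203.0.113.10", "txn-C", "blocked"),  # same IP reused ~10 h later
    ("2024-06-01T12:00:03", "203.0.113.13", "txn-C", "blocked"),
    ("2024-06-01T12:00:06", "203.0.113.14", "txn-C", "blocked"),
]

def parse(log):
    return [(datetime.fromisoformat(ts), ipaddress.ip_address(ip), txn, out) for ts, ip, txn, out in log]

def per_ip_rate_limit_hits(events, max_per_window=3, window=timedelta(minutes=10)):
    """Classic per-IP limiter: each rotating IP fires once then rests ~10 h, so nothing trips."""
    by_ip = defaultdict(list)
    for ts, ip, _, _ in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t - start <= window) > max_per_window:
                flagged.add(str(ip))
    return flagged

def rotation_retries(events, max_gap=timedelta(seconds=30)):
    """Correlate by transaction: flag a blocked attempt retried from a different IP within max_gap."""
    last_block = {}  # txn -> (timestamp, ip) of the latest blocked attempt
    flagged = defaultdict(set)  # txn -> IPs involved in the rotation
    for ts, ip, txn, outcome in sorted(events, key=lambda e: e[0]):
        prev = last_block.get(txn)
        if prev and prev[1] != ip and ts - prev[0] <= max_gap:
            flagged[txn].update({str(prev[1]), str(ip)})
        if outcome == "blocked":
            last_block[txn] = (ts, ip)
    return dict(flagged)

def hits_per_subnet(events, prefix=24):
    """Aggregate per subnet (/24 assumed): per-IP volume is tiny, the subnet total is not."""
    counts = defaultdict(int)
    for _, ip, _, _ in events:
        counts[str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))] += 1
    return dict(counts)
```

On the sample log the per-IP limiter flags nothing, while the transaction correlation flags both rotated transactions and the subnet tally shows one /24 carrying most of the attempts.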

Here's how the Radware Bot Manager can help organizations mitigate such attacks:

  1. AI-Powered Advanced Behavioral Detection: The Radware Bot Manager employs proprietary AI-powered algorithms and Intent-based Deep Behavioral Analysis (IDBA) to accurately identify the intent of highly sophisticated bot traffic that mimics advanced human-like interactions. The Rotator bot detection module uses these algorithms to identify and mitigate sophisticated bots that attack by rotating their IP addresses, as seen in this attack.
  2. Ability to Handle Bot Traffic in Multiple Ways: By allowing custom actions based on bot signatures such as using a 'feed fake data' method to feed fake pricing and product information to malicious bots from competitors, or by diverting bad bot traffic into a Redirect Loop, the Radware Bot Manager provides the flexibility to opt for a wide array of mitigation responses to a bot attack.
  3. CAPTCHA-less Mitigation: For a seamless and CAPTCHA-free user experience, the Radware Bot Manager uses a Blockchain-based Cryptographic challenge mitigation method that detects anomalies from baseline behavior and requires bad bots to keep solving CPU-intensive browser-based challenges with gradually increasing difficulty until the attack is stopped.
  4. Mobile Application Protection Capabilities: To protect against bot attacks on native mobile apps, the Radware Bot Manager deploys integrated device authentication and secure user identity capabilities to filter and mitigate bad bot traffic from mobile devices in real time. This ensures that only genuine devices access resources, negating bad bot attacks on mobile applications.
  5. CAPTCHA Farm Detection: The Radware Bot Manager identifies CAPTCHA farm services by using advanced AI-powered algorithms that decode signals in the post-CAPTCHA solving stage. Once a CAPTCHA farm is detected, the source is kept in a continuous CAPTCHA loop that completely negates the malicious activity.
  6. Transparent Reporting and Comprehensive Analytics: The Radware Bot Manager provides granular classification of different types of bots and offers clean analytics with transparent reporting for a clear understanding of web traffic. These insights are particularly useful for identifying user behavior or bot intent during carding or card-cracking attacks.

Combined, these capabilities allow the Radware Bot Manager to effectively detect and mitigate even the most distributed or large-scale automated carding attacks with high accuracy.

Source:

i) Juniper Research, Online Payment Fraud: Market Forecasts, Emerging Threats & Segment Analysis 2023-2028