08/14/2024 | Press release | Distributed by Public on 08/15/2024 04:09
The world of online commerce thrives on convenience, yet that convenience carries a significant cost. Behind the seamless transactions and effortless payments lies a serious threat to e-commerce security: online payment fraud by cybercriminals. According to a recent report by Juniper Research (see Source below), cumulative online payment fraud losses are expected to exceed $362 billion globally between 2023 and 2028, with losses of $91 billion in 2028 alone compared to $38 billion in 2023, an expected increase of 140% within five years. Card-not-present (CNP) fraud, in which stolen card details are used for remote purchases, is a major contributor to these losses. Carding, or card cracking, attacks are the initial stage in the chain of events that leads to CNP fraud, and they are a significant threat to the security and financial well-being of e-commerce organizations.
Carding attacks, also known as card cracking or card testing attacks, involve cybercriminals attempting to make fraudulent online purchases using stolen credit card data. The attackers automate this process by using bots to test a huge number of card details simultaneously on merchant websites.
The modus operandi is quite simple: bad bots make numerous automated small-value 'test' transactions on e-commerce sites using stolen card data. If a transaction is approved, it confirms that the card is still valid and has available funds. The fraudsters then move on to make larger fraudulent purchases with the verified card details, or resell the validated details on the dark web for profit.
Carding attacks not only inflict financial damage on businesses, but also erode consumer trust, potentially impacting brand reputation and long-term customer loyalty. The implications for online merchants can be devastating:
Successful carding attacks lead to monetary losses from fraudulent transactions as well as chargebacks levied by credit card companies. These costs can quickly pile up given the scale of automated bot attacks.
Payment fraud incidents can severely tarnish a brand's reputation and credibility, leading to loss of consumer trust and loyalty. Companies are then forced to invest heavily in regaining customer confidence.
Responding to large-scale carding attacks requires significant operational overhead in terms of incident response, investigation, user grievance handling, and making systems more secure.
Failure to adequately protect customer data and prevent fraud can result in hefty fines and penalties under the Payment Card Industry Data Security Standard (PCI DSS), enforced by the card brands and acquiring banks, and under regulations such as the General Data Protection Regulation (GDPR).
One prominent global e-commerce customer of Radware recently had a close brush with a large-scale carding attack orchestrated by cybercriminals.
Over the duration of the attack, the payment gateway of the e-commerce giant was subjected to almost 4 million carding attempts over a period of 2 weeks. An average of 250k attempts were recorded per day, with the attack source being distributed among ~88k unique IPs across multiple geographies.
In an attack pattern consistent with other large-scale carding attacks, the botnet used an automated script to repeatedly attempt payment transactions for a low-value product on the e-tailer's platform. To evade traditional detection methods, the botnet spread the attack across a distributed pool of IP addresses in multiple geographies. A human user would have been allowed to proceed to the logical next step of verifying card details and processing the payment, but based on certain behavioral indicators, the traffic from these bad bots was flagged as malicious and blocked by the bot management solution.
The bot hits were flagged for malicious intent because their behavioral pattern and signatures differed from those of regular human shoppers. For example, every time a suspected transaction was blocked, the same transaction was attempted again from a different IP address within a matter of seconds. To stay under traditional per-IP detection thresholds, transaction attempts were repeated from the same IP address only after a gap of ~10 hours. This pattern recurred consistently in the same three time windows on each day of the attack period, with rapid rotation through unique IP addresses, an indicator of automated, script-driven behavior.
The bot attack was launched from more than 320 /24 subnet ranges, each consistently recording ~6k hits from the roughly 255 unique IP addresses within it. The IP addresses were also routed through ISPs hosted in different geographies to avoid raising suspicion.
The attack was distributed through IPs across multiple geographies to bypass the location-based detection and rate limits used by traditional bot mitigation solutions. Peak bad bot activity was observed from IPs based in the United States, which was the origin for ~1.5 million bad bot hits from ~34k unique IPs. Russia and Hong Kong were the other major sources of bad bot traffic observed from this attack.
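The indicators described above (the same transaction retried from a new IP within seconds of a decline, each IP used sparingly, and the pool spread across many /24 blocks) are exactly what a per-IP rate limit cannot see. The following Python example is added here to make that concrete; it is not Radware's code and not part of the original article. It runs a naive per-IP rate limit and two cross-IP correlations (by card token and by /24 subnet) over a small constructed checkout log. The log format, the field names and the `tok_*` card tokens are assumptions for the example; a merchant would key on a tokenised or hashed PAN, never on the raw card number.

```python
"""Carding detection over constructed checkout logs (added example, not the
vendor's code). Shows why a per-IP rate limit stays silent on an IP-rotating
bot while correlation by card token and by /24 subnet flags it."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample log: one low-value checkout attempt per line.
# Fields: ISO timestamp, source IP, card token (stand-in for a hashed PAN),
# amount, gateway result. Note tok_a1 and tok_b2 are each retried from three
# different IPs within seconds, and 198.51.100.10 is reused only ~10h later.
SAMPLE_LOG = """\
2024-07-01T02:00:00Z 198.51.100.10 tok_a1 5.00 declined
2024-07-01T02:00:03Z 198.51.100.77 tok_a1 5.00 declined
2024-07-01T02:00:07Z 203.0.113.5 tok_a1 5.00 approved
2024-07-01T02:00:12Z 198.51.100.23 tok_b2 5.00 declined
2024-07-01T02:00:15Z 203.0.113.9 tok_b2 5.00 declined
2024-07-01T02:00:19Z 198.51.100.140 tok_b2 5.00 declined
2024-07-01T02:00:25Z 192.0.2.40 tok_c3 5.00 declined
2024-07-01T09:15:00Z 192.0.2.41 tok_d4 49.99 approved
2024-07-01T12:00:00Z 198.51.100.10 tok_e5 5.00 declined
"""


def parse_log(text):
    """Parse the constructed log into a list of event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        ts, ip, token, amount, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "token": token,
                       "amount": float(amount), "result": result})
    return sorted(events, key=lambda e: e["ts"])


def per_ip_rate_limit(events, max_hits=10, window=timedelta(minutes=1)):
    """Classic sliding-window rate limit keyed on source IP.
    Returns the IPs that exceeded max_hits inside any window. Each bot IP
    fires once or twice and then rests for hours, so nothing trips."""
    history = defaultdict(list)
    offenders = set()
    for e in events:
        recent = [t for t in history[e["ip"]] if e["ts"] - t <= window]
        recent.append(e["ts"])
        history[e["ip"]] = recent
        if len(recent) > max_hits:
            offenders.add(e["ip"])
    return offenders


def card_hopping(events, min_ips=3, window=timedelta(seconds=60)):
    """Correlate by card token instead of by IP: flag tokens attempted from
    at least min_ips distinct source IPs inside one window. A real shopper
    retries from one device; a carding bot rotates IPs after every decline.
    Returns {token: sorted list of IPs} for flagged tokens."""
    by_token = defaultdict(list)
    for e in events:
        by_token[e["token"]].append(e)
    flagged = {}
    for token, evs in by_token.items():
        for i, first in enumerate(evs):
            ips = {x["ip"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(ips) >= min_ips:
                flagged[token] = sorted(ips)
                break
    return flagged


def subnet_spread(events, min_distinct_ips=3):
    """Aggregate hits per /24 block. Many distinct low-volume IPs inside one
    block is the signature of a rotated address pool, invisible to per-IP
    counters. Returns {subnet: (hits, distinct_ips)} for blocks at or above
    the threshold."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set()})
    for e in events:
        net = str(ip_network(f"{e['ip']}/24", strict=False))
        stats[net]["hits"] += 1
        stats[net]["ips"].add(e["ip"])
    return {net: (s["hits"], len(s["ips"]))
            for net, s in stats.items() if len(s["ips"]) >= min_distinct_ips}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-IP rate limit offenders:", per_ip_rate_limit(evs))
    print("card tokens hopping across IPs:", card_hopping(evs))
    print("/24 blocks with a rotated pool:", subnet_spread(evs))
```

On the sample above the per-IP limiter returns an empty set, while the card-token correlation flags `tok_a1` and `tok_b2` and the subnet view singles out 198.51.100.0/24 (five hits from four different addresses). In production the token-keyed check is the one worth acting on first, since it fires on the second or third attempt rather than after a whole subnet has been profiled; the ~10-hour per-IP reuse interval seen in this attack can be added as a further signal by tracking inter-arrival gaps per IP.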
With the growing frequency of such carding attacks and the increasing use of AI to drive them, the potential revenue losses for retail businesses are massive. Chargeback fees per transaction, incurred through disputes raised by the cardholders whose details were abused, typically range from $15 to $50 depending on the payment processor or acquiring bank. But the true cost of a chargeback to the retailer, which includes fees, fines, operational costs and more, is often up to 2.5 times the transaction value.
Beyond these direct costs lie the long-term repercussions of chargebacks: reputational damage and the risk of losing credibility with financial institutions. Frequent chargebacks make it harder to acquire or retain customers and can lead payment processors to block otherwise legitimate transactions as suspicious, impose additional fines, or in rare cases terminate the merchant account.
In the case of this attack on our customer, with an attempted per-transaction value of $5, the true cost of each chargeback could reach $12.50 for every card transaction the bots got through. Assuming even a 1% success rate across the ~4 million carding attempts (about 40,000 approved test transactions), the potential loss for the customer from this attack alone would be in the range of $500k.
The Radware Bot Manager employs a proactive multi-layered attack detection and mitigation process to protect customers from the kind of sophisticated, persistent bots seen in such large-scale carding attacks.
In the case of this attack, the Radware Bot Manager solution was able to identify the characteristics of the bot threat very early on in the attack cycle by leveraging the capabilities of its AI-powered behavioral-based detection engine. Despite the botnet adopting a distributed, low-and-slow attack approach to evade detection, the Radware Bot Manager was able to accurately evaluate its behavior to identify the intent and block the threat in real-time. Traditional rate limiting policies would not have been triggered in this attack scenario because of the distribution and interval of requests, making them ineffective in mitigating such sophisticated carding attacks.
Here's how the Radware Bot Manager can help organizations mitigate such attacks:
Combined, these capabilities allow the Radware Bot Manager to effectively detect and mitigate even the most distributed or large-scale automated carding attacks with high accuracy.
Source:
i) Juniper Research, Online Payment Fraud: Market Forecasts, Emerging Threats & Segment Analysis 2023-2028