PerimeterX research team uncovers two new carding bots: Thousands of e-commerce websites using top e-commerce platforms potentially at risk

The holiday season is around the corner, and this year e-commerce businesses are planning for a surge in sales. According to Business Insider, in 2018, holiday e-commerce sales were responsible for $126 billion, a 16.5% increase from the $108.2 billion generated in 2017. This year is shaping up to be big as well with increased consumer spending forecasted. Increases in spending will be accompanied by increases in cyber attacks as bad actors also prepare to profit from the holiday season.

While investigating these increasing attacks against checkout pages during the months leading into the holiday season, the PerimeterX research team uncovered two new carding bots. One of the new carding bots, dubbed the canary bot, exploits top e-commerce platforms, which could have a significant impact on thousands of websites if they are not blocked soon. The second carding bot, dubbed the shortcut bot, exploits the card payment vendor APIs used by a website or mobile app and bypasses the e-commerce website entirely.

Checkout Page Attack Trends for the Holiday Season

The PerimeterX research team investigates carding attacks as part of a wide range of bot attacks across many e-commerce, travel and hospitality, and consumer services via web and mobile applications that accept online payment transactions. This fall, we found some interesting trends in malicious carding attacks leading into the holiday season.

The graph below shows the checkout page traffic across PerimeterX customers for the month of September 2019. Real shoppers, as opposed to bad actors, tend to buy less before the holiday season. They save for the holiday season and wait for Black Friday and Cyber Monday discounts on big ticket items. It’s clear that just before the holiday season starts, there is a 15% drop in legitimate traffic, versus a significant uptick in malicious traffic—an increase of over 700%. This trend confirms that carding attackers are preparing for the holiday season.

Our team also observed that the regular checkout pattern of the human traffic increased during business hours, versus the pattern of the bot traffic, which had no correlation with the time of day.

In analyzing this traffic pattern, we have discovered two new malicious carding bots: canary carding bots and shortcut carding bots. In both types, we see the attackers testing their carding attack methods with increasing sophistication on every iteration.

The Canary Carding Bot

True to its name, the canary carding bot uses an attack method that reduces the risk of new attack discovery by slow rolling changes to a small subset of users to test checkout page defenses. Once the attackers find a successful final version of the bot, they execute a mass deployment to a larger set of e-commerce sites at a later point in time. The canary carding bot can exploit thousands of e-commerce sites since the attackers are specifically targeting the top e-commerce platforms used by thousands of businesses.

Malicious bots, like the canary carding bot, increase stolen card validation activity with small-value transactions leading up to the holidays. Canary carding bots explore well-known platforms and test their vulnerabilities to carding attacks to exploit a potentially large number of e-commerce website users.

Canary Carding Bot Attack #1

Here is one example of a recent canary carding bot attack targeting the checkout pages of e-commerce websites built on one of the leading e-commerce platforms.

The initial attack started as a primitive one and was conducted using an old Safari browser dating back to 2011 that would switch IPs every day and originate from cloud and colocation services. Real users rarely use cloud services for shopping. So these IPs coming from cloud and colocation services typically do not bring real paying customers. Other things the bots did that was atypical was not setting the request language and accepted content type.

The sophistication of this attack comes from their mimicking of user behavior. In this attack, the bots create a shopping cart, add products to the cart, set shipping information, and finally execute the carding attack - all of the steps except for the carding attack exhibit normal user behavior through a website.

Canary Carding Bot Attack #2

The second attack happened closely on the heels of the failed first attempt. This time, it targeted a sporting goods e-commerce website that was using the same e-commerce platform.

This attack also used a relatively primitive bot, but was more sophisticated in terms of distribution, IP addresses and user agents—browsers and devices—— every few requests in an attempt to impersonate human traffic. Other interesting characteristics of the attack was the high enumeration on mobile devices and versions that both dated back more than just a few years. Typically paying customers will have more recent mobile devices with old versions being a rarity.

We see a common theme from the canary carding bot with the usage of cloud and colocation services. Again, these services are not the most reputable ones when it comes to paying customers. While somewhat similar in behavior they differed at this level by changing their IP and user agent at a higher rate in the hopes it would further obfuscate their signature.

This time the attack targeted only two paths, simply adding the product to the cart, skipping the product page and going to checkout. In general, the attackers used as few paths as possible to reduce the resource usage by bot infrastructure. While using fewer paths may seem like a good idea to avoid detection, the ultimate use of checkouts with small purchase amounts does trigger suspicious bot activity thresholds.

In the months leading into the holiday season, our research team has been seeing an increase in carding attacks on customers of this top ecommerce platform. We see the same attack patterns across multiple sites using various e-commerce platforms. The attack variations did not change much after the first two main revisions. However, we are certain the attackers will persist and target sites that don’t have adequate bot protection against carding attacks. The canary carding bot is taking advantage of the knowledge gained in recent attacks and possibly targeting thousands of sites built on popular e-commerce platforms.

The Shortcut Carding Bot

There may be no shortcuts to success, but this shortcut carding bot may have found one! Like every malicious bot, carding bots try to shorten their user flow and time on the target website or mobile app, avoiding detection and mitigation. The shortcut carding bots exploit the card payment vendor APIs used by a website or mobile app and bypass the target e-commerce website completely. Very neat trick indeed!

We have found that in some cases, the attackers are discovering paths with API calls that are unknown to even the website operators. In general, our researchers have seen an increasing trend in API endpoint abuse to validate credit cards on the web and on mobile applications.

E-commerce websites often use external services to handle the payment process. Some payment services prefer direct access through an API endpoint that verifies the credit card and returns an answer. This direct API call is attractive to the shortcut carding attackers who can validate cards without the need to put any product in the shopping cart or completing the billing process.

Shortcut Carding Bot Attack #1

Let’s look at a recent carding attack targeting APIs on a big apparel e-commerce website:

This carding attack was conducted using a diverse list of user agents centered around Internet Explorer including a mix of old and new versions.

The attack originated from multiple different networks utilizing several cloud and hosting providers, and the request did not define any accepted content which is typically anomalous.

What’s interesting about this attack is that it targeted only one path, a very simple one, that used a third party payment service: ***/creditcard/tokenize

By using this path, all the attackers needed to do was send credit card information and the service returned an answer if the card was valid or not.

The existence of this kind of shortcut path, which uses the payment vendor’s API, makes it easy on the carding bots but harder on the website owners. This is because the payment vendor’s API integration with e-commerce sites will have transaction volume limits as well as low chargeback thresholds. On top of the fines and chargebacks resulting from carding, if the fraudulent transactions exceed a threshold of 0.65% of the total transactions, the payment provider may stop working with the e-commerce site owner.

Shortcut Carding Bot Attack #2

Another similar attack happened on a large grocery e-commerce website at about the same time as the previous one.

This one also used a primitive bot, using a residential IP address and a single modern and popular user agent.

This attack however did have some anomalous HTTP headers on its requests giving a sign it was malicious.

Like in the previous case, this attack was targeting a single url: **/api/billing

By having a single path that enabled the bots to get quick and direct verification of the credit card, the website made it easier on the carding bots to quickly validate stolen credit cards using simple methods. Although this shortcut is usually an API endpoint, it could also be a path within the website structure that only bots can find.

Shortcut Carding Bot Attack #3

In the next example, we can see a recent carding attack on another sporting goods e-commerce website.

It also involved primitive methods, but this bot enumerates multiple user agents—mainly old ones—and uses diverse ASN networks, including Chinese telcos, cloud and co-located infrastructure.

The URL that was used was, again, too simple: /OrderShippingBillingView

The two main reasons for the recent increase in such shortcut carding bot attacks are as follows:

1. Increase in the number of e-commerce websites that use third-party payment services, and the increasing availability of payment services, including smaller payment processors that do lack good API controls.
2. Increase in the complexity of e-commerce websites, increasing burden on programmers, resulting in bad practices of unplanned and undocumented paths that become easy targets for malicious automated activity.

Conclusion

As the usage of credit cards for online purchases increases, so do carding attacks and the diversity of methods used by attackers, given the high rewards awaiting successful attackers. We are seeing an increase in these new types of attacks across multiple unrelated customers, indicating the quick evolution of these attack tools. The cybercrime world has evolved much like the software and cloud world has evolved. This is why we see more attacks using identical mechanisms and potentially multiple attackers using similar attack tools and targeting sites using the same platform. This dynamic is similar to competing startups that may be running their services on the same cloud vendor, and using the same open-source libraries.

To be prepared, e-commerce website owners can take a number of actions. Firstly, since legitimate consumers would probably never attempt payment with an empty cart, website owners can prevent users from getting to the payment page without an item in the cart. This basic practice increases the effort required by bots and stops simple carding attacks. Secondly, with bots improving constantly and mimicking user behavior, e-commerce website owners should pay more attention to advanced automated threats.

The PerimeterX research team continuously investigates carding attacks and all automated bot attacks to understand how they work and stay ahead of cybercriminals. The research team can predict the attackers’ next moves and provide the intelligence needed for protecting the leading and most reputable websites, mobile applications and APIs from sophisticated bot attacks.