Payment Monitoring Carding Robots Prior to Major Shopping Events

Carding Bots

As the main events of the holiday season end, cyber criminals often plan for pillage by validating their stolen card data with low-value shopping on store websites.

Two new carding bots are found using top e-commerce platforms and card payment provider APIs for websites or mobile applications.

Preparation for a spree shopping

Stolen payment card information is available in pads with the flood of data violations. Cyber criminals know that they can’t rely on the cards forever and that in a short time many will become invalid.

Criminals must check the authenticity of cards before carrying out or selling larger fraudulent transactions. This is automated by bots targeting smaller websites that typically lack anti-bot protection.

PerimeterX Web app security company researchers found two such carding attacks in advance of the vacation shopping season. Data from September shows that while legitimate traffic is declining, malicious traffic jets often soared to more than 700 million in anticipation of events such as Black Friday and Cyber Monday.


Carding bots increasing checkout page traffic

Ability to mimic human behaviors

One of the bots found by the company is’ Canary.’ At least 2 attacks based on a single e-commerce site used by thousands of companies have been identified, the scientists say.

“Malicious bots, like the canary carding bot, increase stolen card validation activity with small-value transactions leading up to the holidays. Canary carding bots explore well-known platforms and test their vulnerabilities to carding attacks to exploit a potentially large number of e-commerce website users.”

Researchers were able to detect a Canary bot attack based on inconsistencies in software, relative to what is normally seen with legitimate users.

The attack was informed by a version of a Safari browser from 2011 that changed IP addresses on a daily basis and spawned cloud and colocation services. Even strange, “was not setting the language of request and content type.” The bot, however, mimicked human behaviour, creating a shopping cart, adding products and including delivery information.

A second bot attack also relied on cloud services. Changing the IP address and the user agent to impersonate actual users with mobile devices took place more quickly.

Products were added to the cart directly, without first checking their pages and then jumping to checkout, a pattern that is incompatible with the human behaviour.


Canary carding bot attacks on sportswear website

Take a shortcut

PerimeterX’s second carding bot is called “Shortcut,” as it tries to avoid the website completely, thereby avoiding detection and mitigation options.

“We have found that in some cases, the attackers are discovering paths with API calls that are unknown to even the website operators. In general, our researchers have seen an increasing trend in API endpoint abuse to validate credit cards on the web and on mobile applications.”

What occurs when payments are done by external services. The third party system tracks the card via an API endpoint and returns a response. This workaround helps hackers to accomplish their objective without communicating with the web.

The method was used for three websites selling clothing, sportswear and food. In all cases the authenticity of the stolen cards was verified by a single path.


Shortcut carding bot activity on apparel website

Spotting activity of carding bot

Many attackers may use the same tools as they are popular for card data validity checks. Such approaches are unlikely to be discarded anytime soon.

While attempts to mimic human behaviour, it is not too difficult to recognize today’s behavior of carding bots. Transaction attempts with a empty cart is a sign of deceptive behavior, such as an increased number of transaction permits, a higher remittance rate or a lower average basket price than normal.

If these signs are accompanied by a common user agent, IP address, session or fingerprint machine, it is likely that a carding bot works.

PerimeterX recommends that you deny access to the payment page if your cart is empty. Although not all carding bots are stopped, it protects against the simpler ones. However, stronger defenses should be implemented.


Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards & w-se. Previously, he worked as a security news reporter.