Carding Bots Now Pose a Threat to E-Commerce Platforms

The PerimeterX research team has detected two new "carding" bots that threaten e-commerce platforms, just as the busiest shopping period of the year begins.

Carding is a brute-force attack on a retailer's site that uses stolen credit cards or gift vouchers. Threat actors use carding to validate large numbers of stolen credit cards in bulk and produce a list of working cards.

The validated credit cards are then commonly sold on the black market for around $45 each and traded for untraceable gift vouchers that let the cybercriminals hide their identity.

One of the new carding bots, named the canary bot, specifically abuses top e-commerce platforms. The other, called the shortcut bot, bypasses the e-commerce website altogether and instead abuses the card payment vendor APIs used by a site or mobile application.

Describing an attack by the canary bot, the researchers stated: "In this attack, the bots create a shopping cart, add products to the cart, set shipping information, and finally execute the carding attack—all of the steps except for the carding attack exhibit normal user behavior through a website."

The sophisticated canary bot identified by PerimeterX researchers is remarkably good at mimicking human behavior. The researchers said they had seen an 'increasing trend' in API endpoint abuse to validate credit cards on the web and in mobile applications.

They also saw an increase in these new kinds of attacks across numerous unrelated customers, which indicates how quickly these attack tools are advancing.

PerimeterX has advised e-commerce website owners to prevent customers from reaching the payment page without items in their cart, which stops basic carding attacks.

Cybercriminals Preferring Audio Skimmers Over Flash Skimmers

Web skimming attacks have increased rapidly alongside advancements in the technology sector, which has also driven heavy activity in the black market for physical card skimming tools.

Web skimming attacks are designed to capture critical financial data and card details such as the cardholder's name and sensitive numbers. Attackers connect their spying tool to a point-of-sale (PoS) system or an ATM to gain access to the data these machines process from credit and debit cards.

The ever-evolving methods of web skimming are one of the reasons it thrives and remains undetected. Professional skimmers have formed closed communities that are organized to coordinate during skimming operations and assist the cashers, decoders, engineers, extractors, and vendors with whatever they need.

Advanced Intelligence, a New York-based fraud prevention company, reported that the usual targets are gas stations, ATMs or PoS terminals. Skimming involves unauthorized access to sensitive financial information, and cybercriminals rely mainly on upgrades and advancements in technology to produce and circulate products that are unassailable and undetectable.

Another variant is the audio skimmer, which has been known to exist since 2010; the technique used in audio skimming is said to have existed since 1992. The devices involved store the data and encrypt it to capture it in MP3 format. The threat posed by audio skimmers multiplies when a camera is attached to capture the PIN, acting as a video skimmer.

Commenting on the matter, Yelisey Boguslavskiy, director of security research at AdvIntel, said, "They use timing-calculating algorithms to 'read' the audio when the card is being scanned by the ATM, which allows them to decode a track in 1-2 seconds and immediately convert it into text format."

"Russian-speaking real carding communities have traditionally been exclusive and tight-lipped regarding their skimming operations. Skimming developers form exclusive trusted underground criminal networks thereby connecting talented engineers, their trusted sellers, and wealthy carder buyers of such tools," he further added.