Two New Carding Bots Threaten E-Commerce Sites


Two new carding bots that pose a threat to e-commerce platforms have been detected at the start of the busiest shopping period of the year. 





The discovery was made by an eagle-eyed PerimeterX research team, which launched an investigation after the number of cyber-attacks against their own checkout pages surged.





One of the new carding bots, named the canary bot, specifically exploits top e-commerce platforms. The other bot, dubbed the shortcut bot, bypasses the e-commerce website entirely and instead exploits the card payment vendor APIs used by a website or mobile app.





Carding is a brute force attack on a retailer’s website using stolen credit cards or gift cards. Threat actors use carding to mass-verify millions of stolen credit cards and generate a list of valid credit cards.





The validated credit cards are then typically sold on the black market for around $45 each and exchanged for untraceable gift cards that enable the cyber-criminal to mask their identity. 





To verify the cards, the attackers usually make a low-cost purchase. Once validated, a card can then be used for big-ticket items, resulting in hefty losses, which are often covered by retailers and payment processors. 
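
The mass-verification pattern described above leaves a recognizable trace in payment logs: one client trying many different cards on low-cost purchases, most of them declined. The following is an added example, not code from the article or from PerimeterX; the record layout, the `find_carding_suspects` helper, the sample data and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample records (not from the article): one tuple per payment attempt.
# (client id such as an IP or device fingerprint, tokenized card id, amount in USD, approved?)
ATTEMPTS = [
    ("client-a", "tok-01", 1.00, False),
    ("client-a", "tok-02", 1.00, False),
    ("client-a", "tok-03", 1.00, True),
    ("client-a", "tok-04", 1.00, False),
    ("client-a", "tok-05", 1.00, False),
    ("client-a", "tok-06", 1.00, True),
    ("client-b", "tok-20", 3.50, False),    # shopper retrying a single card
    ("client-b", "tok-20", 3.50, True),
    ("client-c", "tok-30", 2.00, True),     # many cards, but none declined
    ("client-c", "tok-31", 2.00, True),
    ("client-c", "tok-32", 2.00, True),
    ("client-c", "tok-33", 2.00, True),
    ("client-c", "tok-34", 2.00, True),
    ("client-d", "tok-40", 120.00, False),  # large order, outside the low-cost filter
]


def find_carding_suspects(attempts, min_cards=5, max_amount=5.00, min_decline_ratio=0.5):
    """Return sorted client ids whose low-value attempts span many distinct
    cards and are mostly declined. Thresholds are illustrative assumptions."""
    cards = defaultdict(set)     # client -> distinct card tokens seen
    total = defaultdict(int)     # client -> low-value attempts
    declined = defaultdict(int)  # client -> low-value attempts that were declined
    for client, card, amount, approved in attempts:
        if amount > max_amount:
            continue  # only low-cost validation-style purchases are counted
        cards[client].add(card)
        total[client] += 1
        if not approved:
            declined[client] += 1
    suspects = []
    for client, seen in cards.items():
        ratio = declined[client] / total[client]
        if len(seen) >= min_cards and ratio >= min_decline_ratio:
            suspects.append(client)
    return sorted(suspects)


if __name__ == "__main__":
    print(find_carding_suspects(ATTEMPTS))
```

In production the same counters would be kept per time window, and the thresholds tuned against the site's normal decline rate.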





The sophisticated canary bot identified by PerimeterX researchers is eerily good at aping human behavior. 





Describing an attack by the canary bot, researchers wrote: "In this attack, the bots create a shopping cart, add products to the cart, set shipping information, and finally execute the carding attack—all of the steps except for the carding attack exhibit normal user behavior through a ..
