• Resolved shmoogie007

    (@shmoogie007)


    Getting a new type of carding attack and it is somehow using this plugin/gateway to bypass all checkout security. Started about 48 hours ago. They are able to bypass CAPTCHA and even email verification to checkout. Which means they are somehow using this plugin to bypass the actual checkout. I have had to switch to our backup gateway/processor to stop the carding attacks. There seems to be no way of preventing them from abusing this.

    Below is a traffic path for one of the bots carding.

    Is there a fix for this? I have decently better rates and general fraud protection with Braintree versus my backup processor.

    Thanks

    Type: Bot

    Activity Detail

    Philadelphia, Pennsylvania, United States visited https://domain.com/checkout/
    11/21/2024 7:16:51 AM (3 minutes ago)
    IP: 2601:4a:c800:620:551:9b94:27f:cd14
    Full Browser ID: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.80 Safari/537.36

    Recent Activity (newest first; every hit is type "Normal request", with the same Full Browser ID and location as above)

    Time: Thu, 21 Nov 24 13:16:54 +0000 (1732195014.944358 in Unixtime) | 3.6629 s since last hit
    URL: https://domain.com/wp-json/wc/store/checkout

    Time: Thu, 21 Nov 24 13:16:51 +0000 (1732195011.281483 in Unixtime) | 1.5249 s since last hit
    URL: https://domain.com/checkout/

    Time: Thu, 21 Nov 24 13:16:49 +0000 (1732195009.756588 in Unixtime) | 2.3886 s since last hit
    URL: https://domain.com/wp-json/wc/store/cart/select-shipping-rate

    Time: Thu, 21 Nov 24 13:16:47 +0000 (1732195007.368002 in Unixtime) | 0.8111 s since last hit
    URL: https://domain.com/wp-json/wc/store/cart/update-customer

    Time: Thu, 21 Nov 24 13:16:46 +0000 (1732195006.556870 in Unixtime) | 0.7742 s since last hit
    URL: https://domain.com/wp-json/wc/store/cart/add-item

    Time: Thu, 21 Nov 24 13:16:45 +0000 (1732195005.782703 in Unixtime) | 2.5645 s since last hit
    URL: https://domain.com/wp-json/wc/store/cart

    Time: Thu, 21 Nov 24 13:16:43 +0000 (1732195003.218205 in Unixtime)
    URL: https://domain.com/wp-json/wc/store/products?stock_status=instock&order=asc&orderby=price&min_price=1&max_price=5000&type=simple&page=1&per_page=100
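A defender-side way to spot the pattern in that trace from ordinary access logs, added here as an example (it is not code from the plugin, from WooCommerce or from the poster): it groups Store API hits per IP and flags a checkout submitted only seconds after the IP's first cart/products call, or repeated checkout submissions from one IP. The log record format, the IPs and the thresholds are constructed assumptions.

```python
from collections import defaultdict

STORE_API = "/wp-json/wc/store/"
CHECKOUT = "/wp-json/wc/store/checkout"

# Constructed records ("unixtime ip path"), not a real Wordfence export;
# the first session copies the timing of the trace in the post above.
SAMPLE_LOG = """\
1732195003.218 2001:db8::1 /wp-json/wc/store/products?stock_status=instock&per_page=100
1732195005.783 2001:db8::1 /wp-json/wc/store/cart
1732195006.557 2001:db8::1 /wp-json/wc/store/cart/add-item
1732195007.368 2001:db8::1 /wp-json/wc/store/cart/update-customer
1732195009.757 2001:db8::1 /wp-json/wc/store/cart/select-shipping-rate
1732195011.281 2001:db8::1 /checkout/
1732195014.944 2001:db8::1 /wp-json/wc/store/checkout
1732195100.000 203.0.113.7 /wp-json/wc/store/cart/add-item
1732195400.000 203.0.113.7 /wp-json/wc/store/checkout
"""

def parse(line):
    """Split one record into (unix time, ip, path without query string)."""
    ts, ip, url = line.split(maxsplit=2)
    return float(ts), ip, url.split("?", 1)[0]

def flag_card_testing(log, max_session=20.0, min_checkouts=3, window=600.0):
    """Return {ip: reason} for IPs whose Store API traffic looks scripted:
    a checkout submitted within max_session s of the IP's first Store API
    hit (faster than a human fills the form), or min_checkouts submissions
    inside window s (one per card tried). Thresholds are assumed; tune them."""
    by_ip = defaultdict(list)
    for line in log.splitlines():
        ts, ip, path = parse(line)
        if path.startswith(STORE_API):  # only the REST endpoints, not page views
            by_ip[ip].append((ts, path))
    flagged = {}
    for ip, hits in by_ip.items():
        hits.sort()
        checkouts = [ts for ts, path in hits if path == CHECKOUT]
        if not checkouts:
            continue
        lead = checkouts[0] - hits[0][0]
        if lead <= max_session:
            flagged[ip] = "checkout %.1fs after first Store API hit" % lead
            continue
        for i, start in enumerate(checkouts):  # sliding window over submissions
            n = sum(1 for t in checkouts[i:] if t - start <= window)
            if n >= min_checkouts:
                flagged[ip] = "%d checkout submissions within %.0fs" % (n, window)
                break
    return flagged
```

Feed it the IP, timestamp and path columns of your web server log; the flagged IPs are candidates for blocking or for rate limiting the checkout endpoint.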

Viewing 9 replies - 1 through 9 (of 9 total)
  • Zee

    (@doublezed2)

    Hello shmoogie007,

    Thank you for contacting WooCommerce support.

    I understand you’re experiencing a carding attack where bots are bypassing CAPTCHA and email verification.

    Since this concerns security, I recommend creating a support ticket via WooCommerce.com.
    This way our Happiness Engineers can look into this issue and guide you accordingly.

    Please share your ticket number here so I can make sure there is a swift follow-up.

    Have a great day!

    Hi @shmoogie007,

    Card testing is on the rise globally, especially during the holiday season. Our team is currently working on some solutions to help reduce the disruption it may cause. And we also recommend reviewing the steps in our doc on how to respond to card testing.

    Thread Starter shmoogie007

    (@shmoogie007)

    Thanks for the help. The problem is strictly with this plugin. I also see other reports of the same thing under the reviews now for this module. Seems there is no verification at the endpoint, which allows malicious traffic to bypass the checkout and still run cards. Basically ignoring any type of checkout security.

    I have had on/off carding issues over the years, and it now looks like they were all due to using this plugin.

    Braintree themselves are no longer recommending this module, I have switched away from it. Somebody should patch it. Turns out many of the carding problems I have had over the years are due to abuse of this plugin… Since I switched plugins, I have not had 1 issue of testing that general site security couldn’t block.

    Zee

    (@doublezed2)

    Hello shmoogie007,

    Thank you for your reply.

    I appreciate you sharing your feedback with us.
    Braintree for WooCommerce has built-in fraud protection and verification tools.
    You can learn more about it here.

    It looks like you have switched to a different plugin for now.
    If you would like to pursue this matter I will be happy to investigate the issue.

    Best regards.

    Hi @shmoogie007,

    Curious what plugin you switched away to? Like you, we have been experiencing the same issue periodically for several years, despite all the measures we’ve tried putting in place. This week we’ve been hit by the most persistent attack yet.

    Found your post here and similar threads in the Reviews area and as such, we are now suspecting that this plugin might be the culprit. Just wondering what you switched to as we are looking into alternatives.

    Thanks!

    Thread Starter shmoogie007

    (@shmoogie007)

    I switched to our backup processor on a different gateway. Problem seems to be this plugin does not verify endpoint, so basically malicious traffic can test cards, without actually going through the checkout, just by urls and scripts. Thus bypassing any kind of checkout security. I do not know if it was ever patched, for it's a bit scary to leave running if nobody is watching.

    I have heard the new Woocommerce payments can connect to Braintree but have not verified.

    If you call or email Braintree, they did have different recommended modules, but I cannot find the list and PayPal is folding the support for Braintree into PayPal itself… so no easy link, sorry.

    I have had almost no CC testing since switching plugins, where before it was a daily issue. I feel silly for not switching plugins sooner.

    Thank you for the information, very helpful and much appreciated!

    Hi @shmoogie007,

    Thank you for the detailed explanation — I understand how urgent this issue is, especially after all the effort you’ve put in to get it resolved.

    As @doublezed2 previously mentioned, this appears to be a security-related issue. While card testing activity was notably higher around December and January due to the festive period, it’s likely calmed down now as we approach mid-year. To ensure this is properly addressed, I recommend opening a support ticket at WooCommerce.com so the appropriate team can investigate further.

    In the meantime, if you’ve found the plugin and the support here helpful aside from the card testing issue, we’d really appreciate your honest feedback in a review: Leave a review

    CC: @djlam @gabriel-reguly


The topic ‘Carding Attack using module to bypass Capcha, checkout email verification’ is closed to new replies.