• Resolved SRD75

    (@srd75)


    Hi,

    Stripe contacted us with a message:

    You reached out because you noticed a large number of errors on the Logs page of your Dashboard. After some investigation, we concluded that this was likely some variation on what is called a card testing attack. Normally, these attacks entail a series of attempted payments against stolen cards, the results of which the attacker uses to determine which of them are still active. The attacker would be able to gain some form of access to either your payment form or your API itself, and be able to automate the process of creating customers and attempting payments.

    In your case, it looks like, instead of attempting payments, they opted to create SetupIntents instead. SetupIntents is a feature by which you can save a card to a Customer object without creating a payment. SetupIntents must authorize a card for future payments before they can be attached; otherwise, it will fail. In this way, they are able to determine which cards are getting declined by their issuer and which ones are still active without making any payments.

    While this hasn’t yet caused you any financial damage, it would be prudent to investigate if there are any security vulnerabilities on your end. You may wish to re-roll your API keys just in case.

    Given that these customers and the subsequent SetupIntents are generated through your WooCommerce application, you may want to check with them to see if there’s anything that they need to check on their side. For now, you’ve elected to contact your developers first before proceeding.

    Can you provide some guidance on what we can do to resolve any intrusion?

    We’re running a Wordfence scan at the moment, but that scan never finishes, so we’re waiting on a response from Wordfence support.

    Help appreciated.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Hi @srd75,

    Thanks for sharing the detailed context from Stripe. It is clear you are taking the right steps by investigating this early and being proactive about security. Activity like card testing can be unsettling, and it makes sense to want clarity on what WooCommerce can and cannot control in this situation.

    From the WooCommerce side, there is no built-in functionality that creates SetupIntents on its own without a checkout or account-related interaction. In most cases, behavior like this is triggered through either a compromised plugin, theme, custom code, or an exposed endpoint that is being abused by an automated script.

    A few important steps are worth focusing on now. Rotating your Stripe API keys, as Stripe suggested, is a good precaution and helps immediately cut off any abused credentials. You can also review your Stripe logs to confirm the source and timing of the requests, which may help correlate them with site access logs from your host.

    On the WooCommerce and WordPress side, ensuring everything is fully up to date is key, including WooCommerce, WordPress core, your active theme, and all plugins. It is also recommended to temporarily disable non-essential plugins and test, as compromised or outdated extensions are a common entry point. If you are using any custom code related to checkout, saved cards, or Stripe hooks, reviewing that carefully would be important as well.

    Wordfence or another security plugin can help, but if scans are not completing, your hosting provider may be in the best position to run a server-level malware scan and review access logs. They can often identify suspicious IPs or scripts that WordPress-level tools cannot see.

    WooCommerce also has a security overview here that may help guide further hardening steps: https://woocommerce.com/document/woocommerce-security-faq/#section-15, https://woocommerce.com/document/how-do-i-prevent-and-respond-to-card-testing-attacks/, and https://developer.woocommerce.com/2024/12/18/card-testing-attacks-and-the-store-api/

    If you uncover anything specific in the logs or see the activity continue after rotating keys and tightening access, feel free to share those details here and we can take a closer look together.

    Plugin Support Ejay F – a11n

    (@ejayfernandes)

    It seems we haven’t heard back from you for a while, so I’ll go ahead and mark this thread as resolved. Feel free to reach out whenever you’re ready to continue.

    We’d really appreciate it if you could take a moment to leave us a review: https://ww.wp.xz.cn/support/plugin/woocommerce/reviews/
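
The first reply suggests correlating Stripe's logs with the site's access logs to identify suspicious IPs. One way to do the access-log side, as an added example that is not from the thread or from WooCommerce: it flags IPs sending bursts of checkout-related POSTs. The path hints, window and threshold are assumptions to adjust per site, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Assumption: request paths that can end in a Stripe call on a WooCommerce
# store (checkout and saved-card flows). Adjust to what your site exposes.
CHECKOUT_HINTS = ("/wp-json/wc/store/v1/checkout", "wc-ajax=checkout",
                  "/my-account/add-payment-method")

def find_bursts(lines, window_s=60, threshold=5):
    """Return {ip: peak} for IPs with >= threshold checkout POSTs inside
    any window_s-second window. Lines must be in chronological order."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peak = defaultdict(int)      # ip -> highest count seen in one window
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip malformed lines and non-POST traffic
        if not any(hint in m["path"] for hint in CHECKOUT_HINTS):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop hits older than the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

# Constructed sample (documentation IP ranges), not real traffic.
_FMT = '{ip} - - [10/Jan/2025:12:{m:02d}:{s:02d} +0000] "{meth} {path} HTTP/1.1" 200 512'
SAMPLE = (
    [_FMT.format(ip="203.0.113.10", m=0, s=i * 5, meth="POST",
                 path="/?wc-ajax=checkout") for i in range(8)]       # 8 in 35 s
    + [_FMT.format(ip="198.51.100.7", m=i, s=0, meth="POST",
                   path="/wp-json/wc/store/v1/checkout") for i in range(6)]  # 1 per minute
    + [_FMT.format(ip="198.51.100.7", m=7, s=0, meth="GET", path="/shop/")]
)

if __name__ == "__main__":
    for ip, n in find_bursts(SAMPLE).items():
        print(f"{ip}: {n} checkout POSTs within 60s")
```

The timestamps of flagged bursts can then be compared with the failed SetupIntent entries in the Stripe Dashboard logs.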
