Carding Bots Now Pose a Threat to E-Commerce Platforms

In a discovery made by the PerimeterX research team, two new "carding" bots that represent a threat to e-commerce platforms have been detected towards the beginning of the busiest shopping time of the year.

Carding is a 'brute force attack' on a retailer's site utilizing stolen credit cards or gift vouchers. Threat actors utilize carding to mass-confirm a large number of stolen credit cards and produce a list of authentic credit cards.

The validated credit cards are then commonly sold on the black market for around $45 each and traded for untraceable gift vouchers that empower the cyber-criminals to veil their identity.

One of the new carding bots, named the canary bot, explicitly abuses top e-commerce platforms. The other bot, called the shortcut bot, sidesteps the e-commerce website altogether and rather abuses the card payment vendor APIs utilized by a site or mobile application.

Portraying an attack by the canary bot, researchers stated: "In this attack, the bots create a shopping cart, add products to the cart, set shipping information, and finally execute the carding attack—all of the steps except for the carding attack exhibit normal user behavior through a website."

The worldly canary bot recognized by PerimeterX researchers is frightfully great at aping human behavior. Researchers said that they had seen an 'increasing trend' in API endpoint abuse to approve credit cards on the web and on mobile applications.

They additionally saw an expansion in these new kinds of attacks over numerous unrelated customers demonstrating the speedy advancement of these attack tools.

All things considered, PerimeterX has advised e-commerce website proprietors to keep customers from getting to the payment page without items in their cart to stop fundamental carding attacks.