Eventually, though, other people caught on and created more spam sites - and at the start of 2018 we finally decided to validate credit cards in order to start a free trial.
No charge on signup, and no auto-charge at the end of trial. Just validation.
Spam solved! Until 2020
At the start of this year, the strategy we used to get rid of one type of spammer... attracted a new type. Fuck me.
Now there are people who do a "big hack" of cards stored in plaintext somewhere, then try to sell them on the black market before the breach is up on
But you're a hacker, and you just got 100,000 credit card details from a database somewhere which you now want to sell on. The first question you're going to get to establish market value is... "how many of them work?"
And so it turns out we inadvertently designed the ultimate credit card testing tool.
A public-facing credit card form, which DOES validate a card can be charged, but DOESN'T charge it, meaning it's nearly invisible to the victims:
Doesn't show up on printed statements, doesn't show up on internet banking, doesn't show up ANYWHERE except for a temporary "pending transaction" list with some more modern providers.
Best of all! It's from a known merchant (us) with well established reputation/history!
So these motherfuckers start running big batches of thousands of card tests against our signup page. Spam prevention is now a spam magnet.
They do it via a distributed botnet masquerading as real users filling out/submitting the form, so there's basically no way of filtering.
Infrastructure team is trying everything but they're getting through all our honeypots, and we're losing our minds.
I'm going through our firewall logs looking at the requests and spot a couple of signatures which are easy to block. Then, all of a sudden, there's a new spike
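The batch card testing the thread describes, together with the point raised in the replies that per-IP limits fail against a rotating botnet, as an added example that is not part of the original thread or the author's company's code: a small detector run over constructed validation log lines. The log format (timestamp, client IP, device fingerprint, BIN, last4, result), the field names and the thresholds are all assumptions made for illustration; only BIN and last4 are kept, never a full card number.

```python
"""
Card-testing detector over signup-form card-validation logs.

Added example, not code from the thread's author or their company. The log
format (timestamp ip device_fingerprint bin last4 result) and the thresholds
are assumed for illustration; only BIN + last4 are logged, never the full PAN.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: four real signups spread over an hour, all approved.
LEGIT_LINES = [
    "2020-03-01T10:00:00 203.0.113.10 fpA 411111 1111 approved",
    "2020-03-01T10:15:00 203.0.113.11 fpB 555555 4444 approved",
    "2020-03-01T10:30:00 203.0.113.12 fpC 378282 0005 approved",
    "2020-03-01T10:45:00 203.0.113.13 fpD 601111 1117 approved",
]


def make_burst(n=24, start=datetime(2020, 3, 1, 11, 0, 0)):
    """Constructed botnet burst: n validations five seconds apart, a fresh IP
    per request (rotation), two reused browser fingerprints, a different card
    every time, and a high decline rate typical of a stolen dump."""
    lines = []
    for i in range(n):
        ts = (start + timedelta(seconds=5 * i)).isoformat()
        ip = f"198.51.100.{i + 1}"
        fp = "fpBot1" if i % 2 == 0 else "fpBot2"
        result = "approved" if i % 4 == 0 else "declined"
        lines.append(f"{ts} {ip} {fp} 4532{i:02d} {i:04d} {result}")
    return lines


BOT_LINES = make_burst()


def parse(lines):
    """Parse log lines into event dicts; the card key is BIN+last4 only."""
    events = []
    for line in lines:
        ts, ip, fp, bin_, last4, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip, "fp": fp,
                       "card": bin_ + last4, "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=5), max_attempts=10,
           max_decline_ratio=0.5, max_cards_per_actor=3):
    """Bucket events into fixed windows and flag windows that look like card
    testing. Per-IP counting is kept but is expected to miss a rotating botnet;
    global velocity and the decline ratio are what catch it."""
    if not events:
        return []
    base = events[0]["ts"]
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["ts"] - base) // window].append(e)

    findings = []
    for idx in sorted(buckets):
        evs = buckets[idx]
        attempts = len(evs)
        declines = sum(e["result"] == "declined" for e in evs)
        decline_ratio = declines / attempts
        cards_per_ip = defaultdict(set)
        cards_per_fp = defaultdict(set)
        for e in evs:
            cards_per_ip[e["ip"]].add(e["card"])
            cards_per_fp[e["fp"]].add(e["card"])

        reasons = []
        if attempts > max_attempts:
            reasons.append("velocity")
        if attempts >= 5 and decline_ratio > max_decline_ratio:
            reasons.append("decline_ratio")
        if max(len(s) for s in cards_per_ip.values()) > max_cards_per_actor:
            reasons.append("cards_per_ip")
        if max(len(s) for s in cards_per_fp.values()) > max_cards_per_actor:
            reasons.append("cards_per_fp")
        if reasons:
            findings.append({"window_start": base + idx * window,
                             "attempts": attempts,
                             "decline_ratio": decline_ratio,
                             "reasons": reasons})
    return findings


def run():
    """Run the detector over legitimate traffic plus the botnet burst."""
    return detect(parse(LEGIT_LINES + BOT_LINES))


if __name__ == "__main__":
    for f in run():
        print(f["window_start"], f["attempts"],
              round(f["decline_ratio"], 2), f["reasons"])
```

On the constructed data the legitimate traffic produces no findings, while the burst window is flagged on velocity, decline ratio and cards-per-fingerprint but not on cards-per-IP, which is exactly the gap a per-IP rate limit leaves against a botnet that rotates addresses. The decline-ratio signal is the one that survives fingerprint spoofing too, since a dump of stolen cards stays mostly dead whatever the client pretends to be.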
You can really easily pass CAPTCHAs using services such as 2captcha. Although it may not always be profitable, I guess it would have been the case here.
What about Recaptcha v3 + rate limits on the payment form route?
If you lie on your fingerprint + do some IP rotation, I don't feel like reCaptcha v3 will really help
IMO it's always a matter of profitability. Although it may not be profitable to pay Luminati for residential proxies when it comes to crawling (it depends on the value of the data), I guess when it comes to credit cards it becomes worth spending some $ on it.
You're right! Last time I checked, market value for a card was between $1 - $20 depending on the country, type of card etc. I guess making the process slow and expensive will lead the attacker to move to an easier target.