And so it turns out we inadvertently designed the ultimate credit card testing tool.
A public facing credit card form, which DOES validate a card can be charged, but DOESNT charge it, meaning it's nearly invisible to the victims:
Conversation
Doesn't show up on printed statements, doesn't show up on internet banking, doesn't show up ANYWHERE except for a temporary "pending transaction" list with some more modern providers.
Best of all! It's from a known merchant (us) with well established reputation/history!
1
47
So these motherfuckers start running big batches of thousands of card tests against our signup page. Spam prevention is now spam magnet.
They do it via a distributed botnet masquerading as real users filling out/submitting the form, so there's basically no way of filtering.
1
2
69
Infrastructure team is trying everything but they're getting through all our honeypots, and we're losing our minds.
I'm going through our firewall logs looking at the requests and spot a couple of signatures which are easy to block. Then, all of a sudden there's a new spike
3
1
35
You can really easily pass CAPTCHAs using services such as 2captcha. Although it may not be always rentable, I guess it would have been the case here.
2
1
What about Recaptcha v3 + rate limits on the payment form route?
1
If you lie on your fingerprint + do some IP rotation, I don't feel like reCaptcha v3 will really help
1
IMO It's always a matter of rentability. Although it may not be rentable to pay Luminati for residential proxies when it comes to crawling (it depends the value of the data), I guess when it comes to credit card it becomes wort spending some $ on it.
1
you’re right! Last time I checked market value for a card was between $1 - $20 depending on the country, type of card etc. I guess making the process slow and expensive will lead the attacker the move to an easier target.
1
You, decreasing its rentability might make him move to another website, it's worth a try.