Financial institutions and e-commerce merchants have become targets of massive financial fraud as cyber criminals have used stolen payment card data from major data breaches1, such as the ones involving Wendy’s restaurants in 2015, Home Depot in 2014, and Target in 2013 to make illegal purchases online.
As brick-and-mortar stores move to EMV chip-based cards to secure payments using physical payment cards, criminals are turning to online fraud using Card-Not-Present (CNP)2transactions, which are less secure. The shopping cart checkout pages that accept online CNP payments are easily spoofed with stolen payment card data that includes card expiration date, card verification value (CVV), along with the card holder’s name and address to verify the validity of the card.
This blog investigates online payment card fraud on e-commerce and banking websites, and the use of automated web attack techniques such as Carding.3 It also provides insights into the type of web application firewall (WAF) and crowd-sourced threat intelligence necessary to proactively prevent such attacks, before fraud is committed.

$19B Total value of online credit card transactions at risk by 2018, while fraud at point-of-sale (POS) shrinks4

Monetizing stolen cards in carding forums
Let’s examine how the Carding4 kill-chain works. Payment cards stolen from various major breaches are sold in bulk on the online black market carding forums for as low as $5 per card. Cybercriminals use bitcoin to anonymously purchase large packs containing thousands of stolen cards for approximately $10 per card. Criminals employ botnets to validate these cards in bulk by making small transactions of less than $1 on obscure donation websites. Once they identify the subset of payment cards that are still active and not blocked by the issuing bank, they sell those cards back to carding forums at $20 per card to double their profits within minutes of their original purchase.
Cashing out like there is no tomorrow
Cybercriminals purchase such “validated” payment cards for as high as $50 to $100 per card, based on the credit limit available on each card. Next, they Cash-out4 these “validated” cards, by making large purchases on e-commerce websites. Here, the cyber attacker targets the check-out pages on multiple e-commerce websites using “validated” cards to make multiple large purchases worth thousands of dollars.

Cashing out can happen within hours or days after the initial data breach, before the card issuer gets notified by the merchant to block stolen cards!

WAF and threat intelligence to the rescue
 Cybercriminals who target payment and check-out pages for carding and cashing-out, by-pass perimeter controls that are based on black-listed IP addresses, by using botnets to do the heavy lifting or anonymous proxies to obfuscate the origin of the attack. The type of web application protection strategy required to proactively combat payment card attacks should include the following crowd-sourced threat intelligence feeds:

  1. Reputation intelligence: Malicious IP addresses which include known sources with a bad reputation, anonymous proxies, and TOR exit nodes.
  2. Bot intelligence: Proactive ways to detect unknown bots using client fingerprinting and CAPTCHA challenges to differentiate bots from humans.
  3. Crowd-sourcing: Capability to collect the latest attack data seen by anyone in the user community and sharing it with the rest of the community to prevent attacks from new sources.

Web application firewalls should provide the following advanced capabilities to proactively detect such attacks:

  1. Application Profiling: Dynamically detect application interfaces such as payment and check-out pages exposed by the web application and validate input parameters for those pages.
  2. Correlated Attack Validation: Configurable security policies that correlate multiple attack conditions and checks attack parameters against recent threats provided by crowd-sourced threat intelligence.
  3. Velocity Checks: Detect brute-force attacks launch by botnets, which enable cybercriminals to validate thousands of credit cards in bulk and quickly cash-out.

Preventing automated attacks with Imperva WAF
Imperva ThreatRadar intelligence services for the industry leading Imperva SecureSphere Web Application Firewall (WAF) proactively protect e-commerce and banking websites against payment card fraud through Carding and Cashing-out.
To learn how Imperva SecureSphere WAF enables you to mitigate the OWASP Top-20 automated attacks, see this whitepaper.
Download the infographic on Combatting Payment Carding Attacks with WAF and Threat Intelligence.
The Open Web Application Security Project published the OWASP Automated Threat Handbook5 in July 2015, which captures the top-20 ways automated attacks can the launched on websites to exploit business logic flaws in web applications. This blog, Combating Carding and Cashing-out, is the first of a three-part series covering, Combatting Credential Stuffing and Combatting Website Fingerprinting.
References:

  1. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  2. https://www.2checkout.com/ecommerce-glossary/card-not-present
  3. https://en.wikipedia.org/wiki/Carding_(fraud)
  4. Credit card fraud and id theft statistics
  5. OWASP Automated Threat Handbook for Web Applications v 1.0