
PerimeterX Discovers New Silent Validation Carding Bot

Carding bots, automated software that validates stolen credit and debit card numbers, are a persistent threat to e-commerce businesses. Every dollar in fraud costs merchants $3.36 due to chargebacks, processing fees and replacement of lost merchandise — not to mention the negative brand association that customers have when they must cancel a stolen card that was used fraudulently on your site.
According to the 2022 Automated Fraud Benchmark Report, carding attacks have increased 111.6% YoY and are expected to cost businesses $130 billion by 2023. The PerimeterX research team discovered a new type of carding bot, dubbed the silent validation carding bot because of its method of validating cards without making a fraudulent purchase that might tip off cardholders or the e-commerce site owner.
What Happened
The silent validation carding bot targeted a top women’s clothing brand with a strong market presence in the U.S. and Canada. The attack was seen repeatedly in the last few weeks, reaching a peak on June 18 from 9:00 am – 9:00 pm UTC (4:00 am – 4:00 pm EST).
Bots carried out this attack on the wallet page, the part of the retailer’s website where users can enter payment information to store it in the account. The bots first logged into an account — either by taking over a legitimate user account or creating a fake one — and then navigated to the page.
Once the bad bots landed on the wallet page, they entered different credit, debit and gift card details into the stored payment settings. If the card was valid, the payment method was stored. If the card was not valid, users would receive an error message. This allowed attackers to test and validate cards on the site, without making a purchase.
In an effort to bypass ...
*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: https://www.perimeterx.com/resources/blog/2022/perimeterx-discovers-new-silent-validation-carding-bot/