Financial institutions and e-commerce merchants have become targets of massive financial fraud as cyber criminals have used stolen payment card data from major data breaches, such as the ones involving Wendy’s restaurants in 2015, Home Depot in 2014, and Target in 2013 to make illegal purchases online.
As brick-and-mortar stores move to EMV chip-based cards to secure payments using physical payment cards, criminals are turning to online fraud using, the less-secure, Card-Not-Present (CNP) transactions. The shopping cart checkout pages that accept online CNP payments are easily spoofed with stolen payment card data that includes card expiration date, card verification value (CVV), along with the card holder’s name and address to verify the validity of the card.
Criminals are also using automated web attack techniques such as Carding (the trafficking of credit card, bank account and other personal information online) to carry out online payment card fraud on e-commerce and banking websites.
The Carding kill-chain works when payment cards stolen from various major breaches are sold in bulk on the online black market carding forums for as low as $5 per card. Cybercriminals use bitcoin to anonymously purchase large packs containing thousands of stolen cards for approximately $10 per card. Criminals employ botnets to validate these cards in bulk by making small transactions of less than $1 on obscure donation websites. Once they identify the subset of payment cards that are still active and not blocked by the issuing bank, they sell those cards back to carding forums at $20 per card to double their profits within minutes of their original purchase.
Cybercriminals purchase such “validated” payment cards for as high as $50 to $100 per card, based on the credit limit available on each card. Next, they Cash-out these “validated” cards, by making large purchases on e-commerce websites. Here, the attacker targets the check-out pages on multiple e-commerce websites using “validated” cards to make multiple large purchases worth thousands of dollars. Cashing out can happen within hours or days after the initial data breach, before the card issuer gets notified by the merchant to block stolen cards.
Cybercriminals who target payment and check-out pages for carding and cashing-out, by-pass perimeter controls that are based on black-listed IP addresses, by using botnets to do the heavy lifting or anonymous proxies to obfuscate the origin of the attack. The type of web application protection strategy required to proactively combat payment card attacks should include the following crowd-sourced threat intelligence feeds:
Reputation intelligence: Malicious IP addresses which include known sources with a bad reputation, anonymous proxies, and TOR exit nodes.
Bot intelligence: Proactive ways to detect unknown bots using client fingerprinting and CAPTCHA challenges to differentiate bots from humans.
Crowdsourcing: Capability to collect the latest attack data seen by anyone in the user community and sharing it with the rest of the community to prevent attacks from new sources.
Web application firewalls should provide the following advanced capabilities to proactively detect such attacks:
Application profiling: Dynamically detect application interfaces such as payment and check-out pages exposed by the web application and validate input parameters for those pages.
Correlated attack validation: Configurable security policies that correlate multiple attack conditions and checks attack parameters against recent threats provided by crowd-sourced threat intelligence.
Velocity Checks: Detect brute-force attacks launched by botnets, which enable cybercriminals to validate thousands of credit cards in bulk and quickly cash-out.