How To Stop Carding Fraud Attacks For WooCommerce

Credit card fraud is still on the rise, and bad actors are shifting their strategy to automated bot attacks that target WooCommerce stores. If you have not experienced a carding attack, we will give you a brief overview of what happens and the impact on your business and bottom line. It is a common fraud problem many shops will face, and having a plan before an attack will significantly reduce the costs of responding. Each payment attempt may bring a fee if you have a credit card processor that charges by these terms, which can quickly add up to thousands of dollars. Even worse, you can face a closure of your account if too much abuse happens. On forums, you can find many stories of merchants being closed or temporarily suspended from services such as Stripe due to a carding attack. Refunding the carded payments is one option, but it is highly manual, so we will look at best practices to prevent the attack.

Keep the Credit Card Scammers Out

First, the fraudsters can do large-scale crawling online, looking for WordPress-hosted websites using WooCommerce. Next, they will look for specific versions of WooCommerce that may have less protection or plugins you are using to plan their attack. They typically like to target stores that have digital delivery or high-value items that are available for resale. However, even more recently, we are seeing sites being surveyed by small-time fraudsters who then outsource the carding operation to more experienced botters. The fraudsters will then customize a bot to complete a checkout flow by auto-filling essential requirements and modifying details to get around any typical rate-limiting protection. These bots can create new orders using random IPs, addresses, names, emails, stolen credit card numbers, and more. Once the carding attacks start, your site will see a sudden surge in traffic as the fraudsters will try to complete as many orders as possible before you detect it. Recovering from a carding attack takes more resources than blocking it. To help you protect your store, we have a few suggestions that will significantly increase your defenses and deter any attacks.

The first line of defense usually starts at the security level of your website, which can be a firewall or bot protection service. These providers, like Cloudflare, have a few tools that will automatically stop specific bots from attacking your checkout process. Many settings should be enabled for optimal protection. Typically, the Pro subscription is needed for minimal prevention as the free level will not help much in carding attacks unless you update firewall rules to target it. Wordfence is another option, but we typically recommend it at earlier traffic points like CloudFlare or Datadome. If you add Wordfence we recommend their Premium and above packages to block more bots. Carding attacks can appear similar to DDoS attacks, and similar mitigations can be put in place with Cloudflare.

1. Enable bot management to prevent apparent bots. However, ensure your webhooks and other payment notifications are not blocked by Optimizing for Wordpress. If you have the Business plan, you can whitelist specific URL paths to get around this issue; otherwise, allowing by IPs is possible.

2. Next, create rate limiting rules within Cloudflare and find help using a rate limiter rule within WooCommerce. Adding rate limiting on Cloudflare is more critical, but the number of rules available will restrict you, so targeting the checkout URLs is essential. For cheaper rate limiting and more options, Google Cloud Armor can be used in conjunction with Cloudflare.

3. Another tip is to challenge any bad countries or internet providers you observe that are attacking your checkout process. Tor (T1) can be a starter for doing a managed challenge request. The attack may have a complex pattern, so it is crucial to craft a unique rule to mitigate it if there is an ongoing attack.

4. Other options for protection include adding a page rule under attack mode for the checkout endpoint. It is essential to look at Cloudflare analytics to determine the nature of the attack and then deploy certain Cloudflare protections as a first line of defense. Sometimes, the attack will be basic, and the same user agent or IP is used.

Another simple protection is adding reCAPTCHA protection using a plugin called WooCommerce Anti-Fraud. This will help protect against velocity attacks from bots that are carding and that have already got past the Cloudflare or firewall defense. There is even the ability to block carding attempts if the attack is from high-risk domains or countries with high fraud rates. Cloudflare Turnstile is another option for protection against velocity attacks and performs similarly to captchas but has more granular controls around how you want to challenge a user.

Now, there are two layers of defense, and it should stop the majority of bot attacks, but some specialized scripts may get through. There are captcha solvers as well as rotating proxy providers that can bypass Cloudflare protection. This is where additional plugins such as WooComerce Anti-Fraud excel at detecting and blocking carding attacks. Using the Anti-Fraud plugin, various settings can completely stop a bot.

1. Enabling the email verification setting will require the user to click a link in their email. Most bots are incapable of checking their email address and clicking the link to verify themselves.

2. Limit small payment amounts and put them in review. Many of the carding attacks are used to verify a credit card number, and they are only looking to do it for a small order amount.

3. Integrate with MaxMind for AI fraud detection. MaxMind has an extensive network of merchants using their tool, and many times, botters will use the same IP and device profiles across multiple eCommerce stores. By enabling the MaxMind check, you will have another layer to detect bots when they receive high-risk scores.

4. Blacklist specific order attributes. Sometimes, bots will not modify a particular aspect of their checkout and make it easy to block a basic bot. They may use the same phone, email, or name and attempt thousands of orders, but if you have that field on a denylist, it won’t be fulfilled.

5. Lastly, enable the Trust Swiftly settings with Anti-Fraud to add an extra layer of verifications. Carding bots cannot complete a verification on Trust Swiftly as most of them are standardized to autofill forms and do not complete extra verification steps. By having Trust Swiftly as a verification step before payment, the bots have no chance of abusing your checkout process. Trust Swiftly has over 15+ methods of verification that only humans can complete, and they add much-needed security, such as ID and selfie checks. Making the process expensive for bots will thwart their attack when they can not obtain the information for verification. We have seen Trust Swiftly preform the best among all these options as it provides the most complexity for a bot to complete. However, the combination of multiple tools will filter out earlier attacks.

6. Updates for 2024: Fraudsters are off to a quick start against sites. They use services to scan the web via Google and security tools to find targets. They then use webkit converters to tamper with payment attempts to your card processor. With each attack we are noticing the trends are more difficult to prevent right away. But a few more plugins are useful to stop them. First being Email verifications prior to ordering: WooCommerce Email Verification Plugin. Many times fraudsters are using random emails with no access to click them. They do this to get around any fraud detection tools you have in place. To require a verification prior to paying is another point to block the bots. Also blocking VOIP and free numbers is another method that helps. A custom setup with Twilio can check for VOIP numbers and block them from verifications https://www.twilio.com/code-exchange/lookup Using Trust Swiftly we automatically do this for you, however you may want to allow VOIP numbers but point them through more stringent verifications. Next, blocking disposable and temporary emails is another way to slow down the bots. (Block Temp Emails Wordpress)

Setting some WordPress changes can also reduce the number of bots but bring added friction, which could reduce orders. The first is to turn off guest checkout, which adds another step that a bot operator or fraudster would need to code for and causes complexity in the signup process. If you then add a spam check plugin such as Cleantalk, it will block bots that other WordPress stores already identify. Lastly, limiting low orders for low-value products can slow down some bots but is risky if you expect many orders.

The final defense of your payments can be at the processor level, such as Stripe, by enabling Radar rules. A 3D secure check for bot attacks will decrease the attempts and block many fraudulent charges. It is the same with AVS checks, but by the time you do these types of reviews, it is too late. Another typical pattern may be the identical BIN, which Stripe allows for custom rules to block. When you have limitations on the processor to block repeat payments, it can eventually stop the attack, but usually, the damage is already done. This is why it is more important to be proactive about carding attacks and be on top of any attacks. We also recommend setting up alerts to notify you about spikes in orders using a solution such as Advanced Notifications.

To conclude, there are varying levels of security that should be in place to prevent and respond to carding attacks on your WooCommerce store. The attacks can happen randomly and even be coordinated during spike holiday shopping to avoid their detection. Typically, fraudsters like to test out their stolen cards before the shopping season so they have a large arsenal ready for more significant purchases. It is critical to be aware of the types of fraud attacks and how to prevent them to maintain a healthy processor account and prevent increased chargebacks and decline rates. As seen, stopping the attacks before payment will be the best practice to save the most money for your eCommerce store.