Botnets and Fraud

Coordinated bot attacks are becoming increasingly common, and fraudsters have come up with all kinds of nefarious ways to use them. For merchants, the most dangerous botnet attacks are those that make use of stolen payment credentials to commit card-not-present fraud. When these transactions make it past the merchant’s anti-fraud tools and protocols, the cardholder will eventually find out and dispute the charges. Each fraudulent charge will then become a chargeback that the merchant will have no choice but to accept.

To stop true fraud chargebacks, you have to think proactively and figure out how to prevent them. Since botnets are capable of causing a huge and sudden spike in a merchant’s chargeback ratio, it’s essential for merchants to know what they look like, how to spot the warning signs that a botnet is targeting you, and what you can do avoid getting victimized by them.

What is a Botnet?

A botnet is a linked network of computers that are running automated scripts or malware programs, commonly known as “bots.” Hackers are capable of joining hundreds of compromised computers together to launch coordinated botnet attacks. By acting in concert, these botnets can inflict far more damage than any single computer running one instance of a malware program.

Botnets are commonly used for distributed denial of service (DDoS) attacks, where the networked computers send a barrage of connection requests to a single target server, overwhelming it and causing it to slow down or crash due to the excessive traffic.

It’s not unheard of for merchants to be the victims of DDoS attacks, but that’s not the kind of cyberattack that leads to chargebacks, at least not directly. The real threat to your revenue and merchant accounts comes when botnets join forces with payment card fraudsters.

How are Botnets Used to Commit eCommerce Fraud?

There are two well-known methods through which botnets can facilitate online fraud against merchants: either by performing credential stuffing attacks for the purpose of taking over user accounts, or by submitting large numbers of transactions to test the viability of stolen payment card credentials.

In a credential stuffing attack, the bots will attempt to log in to your ecommerce site by using multiple username and password combinations.

The fraudsters behind these attacks often feed the bots stolen credential data obtained on the dark web, which gives them a good chance of finding a successful set of credentials if they are able to persist long enough.

With hundreds of networked bots trying to log in every few seconds, there is potential for many customer account takeovers.

Botnets can be even more devastating when they’re used for card testing attacks. On the dark web and other illicit markets, it’s easy to find lots of stolen credit card numbers. The problem for fraudsters is that many of these cards have been reported stolen already and aren’t useable. To find out which cards are viable, the fraudster will attempt to make a small transaction, just to see if it will go through. If it does, the fraudster can probably use that card for a larger purchase.

When happens when a fraudster has a data dump containing thousands of sets of payment card credentials? They can use a botnet to make hundreds of card testing transactions in relatively short order. Each successful transaction, no matter how small, will count against the merchant’s chargeback ratio once it’s disputed—and crossing over the excessive chargeback threshold can be extremely costly for merchants.

How Can Merchants Protect Themselves from Botnet Attacks?

A combination of the right tools and practices can help you identify bot-initiated transactions and shut them down before they can be completed. Basic cybersecurity protocols like firewalls, CAPTCHA, and device printing should be used as these can help thwart unsophisticated botnet attacks.

One of the most effective tools against botnet attacks is velocity checking. Tools that include this function will warn you when too many transactions are coming in too quickly, putting a halt to automatic processing and allowing you to assess the situation. This can be critical in stopping card testing attempts before they result in completed transactions.

If it’s at all feasible for your customer base and order patterns, you may want to set a minimum dollar amount per order.

This can work wonders for deterring card testing attacks, as long as your business model will allow for it. Merchants who accept donations or set-your-own-price payments can be very attractive to card testing fraudsters, so consider setting minimum thresholds there as well.

It’s also important to screen entered payment card data for inconsistencies and fraud signs when they’re being entered for storage in the customer account, not just when a transaction is being processed. Fraudsters who engage in account takeover may load up their hacked accounts with stolen payment credentials for later use.

Conclusion

The strength of botnets is their sheer force of numbers—they can scale the number and frequency of attacks up exponentially, but they can’t outsmart tools that can identify inorganic network traffic patterns or telltale fraud indicators.

Fraud management is essential to any effective chargeback defense strategy, and it’s important to recognize that fraud attacks can come in the form of relentless automated processes. With sufficient knowledge and the right technological solutions, you can protect yourself.

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions or requests for advice to: win@chargebackgurus.com