Sounds like a carding attack is or was in progress. Be sure to check your failed messages related to any suspect invoices. Watch for similar invoices and, if you don't have a security plugin such as WordFence, get at least the free one installed so as to be able to trace and block what IPs you can identify. To be clear, WordFence did not stop the exploit, but it did give me tools to trace the scumbag and block all associated IPs after the fact.

The same thing happened to a client site back in September 2021. At that time, the bad actor was able to spoof an invoice so that it recorded an item qty, but didn't add the price up right. These seemed to be a probe of a WooCommerce defect, but WooCommerce/Automattic didn't think so.
12 credit card transactions ran successfully out of 5200 attempts. Fortunately for my client, this seemed to be a test of an exploit as the scumbag used a low-priced item. We ended up eating a few chargebacks that tricked, but didn't lose any product or take a reputation hit. There was still one dirty deed to be done and that was that Braintree shut down the account AFTER running the stolen credit cards 5200 times and held back the client's funds for about a week.

Since this site has a pretty robust level of security, I was able to flag the behavior and, about a month later, the same IPs started generating a similar attack, but from a different address in a different region. Since I had traced the IP of the original carding attack, I was able to match the new one up to the same scumbag. We did change our gateway (fired Braintree) and there was a WooCommerce update. One or both stuffed the scumbag's ability to pull off the same BS. If you are using WordFence, send them an alert.

Wow! What a story. They were more helpful than WooCommerce in every
Thank you SO MUCH for the comment and helpful tips. I am able to use it to block and track how many continued attacks.

On the 2nd day, when the attack started, I blocked a few IPs and then put the site in maintenance mode because the site isn't a busy online store. So if anyone unfortunately runs into a similar attack, "Maintenance" mode can buy you some time. I absolutely believe this could be a security problem of WooCommerce. By checking the access log, I noticed that the bot accessed the product page directly, then the checkout page. 20–30 orders every minute, even bypassing the reCAPTCHA solution. I guess it somehow triggered the add-to-cart button and then checkout. To my surprise, Wordfence couldn't catch this. The site was attacked by a similar spam before; the attack is documented here. I cleaned up the spam orders but, interestingly, noticed that during this attack the hacker created 2 accounts with the user names "bbbbb.bbbbb" & "bbbbb.bbbbb-8431". These two accounts were left active with latest login date "August 17, 2022". During the maintenance mode, I disabled these 2 accounts.
Along with a few other security hardening measures, the attack stopped today. Fingers crossed, hope one of my solutions worked.

This reply was modified 1 month ago by 2bearstudio.

Both our hosting (WPEngine) and WordFence extended efforts to quash this. I documented the "adventure" in a series of posts on LinkedIn because I knew that what I was seeing could not be the only incident, despite WooCommerce saying they had not seen a similar exploit. The invoices in question were filled out to look real, but a quick search revealed the fake address in Texas. The next attempt had an invoice featuring a fake address in New York. The IP trace showed a similar series of IPs, enough to suggest the same actor. In my opinion, the biggest issue is that the payment gateways basically open for business after thousands of fraudulent attempts to run what I assume were stolen credit cards. At the minimum, the payment gateways earned fees on fraudulent transactions they should have prevented.
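As an added example (not code from the thread, WooCommerce or Wordfence), here is a small Python check over constructed access-log lines for the access-log pattern 2bearstudio describes above: a client that submits checkout repeatedly without ever adding to cart, or at bot rates. The endpoint paths are assumed to be WooCommerce's default `?wc-ajax=checkout` and `?wc-ajax=add_to_cart` / `?add-to-cart=`; the thresholds are assumptions too.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache/Nginx "combined"-style lines (not from the thread): one bot that
# loads a product page and then hammers checkout, plus one normal shopper.
LOG_LINES = [
    '203.0.113.7 - - [17/Aug/2022:10:00:01 +0000] "GET /product/widget/ HTTP/1.1" 200 -',
    '203.0.113.7 - - [17/Aug/2022:10:00:02 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 -',
    '203.0.113.7 - - [17/Aug/2022:10:00:05 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 -',
    '203.0.113.7 - - [17/Aug/2022:10:00:08 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 -',
    '198.51.100.2 - - [17/Aug/2022:10:00:10 +0000] "GET /product/widget/ HTTP/1.1" 200 -',
    '198.51.100.2 - - [17/Aug/2022:10:00:30 +0000] "POST /?wc-ajax=add_to_cart HTTP/1.1" 200 -',
    '198.51.100.2 - - [17/Aug/2022:10:02:00 +0000] "POST /?wc-ajax=checkout HTTP/1.1" 200 -',
]

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line):
    """Return (ip, timestamp, method, path) or None for a line we cannot parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), method, path


def flag_carding_ips(lines, max_checkouts_per_min=5, window=timedelta(minutes=1)):
    """Return {ip: reason} for IPs whose checkout traffic looks automated.
    Two signals from the thread: checkout submissions with no add-to-cart step,
    and a burst of checkout submissions inside a one-minute window."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        per_ip[rec[0]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r[1])
        checkouts = [r[1] for r in recs if r[2] == "POST" and "wc-ajax=checkout" in r[3]]
        added = any("wc-ajax=add_to_cart" in r[3] or "add-to-cart=" in r[3] for r in recs)
        if checkouts and not added:
            flagged[ip] = "checkout without add-to-cart"
            continue
        # Sliding window: count checkouts that start within `window` of each one.
        for i, t in enumerate(checkouts):
            n = sum(1 for u in checkouts[i:] if u - t <= window)
            if n > max_checkouts_per_min:
                flagged[ip] = f"{n} checkouts within {window}"
                break
    return flagged
```

Flagged IPs are candidates for a firewall or Wordfence block; review them against real orders before acting, since a shared NAT address can hide legitimate shoppers.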