Card-tumbling (also called card testing), like its evil relatives automated spam, script kiddies and privacy breaches, is not a problem that gets solved once; it is a fact of life on the internet.
Recently, new strategies from bad actors mean that even if you thought you'd fixed this, you might need to review your defenses.
If you've got a publicly accessible contribution page using an on-site payment processor, there's a good chance that you're a target.
In case you've forgotten what 'card-tumbling' is: a bad actor has acquired a collection of stolen or leaked credit card numbers and is running them through your site to see which ones are still valid (presumably before using the live ones for fraudulent purchases elsewhere). Your contribution page is being used as a free card validator.
Anatomy of recent attacks
Here's what we're seeing. It starts with a single, relatively innocuous request that fails; in both of our examples it was for $1234. About 40 minutes later the deluge begins: every attempt is for $10, there are never more than 2 attempts from the same IP address, and all of the addresses belong to US-based ISPs. In our two observed cases there were more than 100 attempts, mostly failed.
Analysis
Both of these sites were standard CiviCRM contribution pages using the reCAPTCHA configuration that CiviCRM itself provides and recommends. We also have firewall applications in front of them that block based on IP address and activity.
Unfortunately, the reCAPTCHA that CiviCRM provides is version 2, which is known to be bypassable by bots, and it looks like that's what's going on here. Our working theory is that the initial failed request is made by a human who solves the CAPTCHA, and the cookie that carries the 'passed' state is then re-used by a bot farm for the subsequent automated requests. (The v2 response token itself is single-use and is verified server-side against Google, so a straight replay of the token should fail; what a bot farm can re-use is the site's own session state after a human has passed the challenge, or it can simply buy solutions from a CAPTCHA-solving service. Either way, a human in the loop defeats the check.)
Combined with the distributed nature of the requests (at most two per IP, all from US addresses, so nothing a per-IP or geo block would catch), our existing defenses failed.
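Because the traffic never exceeds two attempts per IP, per-IP rate limits and blocklists stay silent; the signature only shows up when you aggregate across IPs. The following is an added example (not code from the original post or from CiviCRM) of a detector that does that over a log of payment attempts. The log format is an assumption for the example (ISO timestamp, client IP, amount, OK/FAIL per line), and the sample log is constructed to match the pattern described above: one failed probe for an odd amount, then a burst of small, mostly failed attempts from many addresses with two attempts each.

```python
"""Heuristic detector for a card-tumbling burst on a contribution page.

Added example, not code from the original post or from CiviCRM. It reads
one line per payment attempt in an assumed format
    <ISO-8601 timestamp> <client IP> <amount> <OK|FAIL>
and looks for a burst of small, mostly failed attempts spread over many
IPs with only a couple of attempts per IP, preceded some time earlier by
a single failed attempt for an odd, larger amount. Per-IP rate limits
never fire on this traffic, so the detector aggregates across IPs.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import List


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    amount: float
    ok: bool


@dataclass(frozen=True)
class Alert:
    start: datetime
    end: datetime
    attempts: int
    failures: int
    distinct_ips: int
    max_per_ip: int


def parse_line(line: str) -> Attempt:
    """Parse one log line; raises ValueError on a malformed line."""
    ts, ip, amount, result = line.split()
    ip_address(ip)  # validates the address, raises ValueError on garbage
    return Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip,
                   float(amount), result == "OK")


def parse_log(text: str) -> List[Attempt]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def detect_bursts(attempts, window=timedelta(minutes=30), max_amount=25.0,
                  min_attempts=10, min_distinct_ips=5, min_fail_ratio=0.5):
    """Slide a time window over the small-amount attempts and report every
    window with many attempts, many distinct IPs and a high failure rate."""
    small = sorted((a for a in attempts if a.amount <= max_amount),
                   key=lambda a: a.ts)
    alerts, i = [], 0
    while i < len(small):
        j = i
        while j + 1 < len(small) and small[j + 1].ts - small[i].ts <= window:
            j += 1
        chunk = small[i:j + 1]
        per_ip = Counter(a.ip for a in chunk)
        failures = sum(1 for a in chunk if not a.ok)
        if (len(chunk) >= min_attempts and len(per_ip) >= min_distinct_ips
                and failures / len(chunk) >= min_fail_ratio):
            alerts.append(Alert(chunk[0].ts, chunk[-1].ts, len(chunk), failures,
                                len(per_ip), max(per_ip.values())))
            i = j + 1  # skip past this burst so it is reported once
        else:
            i += 1
    return alerts


def find_precursor(attempts, alert, lookback=timedelta(hours=2), max_amount=25.0):
    """Failed, larger-than-usual attempts shortly before a burst: the
    probable human-driven probe that preceded the bot traffic."""
    return [a for a in attempts if not a.ok and a.amount > max_amount
            and alert.start - lookback <= a.ts < alert.start]


def constructed_sample() -> str:
    """Constructed log, not a real capture: one $1234 failure, two genuine
    donations, then 24 x $10 attempts from 12 IPs (2 each), 20 of them failed."""
    lines = ["2023-10-30T14:02:11Z 203.0.113.7 1234.00 FAIL",
             "2023-10-30T14:20:40Z 192.0.2.55 50.00 OK"]
    base = datetime(2023, 10, 30, 14, 45)
    for k in range(24):
        ts = base + timedelta(seconds=37 * k)
        ip = f"198.51.100.{k // 2 + 1}"          # two attempts per IP
        result = "OK" if k % 6 == 5 else "FAIL"  # a few of the cards are live
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} {ip} 10.00 {result}")
    lines.append("2023-10-30T16:10:00Z 192.0.2.88 75.00 OK")
    return "\n".join(lines)


if __name__ == "__main__":
    log = parse_log(constructed_sample())
    for alert in detect_bursts(log):
        print(f"card-testing burst {alert.start:%H:%M}-{alert.end:%H:%M}: "
              f"{alert.attempts} attempts, {alert.failures} failed, "
              f"{alert.distinct_ips} IPs, max {alert.max_per_ip}/IP")
        for p in find_precursor(log, alert):
            print(f"  precursor: {p.ts:%H:%M} ${p.amount:.2f} from {p.ip}")
```

The thresholds (window, amount ceiling, minimum attempts and distinct IPs, failure ratio) are starting points; tune them against a week of your own normal traffic so that a genuine end-of-year appeal, which also produces a burst of small donations from many addresses, does not trip it. The failure ratio is what separates the two: real donors mostly succeed.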
To some degree, the bigger problem is that what makes a contribution page effective for fundraising (i.e. ease of use) is also what makes it easier to exploit.
Response
A relatively easy response in this case is to replace the CiviCRM-supplied reCAPTCHA mechanism with Matt Wire's excellent form protection extension, which (among other things) includes support for reCAPTCHA v3. Rather than a checkbox challenge, v3 scores every submission from 0.0 (almost certainly a bot) to 1.0 (almost certainly human) and lets you choose the threshold, which is reputedly more effective against exactly this kind of traffic.
If you do that, here are some notes:
- The extension isn't installable from within your website's extension manager (yet); you need to download it and install it yourself (unless your managed host has made it available).
- When you install it, the link to the built-in CiviCRM reCAPTCHA v2 configuration page disappears and that page no longer functions. So don't just install it and walk away; finish the configuration.
- It does copy your existing v2 keys into its own configuration, so you can go to its configuration page, switch the version to v3 and tick the box to enable it. Note that reCAPTCHA keys are registered per version in Google's reCAPTCHA admin console, so for v3 you need a site key and secret created as v3 keys; your v2 pair won't work.
- It has a collection of other form protection tools that you can also use, YMMV.
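To make "more effective" concrete, here is what a v3 check has to enforce on the server side once the browser has handed over a token. This is an added example, not code from the form protection extension or from CiviCRM; the action name, hostname and threshold are assumptions, and the siteverify responses are constructed to show the cases that matter: a human, a bot, a token replayed after a human solved it (Google answers "timeout-or-duplicate"), and a token minted for a different form.

```python
"""What a reCAPTCHA v3 check has to enforce on the server.

Added example, not code from the form protection extension or from
CiviCRM. The browser's token is POSTed to Google's siteverify endpoint,
which answers with JSON of the shape
    {"success": true, "score": 0.9, "action": "contribute",
     "hostname": "donate.example.org", "challenge_ts": "...",
     "error-codes": [...]}
Passing on "success" alone is not enough: the score threshold, the action
name and the hostname all have to be checked, and a replayed token comes
back with "timeout-or-duplicate". The action name, hostname and threshold
below are assumptions for the example.
"""
import json
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlencode
from urllib.request import urlopen

SITEVERIFY = "https://www.google.com/recaptcha/api/siteverify"


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str
    score: Optional[float] = None


def evaluate_siteverify(body: dict, expected_action: str,
                        expected_hostname: str, min_score: float = 0.5) -> Verdict:
    """Decide whether a siteverify response permits the submission."""
    if not body.get("success"):
        codes = ",".join(body.get("error-codes", [])) or "unknown"
        return Verdict(False, f"siteverify rejected token: {codes}")
    score = body.get("score")
    if score is None:  # a v2 key answers without a score; never silently downgrade
        return Verdict(False, "no score in response (v2 key?)")
    if body.get("action") != expected_action:
        return Verdict(False, f"action mismatch: {body.get('action')!r}", score)
    if body.get("hostname") != expected_hostname:
        return Verdict(False, f"hostname mismatch: {body.get('hostname')!r}", score)
    if score < min_score:
        return Verdict(False, f"score {score} below threshold {min_score}", score)
    return Verdict(True, "ok", score)


def verify_token(secret: str, token: str, remote_ip: str, expected_action: str,
                 expected_hostname: str, min_score: float = 0.5) -> Verdict:
    """Live check: POST the token to siteverify, then apply the policy above.
    Needs network access, so it is not exercised offline."""
    data = urlencode({"secret": secret, "response": token,
                      "remoteip": remote_ip}).encode()
    with urlopen(SITEVERIFY, data=data, timeout=5) as resp:
        return evaluate_siteverify(json.load(resp), expected_action,
                                   expected_hostname, min_score)


# Constructed responses for the example, not real siteverify output.
HUMAN = {"success": True, "score": 0.9, "action": "contribute",
         "hostname": "donate.example.org"}
BOT = {"success": True, "score": 0.1, "action": "contribute",
       "hostname": "donate.example.org"}
REPLAYED = {"success": False, "error-codes": ["timeout-or-duplicate"]}
WRONG_ACTION = {"success": True, "score": 0.9, "action": "login",
                "hostname": "donate.example.org"}

if __name__ == "__main__":
    for name, body in [("human", HUMAN), ("bot", BOT),
                       ("replayed", REPLAYED), ("wrong action", WRONG_ACTION)]:
        v = evaluate_siteverify(body, "contribute", "donate.example.org")
        print(f"{name:12s} allowed={v.allowed} score={v.score} ({v.reason})")
```

The score threshold is a policy knob: start around 0.5, watch how many genuine donors land below it, and remember that a low score is better handled by stepping up (a v2 challenge, or holding the contribution for review) than by a silent failure that tells the card-tester nothing either way.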
Here's more reading (from Karin Gerritsen).
It's a scary time of year, especially for those living in the US, so I for one am grateful for community!
Comments
Thanks Alan & Karin!