CC "test transactions" attack

Arks
Joined: 05/22/2010

For about a week I've been undergoing a horrible "attack" of some kind. Thousands of "test transactions" have been sent to my inn website CC processor, Authorize.net, using names like "Mary Doe" and "Simmons Simmons" and "Walter Walter". They all seem to be using legitimate CC numbers and addresses, but they all get rejected by Authorize for "suspicious activity".

The ONLY CC charges that are processed through Authorize are my inn charges through Reservation Key, so I have no idea if this is coming from my website or...who knows.

I haven't lost a penny, but there are 2 problems:

  1. I have to delete thousands of Auto-Receipt/Merchant Email Receipt emails daily from Authorize. I can't delete them in a batch because I have to scan through the email subjects to make sure I'm not deleting a legitimate email. So it takes about 5 minutes, twice a day.
  2. The CC processor (not Authorize...they just accept or decline the charge then pass it on to the processor) is threatening to deactivate my account due to excessive fraud attempts.

I haven't figured out how to combat this yet. I've signed up for the Authorize expanded fraud detection thing, at another $10/month, and it lets me set a lot of filters so perhaps I can have it decline these attacks before they are forwarded to the card processor. I'll drop the $10/month thing after a couple of months, if the attacks stop by then.

So, just passing this along as something I've never seen before, and I'll update it as it progresses, in case it can help others.

__________________

All saints can do miracles, but few of them can keep hotel. ~ Mark Twain

 

Arks
Joined: 05/22/2010

Just heard from someone on the ResKey forum saying he has started suffering the same sort of attack, with over 4000 test transaction emails coming from Authorize.

I haven't received any for a couple of days now. Don't know if it's because of stricter fraud settings I placed in Authorize, or if they just moved on to harass someone else.

Morticia
Joined: 05/22/2008

Arks wrote:

Just heard from someone on the ResKey forum saying he has started suffering the same sort of attack, with over 4000 test transaction emails coming from Authorize.

I haven't received any for a couple of days now. Don't know if it's because of stricter fraud settings I placed in Authorize, or if they just moved on to harass someone else.

Does anyone else on here use Authorize without the RK connection? It would help to narrow down if the problem is on the Authorize server if people using Think or AvailabilityOnline were getting hit, too.

__________________

Never judge a person's story by the chapter you walked in on.

 

Arks
Joined: 05/22/2010

Morticia wrote:

Does anyone else on here use Authorize without the RK connection? It would help to narrow down if the problem is on the Authorize server if people using Think or AvailabilityOnline were getting hit, too.

So far I've only heard of one other person facing this problem in the whole world, so unlikely that anybody here has faced it, regardless of what systems they use. I haven't seen an attack in a couple of days, but don't know if it's because of the increased fraud checks I implemented through Authorize, or if they just moved on to bother someone else.

JimBoone
Joined: 12/18/2014

Concern for those of us that use the program, makes you wonder if someone has a way to hack into the system 

__________________

Jim & Maxine

 

seashanty
Joined: 06/02/2008

Very Strange!

Probably totally unrelated but ... 

We have been getting donor emails from people wanting to sign up to make donations from their account to ours. These are people we have NO involvement with at all ... and setting up such a monthly transfer means we have to give them our bank information. Tracing the IP addresses from their emails, they are all originating from Mexico. I believe it is an attempt to access our bank account. If you read through the donor request, they'll say they want to make a total donation of $5, spread out over a year. The treasurer wanted to start answering the emails when it was one or two, I told her absolutely not! Now it's multiplying.

Then the infamous wire transfers and 'I'm sending you a big check but need some of the money paid back to me'.

I have shut down access to that donor page for now.

You have to be vigilant all the time!  

Arks
Joined: 05/22/2010

Yes, I thought the same, that the "big boys" would jump on it and track it down and block it. Instead, all I got was a threat to cancel my account!

Yes I changed passwords, though they were already very secure, but I'd think if they had passwords and full access to the account, they'd do something more than a bunch of authorizations that produce no money and a lot of annoyance.

Arks
Joined: 05/22/2010

Morticia wrote:

Are you actually getting reservations?

No, nothing is going through the reservation system. ResKey doesn't see any activity at all. Nobody else at ResKey has ever heard of anything like this before. It's like the submissions to the card processor are coming from somewhere else, not ResKey.

JimBoone wrote:

Seems like Authorize sends a test transaction before the transaction with a charge, seems I get some rejected due to fraud protection settings, but the test transaction is still sent, if that's the issue with your processor.

Yes, that seems to be what's happening. Just lots of test transactions and the processor is tired of them!

JimBoone wrote:

Can you tell if these attempts originate from a specific IP address or country, any chance of creating a block of that location through your website or a security plugin for WordPress? Seems like we have or had forum members that were knowledgeable in that area.

No, I'm not getting an IP address on them. All I get is the notice from Authorize that a test transaction was processed.

But in the Authorize fraud set up, I set it so once 25 transactions have come through in a 1 hour period, it automatically declines any more submissions within that one hour period. Like if 25 submissions are made between 6 a.m. and 6:05, it automatically declines all additional submissions until 7 a.m. So the processor doesn't ever see the ones that Authorize declines automatically.

Since I turned this on yesterday afternoon, there have been no more attacks. I'll monitor a few days and see. As it is now, some real guests might get declined if they try to make a reservation after the 1 hour rule kicks in, but I hope they will contact me, or try again later.

This is so annoying! I can only guess that, as suggested above, someone is just using me to test CC numbers they stole, to see if they are good numbers. Maybe they'll get tired and go bother someone else now!
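
The hourly velocity rule described in the post above, modelled as an added example (not part of the original thread, and not Authorize.net's own implementation). The class and function names are hypothetical, the clock-hour window is an assumption taken from the "6 a.m. to 7 a.m." description, and the events are constructed sample data. It replays a five-minute burst plus two real guests to show what reaches the processor and which guest gets declined along with the burst.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HOURLY_LIMIT = 25  # threshold quoted in the post


class HourlyVelocityFilter:
    """Fixed clock-hour window: forward the first `limit` submissions
    in each hour, decline everything else until the next hour starts."""

    def __init__(self, limit=HOURLY_LIMIT):
        self.limit = limit
        self.counts = defaultdict(int)  # window start -> submissions seen

    def check(self, ts):
        window = ts.replace(minute=0, second=0, microsecond=0)
        self.counts[window] += 1
        return "forward" if self.counts[window] <= self.limit else "decline"


def constructed_events():
    """Constructed sample: 300 'test' submissions, one per second from
    06:00, plus one real guest at 06:40 and one at 07:10."""
    start = datetime(2020, 1, 1, 6, 0, 0)
    events = [(start + timedelta(seconds=i), "test") for i in range(300)]
    events.append((datetime(2020, 1, 1, 6, 40), "guest"))
    events.append((datetime(2020, 1, 1, 7, 10), "guest"))
    return events


def summarize(events, limit=HOURLY_LIMIT):
    """Replay events in time order; count outcomes per (label, decision)."""
    flt = HourlyVelocityFilter(limit)
    totals = defaultdict(int)
    for ts, label in sorted(events):
        totals[(label, flt.check(ts))] += 1
    return dict(totals)


if __name__ == "__main__":
    for (label, decision), n in sorted(summarize(constructed_events()).items()):
        print(f"{label:5s} {decision:8s} {n}")
```

Only the first 25 submissions of the burst are passed on to the processor; the 06:40 guest is declined with the rest of that hour, and the 07:10 guest goes through once the window resets.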

JimBoone
Joined: 12/18/2014

Morning Arks, more thoughts, seems like there are only two real choices for this activity, either through Reservation Key (or some perhaps former reservation channel) or direct to your Authorize account, any chance someone was able to guess or hack into your login/password for either account (or your computer)? I assume you've already changed your login/passwords and scanned your own system with an anti-virus and/or Malwarebytes or something similar. Really seems the big guys like the bank or Authorize would jump in to help, but I suppose it is easier for them to just leave it as the little guy's problem.

JimBoone
Joined: 12/18/2014

Random thoughts: 

Seems like Authorize sends a test transaction before the transaction with a charge, seems I get some rejected due to fraud protection settings, but the test transaction is still sent, if that's the issue with your processor.

Can you tell if these attempts originate from a specific IP address or country, any chance of creating a block of that location through your website or a security plugin for WordPress? Seems like we have or had forum members that were knowledgeable in that area.

Would law enforcement be of any assistance, of course it could be more of a pain than a help.

 

Morticia
Joined: 05/22/2008

Can you turn off authorize for a few days and do things manually? It sounds like stolen credit cards are being tested thru your reservation system.

Are you actually getting reservations?

I hate to suggest turning off your reservations for a day or two to break the cycle. Ask guests to call.

PhineasSwann
Joined: 09/25/2012

FYI, we use Authorize.net through our ThinkReservations system and have not experienced a similar attack. 

__________________

Darren
Innkeeper & Owner

 
