Quantcast

CC "test transactions" attack

INNspiring.com | Innkeeper Forum & Innkeeping Resources

Help Support INNspiring.com | Innkeeper Forum & Innkeeping Resources:

Arks

Well-known member
Joined
May 22, 2010
Messages
6,111
Reaction score
128
For about a week I've been undergoing a horrible "attack" of some kind. Thousands of "test transactions" have been sent to my inn website CC processor, Authorize.net, using names like "Mary Doe" and "Simmons Simmons" and "Walter Walter". They all seem to be using legitimate CC numbers and addresses, but they all get rejected by Authorize for "suspicious activity".
The ONLY CC charges that are processed through Authorize are my inn charges through Reservation Key, so I have no idea if this is coming from my website or...who knows.
I haven't lost a penny, but there are 2 problems:
  1. I have to delete thousands of Auto-Receipt/Merchant Email Receipt emails daily from Authorize. I can't delete them in a batch because I have to scan through the email subjects to make sure I'm not deleting a legitimate email. So it takes about 5 minutes, twice a day.
  2. The CC processor (not Authorize...they just accept or decline the charge then pass it on to the processor) the processor is threatening to deactivate my account due to excessive fraud attempts.
I haven't figured out how to combat this yet. I've signed up for the Authorize expanded fraud detection thing, at another $10/month, and it lets me set a lot of filters so perhaps I can have it decline these attacks before they are forwarded to the card processor. I'll drop the $10/month thing after a couple of months, if the attacks stop by then.
So, just passing this along as something I've never seen before, and I'll update it as it progresses, in case it can help others.
 

GoodScout

Well-known member
Supporting Member
Joined
Sep 25, 2012
Messages
1,051
Reaction score
156
FYI, we use Authorize.net through our ThinkReservations system and have not experienced a similar attack.
 

Morticia

Administrator
Staff member
Administrator
Moderator
Joined
May 22, 2008
Messages
17,350
Reaction score
222
Can you turn off authorize for a few days and do things manually? It sounds like stolen credit cards are being tested thru your reservation system.
Are you actually getting reservations?
I hate to suggest turning off your reservations for a day or two to break the cycle. Ask guests to call.
 

JimBoone

Well-known member
Joined
Dec 18, 2014
Messages
1,022
Reaction score
45
Random thoughts:
Seems like Authorize sends a test transaction before the transaction with a charge, seems I get some rejected due to fraud protection settings, but the test transaction is still sent, if that's the issue with your processor.
Can you tell if these attempts originate from a specific IP address or country, any chance of creating a block of that location through your website or a security plugin for WordPress? Seems like we have or had forum members that were knowledgeable in that area.
Would law enforcement be of any assistance, of course it could be more of a pain than a help.
 

Arks

Well-known member
Joined
May 22, 2010
Messages
6,111
Reaction score
128
Morticia said:
Are you actually getting reservations?
No, nothing is going through the reservation system. ResKey doesn't see any activity at all. Nobody else at ResKey has ever heard of anything like this before. It's like the submissions to the card processor are coming from somewhere else, not ResKey.
JimBoone said:
Seems like Authorize sends a test transaction before the transaction with a charge, seems I get some rejected due to fraud protection settings, but the test transaction is still sent, if that's the issue with your processor.
Yes, that seems to be what's happening. Just lots of test transactions and the processor is tired of them!
JimBoone said:
Can you tell if these attempts originate from a specific IP address or country, any chance of creating a block of that location through your website or a security plugin for WordPress? Seems like we have or had forum members that were knowledgeable in that area.
No, I'm not getting an IP address on them. All I get is the notice from Authorize that a test transaction was processed.
But in the Authorize fraud set up, I set it so once 25 transactions have come through in a 1 hour period, it automatically declines any more submissions within that one hour period. Like if 25 submissions are made between 6 a.m. and 6:05, it automatically declines all additional submissions until 7 a.m. So the processor doesn't ever see the ones that Authorize declines automatically.
Since I turned this on yesterday afternoon, there have been no more attacks. I'll monitor a few days and see. As it is now, some real guests might get declined if they try to make a reservation after the 1 hour rule kicks in, but I hope they will contact me, or try again later.
This is so annoying! I can only guess that, as suggested above, someone is just using me to test CC numbers they stole, to see if they are good numbers. Maybe they'll get tired and go bother someone else now!
 

JimBoone

Well-known member
Joined
Dec 18, 2014
Messages
1,022
Reaction score
45
Morticia said:
Are you actually getting reservations?
No, nothing is going through the reservation system. ResKey doesn't see any activity at all. Nobody else at ResKey has ever heard of anything like this before. It's like the submissions to the card processor are coming from somewhere else, not ResKey.
JimBoone said:
Seems like Authorize sends a test transaction before the transaction with a charge, seems I get some rejected due to fraud protection settings, but the test transaction is still sent, if that's the issue with your processor.
Yes, that seems to be what's happening. Just lots of test transactions and the processor is tired of them!
JimBoone said:
Can you tell if these attempts originate from a specific IP address or country, any chance of creating a block of that location through your website or a security plugin for WordPress? Seems like we have or had forum members that were knowledgeable in that area.
No, I'm not getting an IP address on them. All I get is the notice from Authorize that a test transaction was processed.
But in the Authorize fraud set up, I set it so once 25 transactions have come through in a 1 hour period, it automatically declines any more submissions within that one hour period. Like if 25 submissions are made between 6 a.m. and 6:05, it automatically declines all additional submissions until 7 a.m. So the processor doesn't ever see the ones that Authorize declines automatically.
Since I turned this on yesterday afternoon, there have been no more attacks. I'll monitor a few days and see. As it is now, some real guests might get declined if they try to make a reservation after the 1 hour rule kicks in, but I hope they will contact me, or try again later.
This is so annoying! I can only guess that, as suggested above, someone is just using me to test CC numbers they stole, to see if they are good numbers. Maybe they'll get tired and go bother someone else now!.
Morning Arks, more thoughts, seems like there are only two real choices for this actividy, either through Reservation Key (or some perhaps former reservation channel) or direct to your Authorize account, any chance someone was able to guess or hack into your login/password for either account (or your computer)? I assume you've already changed your login/passwords and scanned your own system with an anti-virus and or Malwarebytes or something similar. Really seems the big guys like the bank or Authorize would jump in to help, but I suppose it is easier for them to just leave it as the little guy's problem.
 

Arks

Well-known member
Joined
May 22, 2010
Messages
6,111
Reaction score
128
Yes, I thought the same, that the "big boys" would jump on it and track it down and block it. Instead, all I got was a threat to cancel my account!
Yes I changed passwords, though they were already very secure, but I'd think if they had passwords and full access to the account, they'd do something more than a bunch of authorizations that produce no money and a lot of annoyance.
 

seashanty

Moderator
Staff member
Moderator
Joined
Jun 2, 2008
Messages
5,714
Reaction score
39
Very Strange!
Probably totally unrelated but ...
We have been getting donor emails from people wanting to sign up to make donations from their account to ours. These are people we have NO involvement with at all ... and setting up such a monthly transfer means we have to give them our bank information. Tracing the IP addresses from their emails, they are all originating from Mexico. I believe it is an attempt to access our bank account. If you red through the donor request, they'll say they want to make a total donation of $5, spread out over a year. The treasurer wanted to start answering the emails when it was one or two, I told her absolutely not! Now it's multiplying.
Then the infamous wire transfers and 'I'm sending you a big check but need some of the money paid back to me'.
I have shut down access to that donor page for now.
You have to be vigilant all the time!
 

Arks

Well-known member
Joined
May 22, 2010
Messages
6,111
Reaction score
128
Just heard from someone on the ResKey forum saying he has started suffering the same sort of attack, with over 4000 test transaction emails coming from Authorize.
I haven't received any for a couple of days now. Don't know if it's because of stricter fraud settings I placed in Authorize, or if they just moved on to harass someone else.
 

JimBoone

Well-known member
Joined
Dec 18, 2014
Messages
1,022
Reaction score
45
Just heard from someone on the ResKey forum saying he has started suffering the same sort of attack, with over 4000 test transaction emails coming from Authorize.
I haven't received any for a couple of days now. Don't know if it's because of stricter fraud settings I placed in Authorize, or if they just moved on to harass someone else..
Concern for those of us that use the program, makes you wonder if someone has a way to hack into the system
 

Morticia

Administrator
Staff member
Administrator
Moderator
Joined
May 22, 2008
Messages
17,350
Reaction score
222
Just heard from someone on the ResKey forum saying he has started suffering the same sort of attack, with over 4000 test transaction emails coming from Authorize.
I haven't received any for a couple of days now. Don't know if it's because of stricter fraud settings I placed in Authorize, or if they just moved on to harass someone else..
Arks said:
Just heard from someone on the ResKey forum saying he has started suffering the same sort of attack, with over 4000 test transaction emails coming from Authorize.
I haven't received any for a couple of days now. Don't know if it's because of stricter fraud settings I placed in Authorize, or if they just moved on to harass someone else.
Does anyone else on here use Authorize without the RK connection? It would help to narrow down if the problem is on the Authorize server if people using Think or AvailabilityOnline were getting hit, too.
 

Arks

Well-known member
Joined
May 22, 2010
Messages
6,111
Reaction score
128
Just heard from someone on the ResKey forum saying he has started suffering the same sort of attack, with over 4000 test transaction emails coming from Authorize.
I haven't received any for a couple of days now. Don't know if it's because of stricter fraud settings I placed in Authorize, or if they just moved on to harass someone else..
Arks said:
Just heard from someone on the ResKey forum saying he has started suffering the same sort of attack, with over 4000 test transaction emails coming from Authorize.
I haven't received any for a couple of days now. Don't know if it's because of stricter fraud settings I placed in Authorize, or if they just moved on to harass someone else.
Does anyone else on here use Authorize without the RK connection? It would help to narrow down if the problem is on the Authorize server if people using Think or AvailabilityOnline were getting hit, too.
.
Morticia said:
Does anyone else on here use Authorize without the RK connection? It would help to narrow down if the problem is on the Authorize server if people using Think or AvailabilityOnline were getting hit, too.
So far I've only heard of one other person facing this problem in the whole world, so unlikely that anybody here has faced it, regardless of what systems they use. I haven't seen an attack in a couple of days, but don't know if it's because of the increased fraud checks I implemented through Authorize, or if they just moved on to bother someone else.
 

JimBoone

Well-known member
Joined
Dec 18, 2014
Messages
1,022
Reaction score
45
https://www08.wellsfargomedia.com/assets/pdf/small-business/merchant/card-testing-fraud.pdf
Too late to be useful for that which has past, but came across this link to a paper on "card testing"
 

Morticia

Administrator
Staff member
Administrator
Moderator
Joined
May 22, 2008
Messages
17,350
Reaction score
222
https://www08.wellsfargomedia.com/assets/pdf/small-business/merchant/card-testing-fraud.pdf
Too late to be useful for that which has past, but came across this link to a paper on "card testing".
That's good info!
 
Top