  • paperleaf (@paperleaf) [Resolved]


    Our shop had to address an issue with a Client site over the weekend; figured the attack & the learnings were worth sharing.

    Client was hit with a spamming attack where a bad actor was hitting the site with credit card numbers to check for validity. This comes at a cost to Client in the form of chargebacks and fines from their payment processors, and could potentially lead to them getting blocked from processing credit card payments from legitimate customers.

    We are using the reCaptcha for WooCommerce plugin on the site, which disables the Place Order button until the Captcha is filled out. We initially thought they were manipulating the DOM to bypass that and submitting the orders that way, so we added some additional server-side validation to ensure the Captcha was being populated. However, that did not fix the issue.

    We dug deeper and found what they were doing was taking advantage of the Order Pay page (aka Customer payment page). This is a separate payment page outside of the normal checkout flow that you can send directly to the customer in the event that their initial payment failed.

    So the bad actor was creating an account and sending in a Failed order with one IP, and then spamming this other payment page with an automated script to check if each card validated using different IPs (WordFence managed to block one IP, but the scammer switched to a different IP during their card testing).

    Since we weren’t aware that there were specific settings for this alternate payment page, there was no reCaptcha enabled for it. Luckily, there was a setting in the plugin to enable it. Since then, they haven’t received any spam orders or card testing.

    On the WooCommerce side, the reason this worked is that the URLs for a normal checkout and this other payment page are nearly identical, and use the same key. So once their initial order Failed, they could just grab the URL and change it to point to the Order Pay page. We are guessing that the automated script would just craft a POST using the correct information from their order, and keep hitting the Order Pay page with different numbers.

    Normal Checkout:
    https://yoursite.com/checkout/order-received/1234/?key=wc_order_FvNvVRjXin9HD

    Pay Order:
    https://yoursite.com/checkout/order-pay/1234/?pay_for_order=true&key=wc_order_FvNvVRjXin9HD

    WooCommerce Learnings:
    1. For all WooCommerce sites, Developers should be purchasing and enabling the reCaptcha for WooCommerce plugin
    2. In the WooCommerce settings for reCaptcha, ensure the option Enable Recaptcha on Pay For Order is checked, and that Recaptcha validity is set to 0

    Hope this helps!

Viewing 1 replies (of 1 total)
  • Mirko P.

    (@rainfallnixfig)

    Hi @paperleaf,

    Quite unfortunate to hear that you were facing this issue.

    Thanks so much for sharing your suggestions and feedback with the WooCommerce community on this forum.

    If you believe that something could be improved within the core plugin relating to security, please feel free to share your ideas on our Ideas Board which is where WooCommerce developers get insights for future plugin features and improvements.

  • The topic ‘WooCommerce Credit Card Failed Order / Checkout Attack’ is closed to new replies.