fire--braintree-spam
Timeline:
Jan 22, 2020 - 09:54 Ben gets an email from Braintree
Your POWr Inc account was recently flagged as a result of a simultaneous verifications and transaction attack that is taking place against your website. It appears that there is an attempt to process a large number of credit card transactions using your website, which is resulting in an abnormally high rate of declines. Here's what we need to do:
- Acknowledge receipt of this alert (done)
- Install reCAPTCHA on your checkout page. CAPTCHA is a program designed to tell the difference between human and machine input. Having a CAPTCHA on your site can help prevent carding attacks, keeping your site safe and secure. This needs to be implemented as soon as possible.
- Consider rotating your API Keys following these instructions for additional security: https://articles.braintreepayments.com/risk-and-security/control-panel-security/rotating-api-keys
- Proactively refund suspicious settled transactions to avoid an increase in chargebacks down the line. Trends we are noticing are as follows:
  - Many of the fraudulent transactions are at the $4.99 price point
  - Many have billing and BIN mismatches
  - Some of the prominent BINs we are seeing are: 457453 and 448233
Jan 22, 2020 - 09:00 Ben responds to Braintree so they don't stop our account and calls them to understand what we really need to do: 312.257.2306
Jan 22, 2020 - 10:38 Aigul notices that all transactions use the same phone number - 5704585621
Braintree tells us that we can send them a list of transactions that were identified as fraudulent and they will deal with refunding users.
Ivan and Lauren notice that the spammer also created 177k+ user accounts on POWr.
The scammer's workflow:
- Create account on powr.io (using new user access invite? or some other way)
- The user goes to /pricing and upgrades to Social Feed Monthly Starter
- The user does not create any apps or do anything else with that account
- Spammer verifies valid cards based on whether a subscription was created or not
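The pattern above (one actor verifying a stack of stolen cards by attempting a cheap subscription on throwaway accounts) shows up in transaction data as a cluster: one reused phone number, one price point, a couple of BIN prefixes, billing countries that don't match the card's issuing country, and a decline rate far above normal. The script below is an added example, not POWr code: it computes those indicators over constructed sample transactions, flags phone numbers reused across many mostly-declined attempts, and produces the list of settled charges to send to Braintree for proactive refund. The sample phone number, thresholds, and function names are all assumptions.

```python
from collections import Counter, namedtuple

Txn = namedtuple("Txn", "user_id phone amount card_bin billing_country bin_country status")

# Constructed sample records (not real data). The first three rows model normal
# customers; the rest model the card-testing run described in the alert: fresh
# accounts, one shared (constructed) phone number, the $4.99 Starter price point,
# BINs clustered on two prefixes, billing country differing from the card's
# issuing country, and mostly declined.
SAMPLE_TRANSACTIONS = [
    Txn("u1", "2125550101", 9.99, "411111", "US", "US", "settled"),
    Txn("u2", "3105550102", 4.99, "520000", "US", "US", "settled"),
    Txn("u3", "4155550103", 29.99, "371449", "GB", "GB", "settled"),
    Txn("u100", "5705550000", 4.99, "457453", "DE", "US", "declined"),
    Txn("u101", "5705550000", 4.99, "457453", "BR", "US", "declined"),
    Txn("u102", "5705550000", 4.99, "448233", "FR", "US", "settled"),
    Txn("u103", "5705550000", 4.99, "448233", "US", "US", "declined"),
    Txn("u104", "5705550000", 4.99, "457453", "RU", "US", "declined"),
    Txn("u105", "5705550000", 4.99, "448233", "IN", "US", "settled"),
    Txn("u106", "5705550000", 4.99, "457453", "NG", "US", "declined"),
]


def summarize(transactions):
    """Fleet-wide indicators: decline rate, concentration on one phone number,
    one price point and a few BINs, and billing-vs-BIN country mismatches."""
    n = len(transactions)
    declines = sum(t.status == "declined" for t in transactions)
    mismatches = sum(t.billing_country != t.bin_country for t in transactions)
    top_phone, phone_n = Counter(t.phone for t in transactions).most_common(1)[0]
    top_amount, amount_n = Counter(t.amount for t in transactions).most_common(1)[0]
    bins = Counter(t.card_bin for t in transactions)
    return {
        "count": n,
        "decline_rate": declines / n,
        "top_phone": top_phone,
        "top_phone_share": phone_n / n,
        "top_amount": top_amount,
        "top_amount_share": amount_n / n,
        "mismatch_rate": mismatches / n,
        "top_bins": [b for b, _ in bins.most_common(2)],
    }


def suspicious_phones(transactions, min_attempts=5, min_decline_rate=0.5):
    """Phone numbers reused across many checkout attempts with a high decline
    rate: the signature of one actor testing cards through new accounts.
    Thresholds are assumptions; tune them against real traffic."""
    attempts, declines = Counter(), Counter()
    for t in transactions:
        attempts[t.phone] += 1
        declines[t.phone] += t.status == "declined"
    return {p for p, a in attempts.items()
            if a >= min_attempts and declines[p] / a >= min_decline_rate}


def settled_to_refund(transactions, phones):
    """Settled charges tied to flagged phone numbers: the list to hand to the
    processor for proactive refunds before they turn into chargebacks."""
    return [t.user_id for t in transactions if t.phone in phones and t.status == "settled"]


if __name__ == "__main__":
    stats = summarize(SAMPLE_TRANSACTIONS)
    flagged = suspicious_phones(SAMPLE_TRANSACTIONS)
    print(stats)
    print("flagged phones:", flagged)
    print("settled charges to refund:", settled_to_refund(SAMPLE_TRANSACTIONS, flagged))
```

On the sample data the decline rate is 50%, one phone number accounts for 70% of attempts, 80% of attempts are at $4.99, and the two most common BINs are the ones Braintree named; the flagged phone yields two settled charges for the refund list. In production the same aggregation would run over a recent window of transactions joined to the accounts that created them, and the flagged set feeds both the refund request and the checkout block.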
ENG Action Items:
- Puru makes an update that rejects charges using the above phone number to solve the immediate issue: https://gitlab.com/powr/powr/merge_requests/4172/
- Puru and Joe to add Invisible Captcha to our checkout page to prevent this from happening again in the future
Data Action Items:
- Data team to create a temporary table to store the details from the spam attack so we have it if needed for chargebacks, support tickets, etc.
  - Will copy users, pro_subscriptions, transactions, and credit_cards
- Data team to migrate spammer data over to that new table so that our dashboards are not displaying flawed data and we are not trying to charge the stolen cards again on renewal
Jan 24, 2020 - 11:35 Ivan copied and deleted the spammer's data. The data can be found in the following tables:
- credit_card_spammer_users
- credit_card_spammer_credit_cards
- credit_card_spammer_pro_subscriptions
- credit_card_spammer_transactions
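The data action items and the table list above describe a copy-then-delete quarantine: every row tied to the spammer's accounts is preserved for chargeback and support lookups, and removed from the live tables so dashboards are clean and the renewal job never charges those cards again. The script below is an added example, not the migration Ivan ran: it builds a simplified in-memory SQLite stand-in for the four production tables (schema and rows are constructed, as is the shared phone number), then moves matching rows into credit_card_spammer_* tables inside a single transaction so a failure part-way leaves both copies untouched.

```python
import sqlite3

# Constructed stand-in for the shared phone number that marked the spammer's
# accounts; the real value lives in the incident notes, not here.
SPAM_PHONE = "5705550000"
PREFIX = "credit_card_spammer_"
# Parent table first; the child tables are selected through users.id.
# Fixed identifiers only: table names are never taken from input.
TABLES = ("users", "credit_cards", "pro_subscriptions", "transactions")


def build_sample_db():
    """In-memory stand-in for the four production tables (constructed, simplified)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, phone TEXT);
        CREATE TABLE credit_cards (id INTEGER PRIMARY KEY, user_id INTEGER, bin TEXT, last4 TEXT);
        CREATE TABLE pro_subscriptions (id INTEGER PRIMARY KEY, user_id INTEGER, plan TEXT);
        CREATE TABLE transactions (id INTEGER PRIMARY KEY, user_id INTEGER, amount REAL, status TEXT);
    """)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "alice@example.com", "2125550101"),
        (2, "bob@example.com", "3105550102"),
        (3, "x1@example.net", SPAM_PHONE),
        (4, "x2@example.net", SPAM_PHONE),
        (5, "x3@example.net", SPAM_PHONE),
    ])
    conn.executemany("INSERT INTO credit_cards VALUES (?, ?, ?, ?)", [
        (1, 1, "411111", "1111"), (2, 2, "520000", "2222"),
        (3, 3, "457453", "3333"), (4, 4, "448233", "4444"), (5, 5, "457453", "5555"),
    ])
    conn.executemany("INSERT INTO pro_subscriptions VALUES (?, ?, ?)", [
        (1, 2, "Social Feed Monthly Starter"),
        (2, 3, "Social Feed Monthly Starter"),
        (3, 4, "Social Feed Monthly Starter"),
        (4, 5, "Social Feed Monthly Starter"),
    ])
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?)", [
        (1, 2, 4.99, "settled"),
        (2, 3, 4.99, "declined"),
        (3, 4, 4.99, "settled"),
        (4, 5, 4.99, "declined"),
    ])
    conn.commit()
    return conn


def _where(table):
    # users is matched on phone directly; child tables via the owning user.
    return ("WHERE phone = ?" if table == "users"
            else "WHERE user_id IN (SELECT id FROM users WHERE phone = ?)")


def quarantine_spammer_data(conn, phone):
    """Copy every row tied to accounts using `phone` into the credit_card_spammer_*
    tables, then delete it from the live tables, all in one transaction.
    Returns the number of rows moved per table."""
    moved = {}
    with conn:  # commits on success, rolls back on any exception
        for table in TABLES:
            # Mirror the live table's columns without copying any rows.
            conn.execute(f"CREATE TABLE IF NOT EXISTS {PREFIX}{table} AS SELECT * FROM {table} WHERE 0")
            moved[table] = conn.execute(f"SELECT COUNT(*) FROM {table} {_where(table)}", (phone,)).fetchone()[0]
            conn.execute(f"INSERT INTO {PREFIX}{table} SELECT * FROM {table} {_where(table)}", (phone,))
        # Delete children first: their WHERE clause still needs users.phone.
        for table in reversed(TABLES):
            conn.execute(f"DELETE FROM {table} {_where(table)}", (phone,))
    return moved


def row_counts(conn, prefix=""):
    """Row count per table, for the live tables (prefix "") or the quarantine copies."""
    return {t: conn.execute(f"SELECT COUNT(*) FROM {prefix}{t}").fetchone()[0] for t in TABLES}


def renewal_user_ids(conn):
    """Users a renewal job would still try to charge after the move."""
    return [r[0] for r in conn.execute("SELECT user_id FROM pro_subscriptions ORDER BY user_id")]


if __name__ == "__main__":
    db = build_sample_db()
    print("moved:", quarantine_spammer_data(db, SPAM_PHONE))
    print("live:", row_counts(db), "quarantined:", row_counts(db, PREFIX))
    print("renewals still due for users:", renewal_user_ids(db))
```

Two details matter in practice: match the child tables through the user id rather than re-deriving the phone match per table, so the four copies stay consistent with each other, and delete the pro_subscriptions rows along with the cards, since a surviving subscription is what would trigger another charge attempt on a stolen card at renewal.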