• Resolved tomc

    (@tomcannavan)


    I run the Stripe Payments plugin. Over the past 18 hours I have had 60,000 card testing attempts at making payments, around 300 of which have succeeded. Stripe support advised refunding these immediately, which I am doing.

    But each attempt results in either a success email from WordPress, or an Error email from WordPress, so I have had 60,000 emails in the past 18 hours.

    In the plugin settings I have reCaptcha enabled, and the box to have error emails sent to me is not checked. But all of these emails are still arriving.

    All 60,000 attempts are for the same product, which does not exist, so this is clearly not going through the product form on my web site.

    Can you advise urgently please?

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter tomc

    (@tomcannavan)

    I have resolved this

    @tomcannavan Can you please share how you resolved this? We’ve been getting thousands of these attempts over the last 2 days. I’ve tried to ban IP addresses and they keep coming back from another address.

    Mods/Devs – This is a serious issue for us. We’re running the latest version (updated today) and have had to turn off the plugin to stem the attacks, which is also costing us actual purchases as well.

    Thread Starter tomc

    (@tomcannavan)

    I found an old test installation of the Stripe plugin, where I had set up one product to sell. It did not have the full range of ‘friction’ settings to stop such abuse: reCaptcha enabled, required fields for credit card CVV and postcode, etc. That was the product that the card testers were using, but it took me a while to remember I had this test installation on another web site. Once I deleted the product, the card testing stopped immediately. Hope this is of some help.

    • This reply was modified 2 years, 6 months ago by tomc.
  • The topic ‘Card testing attack’ is closed to new replies.
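
An added example, not part of the thread and not the plugin's own code: one way to locate a source like the forgotten test installation described in the last reply is to tally payment attempts per site and product, then flag any pair that is missing from the inventory of storefronts you know about or that shows the card-testing pattern (high volume, very low success rate). The record fields, site names, thresholds and sample data are all constructed assumptions.

```python
from collections import Counter

# Constructed inventory: (site, product) pairs the owner knows are live.
KNOWN_STOREFRONTS = {("shop.example", "ebook"), ("shop.example", "course")}


def make_sample_attempts():
    """Constructed payment-attempt records (assumed fields: site, product, ok)."""
    rows = []
    # Normal traffic on the live site: low volume, most attempts succeed.
    rows += [{"site": "shop.example", "product": "ebook", "ok": i % 10 != 0}
             for i in range(40)]
    rows += [{"site": "shop.example", "product": "course", "ok": True}
             for _ in range(12)]
    # Forgotten test install: heavy volume, about 1 attempt in 200 succeeds.
    rows += [{"site": "old-test.example", "product": "test-item", "ok": i % 200 == 0}
             for i in range(6000)]
    return rows


def find_suspect_products(attempts, known, min_attempts=500, max_success_rate=0.05):
    """Return (site, product) pairs that are unknown or look like card testing."""
    total, succeeded = Counter(), Counter()
    for a in attempts:
        key = (a["site"], a["product"])
        total[key] += 1
        succeeded[key] += bool(a["ok"])
    findings = []
    for key, n in total.items():
        rate = succeeded[key] / n
        reasons = []
        if key not in known:
            reasons.append("not in storefront inventory")
        if n >= min_attempts and rate <= max_success_rate:
            reasons.append("high volume, low success rate")
        if reasons:
            findings.append({"site": key[0], "product": key[1], "attempts": n,
                             "succeeded": succeeded[key],
                             "success_rate": round(rate, 4), "reasons": reasons})
    # Largest sources first, so the noisiest endpoint is reviewed first.
    return sorted(findings, key=lambda f: f["attempts"], reverse=True)


if __name__ == "__main__":
    for finding in find_suspect_products(make_sample_attempts(), KNOWN_STOREFRONTS):
        print(finding)
```

Each flagged pair is a candidate for the fix reported in the thread: delete the stray product, or bring it up to the same friction settings as the live site.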