  1. #1
    SitePoint Guru
    Join Date
    Jan 2007
    Posts
    971

    Donation Form Attack

    A donation form I built got hit with an attack I've never heard of before.

    A bot was submitting one credit card number with a $5 donation every two minutes.
    It was submitting the same generic name with a different cc#. My assumption is the hacker had obtained a large number of credit card numbers without any other information and was apparently using the donation form as a filter to see which cards would run the charge without a correct name or address.

    Has anyone else had a form attacked like this?

    Since the same email address was used, for the time being, I am sending out random responses when that email was sent to trick the hacker into thinking he was getting real responses. A captcha on a donation form seems a bit Draconian. The hacker doesn't seem that clever, so maybe he can be outsmarted a different way.

    Ideally, it would be cool to send a notice letting credit card companies know the cards had been compromised as they are run. That would make life a little more difficult for the thieves, instantly spoiling their score. Anyone have any idea how to do this?

    E
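The pattern described in this post (one identity, a small fixed amount, a fresh card every couple of minutes) is a classic card-testing signature and is straightforward to flag from the submission log. The following is an added example, not code from the thread or from the poster's form; it assumes each submission was logged with a timestamp, donor name, e-mail, amount, the card token returned by the payment processor (never the card number itself) and the source IP, and all sample rows are constructed.

```python
"""Flag card-testing activity in a donation submission log (added example).

Assumptions (not from the thread): the log stores a processor-issued card
token rather than the card number, and rows are simple tuples as below.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed sample log: (timestamp, donor name, e-mail, amount, card token, source IP).
# The first five rows mimic the attack: same name and e-mail, $5 each, a new card every ~2 minutes.
SAMPLE_LOG = [
    ("2011-05-01 10:00:00", "John Smith", "donor@example.invalid", 5.00, "tok_a1", "203.0.113.9"),
    ("2011-05-01 10:02:01", "John Smith", "donor@example.invalid", 5.00, "tok_b2", "203.0.113.9"),
    ("2011-05-01 10:04:03", "John Smith", "donor@example.invalid", 5.00, "tok_c3", "203.0.113.9"),
    ("2011-05-01 10:06:00", "John Smith", "donor@example.invalid", 5.00, "tok_d4", "203.0.113.9"),
    ("2011-05-01 10:08:02", "John Smith", "donor@example.invalid", 5.00, "tok_e5", "203.0.113.9"),
    # Ordinary donors: one card each, varied amounts, no cadence.
    ("2011-05-01 10:03:30", "Maria Lopez", "maria@example.invalid", 25.00, "tok_m1", "198.51.100.4"),
    ("2011-05-01 11:15:00", "Wei Chen", "wei@example.invalid", 100.00, "tok_w1", "198.51.100.77"),
    ("2011-05-01 12:20:00", "Maria Lopez", "maria@example.invalid", 25.00, "tok_m1", "198.51.100.4"),
]


def parse(row):
    ts, name, email, amount, token, ip = row
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "name": name,
            "email": email, "amount": amount, "token": token, "ip": ip}


def find_card_testing(rows, window=timedelta(hours=1), min_distinct_cards=3):
    """Return one finding per identity that ran >= min_distinct_cards different
    cards inside `window`, annotated with the amount and cadence observed."""
    by_identity = defaultdict(list)
    for r in map(parse, rows):
        # Key on e-mail plus name: the attacker reused both, legitimate donors rarely share them.
        by_identity[(r["email"].lower(), r["name"].strip().lower())].append(r)

    findings = []
    for (email, name), subs in by_identity.items():
        subs.sort(key=lambda r: r["ts"])
        for i in range(len(subs)):
            # Sliding window starting at each submission.
            in_window = [s for s in subs[i:] if s["ts"] - subs[i]["ts"] <= window]
            tokens = {s["token"] for s in in_window}
            if len(tokens) < min_distinct_cards:
                continue
            gaps = [(b["ts"] - a["ts"]).total_seconds()
                    for a, b in zip(in_window, in_window[1:])]
            findings.append({
                "email": email,
                "name": name,
                "distinct_cards": len(tokens),
                "same_amount": len({s["amount"] for s in in_window}) == 1,
                # A bot on a timer produces near-constant spacing; humans do not.
                "regular_cadence": len(gaps) > 1 and pstdev(gaps) < 30,
                "ips": sorted({s["ip"] for s in in_window}),
            })
            break  # one alert per identity is enough
    return findings


if __name__ == "__main__":
    for f in find_card_testing(SAMPLE_LOG):
        print(f)
```

Run on the constructed log it reports only the "John Smith" identity (5 distinct cards, identical amounts, regular cadence, one IP); the two real donors are not flagged. The distinct-card count is the signal that matters: a genuine donor almost never cycles through several cards, so this check catches the pattern even if the bot later randomises names or slows its timer.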

  2. #2
    Non-Member
    Join Date
    Apr 2011
    Location
    no fixed address
    Posts
    851
    One option you could try, if it actually is a bot and not a real person.

    This is by no means foolproof, but a basic captcha like this might work in this case.

    1) Add a "hidden" text input with a legitimate sounding name attribute in the form. The bot hopefully works by entering a value in every input box. Being hidden, a real person won't see the hidden input box.

    2) Then in your server side processing script, check if there is a value sent in that hidden field. If there is, that means a bot filled out the form. If there isn't, then it might be a real person who filled out the form. The hidden field being empty on the server could also mean the hacker is sending data directly to your server side script without using the form at all.

  3. #3
    Keeper of the SFL StarLion's Avatar
    Join Date
    Feb 2006
    Location
    Atlanta, GA, USA
    Posts
    3,748
    Or just prevent submissions from the same IP more than once an hour. I assume somewhere you're storing the form input.
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.
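A per-IP limit of the kind suggested here is a few lines once the submission timestamps are kept somewhere. The following is an added example, not from the thread or from the poster's site; it keeps the timestamps in memory and takes the clock as a parameter so the behaviour is deterministic, and the proxy-header handling assumes a single trusted reverse proxy in front of the application.

```python
"""Per-IP sliding-window limit on form submissions (added example)."""
from collections import defaultdict, deque


class IpRateLimiter:
    """Allow at most `limit` submissions per `window_seconds` from one source IP.

    `now` is passed to check() as seconds since the epoch so tests can drive the
    clock; a real deployment would pass time.time() and keep the deque in a
    shared store (database, memcached) rather than process memory.
    """

    def __init__(self, limit=1, window_seconds=3600):
        self.limit = limit
        self.window = window_seconds
        self._seen = defaultdict(deque)  # ip -> timestamps of accepted submissions

    def check(self, ip, now):
        q = self._seen[ip]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def client_ip(remote_addr, x_forwarded_for, trusted_proxy):
    """Pick the IP to rate-limit on.

    X-Forwarded-For is attacker-controlled unless it was set by a proxy you run,
    so it is honoured only when the direct peer is that proxy; otherwise the
    header is ignored and the TCP peer address is used.
    """
    if remote_addr == trusted_proxy and x_forwarded_for:
        # Our proxy appends the real client last; take the address it added.
        return x_forwarded_for.split(",")[-1].strip()
    return remote_addr


def simulate(events, limit=1, window_seconds=3600):
    """Apply the limiter to constructed (ip, seconds) events; returns allow/deny per event."""
    limiter = IpRateLimiter(limit, window_seconds)
    return [limiter.check(ip, t) for ip, t in events]


if __name__ == "__main__":
    # Constructed events: the attacker every two minutes, one other donor in between.
    events = [("203.0.113.9", 0), ("203.0.113.9", 120), ("198.51.100.4", 130),
              ("203.0.113.9", 240), ("203.0.113.9", 3600)]
    print(simulate(events))  # [True, False, True, False, True]
```

The trade-off to keep in mind with an IP-only rule is that donors behind one corporate or campus NAT share an address, so a once-an-hour limit should reject with a clear message rather than silently drop, and it does nothing against a bot that rotates source addresses; it works best alongside the identity-based checks discussed elsewhere in the thread.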

  4. #4
    SitePoint Guru
    Join Date
    Jan 2007
    Posts
    971
    webdev1958, yes, I thought of a honeypot too, but only fields required for validation are filled out.

  5. #5
    SitePoint Guru aamonkey's Avatar
    Join Date
    Sep 2004
    Location
    kansas
    Posts
    953
    Quote Originally Posted by eruna:
        Ideally, it would be cool to send a notice letting credit card companies know the cards had been compromised as they are run. That would make life a little more difficult for the thieves, instantly spoiling their score. Anyone have any idea how to do this?
    I wouldn't mess with it - emailing or storing credit card numbers could get you into a lot of trouble yourself, regardless of if you're trying to help. I would just turn in the IP address with a description of what happened to authorities.
    aaron-fisher.com - PHP articles and more

  6. #6
    Non-Member
    Join Date
    Apr 2011
    Location
    no fixed address
    Posts
    851
    Quote Originally Posted by eruna:
        webdev1958, yes, I thought of a honeypot too, but only fields required for validation are filled out.
    Maybe I'm missing something, but why can't you send the hidden input field to the validation code, and the validation code can then check if there is a value in the hidden field or not and then act accordingly?
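Posts #2 and #6 together describe the honeypot check: the hidden field is submitted with the rest of the form, so the same validation code that checks the required fields can check it too, and an absent field (rather than an empty one) is the direct-POST case #2 mentions. The following is an added example, not code from the thread or from either poster's site; the field names, the honeypot name "website" and the sample submissions are all assumed.

```python
"""Honeypot check folded into ordinary form validation (added example).

Assumed field names: name, email, amount, card_token (visible) and
website (the honeypot). Sample submissions below are constructed.
"""

HONEYPOT_FIELD = "website"            # assumed: plausible name so a bot fills it
REQUIRED = ("name", "email", "amount", "card_token")

# The input is hidden with CSS rather than type="hidden" because many
# form-filling bots skip type="hidden" inputs but fill any text input.
# autocomplete/tabindex keep browsers and keyboard users from touching it.
HONEYPOT_HTML = (
    '<div style="position:absolute;left:-9999px" aria-hidden="true">'
    f'<label for="{HONEYPOT_FIELD}">Website</label>'
    f'<input type="text" id="{HONEYPOT_FIELD}" name="{HONEYPOT_FIELD}" '
    'autocomplete="off" tabindex="-1"></div>'
)


def validate_submission(fields):
    """Return (accepted, reason) for a POSTed form given as a dict of strings.

    The honeypot is evaluated before the required fields so a bot that fills
    everything is rejected without touching the payment processor.
    """
    if HONEYPOT_FIELD not in fields:
        # The rendered form always sends the field, empty. No field at all
        # means the request was built without the form (post #2's caveat).
        return False, "honeypot field absent: request bypassed the form"
    if fields[HONEYPOT_FIELD].strip():
        return False, "honeypot field filled: automated submission"
    missing = [f for f in REQUIRED if not fields.get(f, "").strip()]
    if missing:
        return False, "missing required fields: " + ", ".join(missing)
    return True, "ok"


if __name__ == "__main__":
    # Constructed submissions.
    human = {"name": "Maria Lopez", "email": "maria@example.invalid",
             "amount": "25", "card_token": "tok_m1", "website": ""}
    bot = dict(human, name="John Smith", card_token="tok_a1", website="http://spam.invalid")
    direct = {k: v for k, v in bot.items() if k != "website"}
    for label, sub in (("human", human), ("bot", bot), ("direct", direct)):
        print(label, validate_submission(sub))
```

Rejected submissions are best answered with the same page a successful donation would show, so the operator of the bot gets no signal about which check fired; the reason string is for your own log, where it doubles as a count of how much automated traffic the form is attracting.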
