Donation Form Attack

A donation form I built got hit with an attack I’ve never heard of before.

A bot was submitting one credit card number with a $5 donation every two minutes.
It was submitting the same generic name with a different cc#. My assumption is the hacker had obtained a large number of credit card numbers without any other information and was apparently using the donation form as a filter to see which cards would run the charge without a correct name or address.

Has anyone else had a form attacked like this?

Since the same email address was used, for the time being, I am sending out random responses when that email was sent to trick the hacker into thinking he was getting real responses. A captcha on a donation form seems a bit Draconian. The hacker doesn’t seem that clever so maybe he can be outsmarted a different way.

Ideally, it would be cool to send a notice letting credit card companies know the cards had been compromised as they are run. That would make life a little more difficult for the thieves, instantly spoiling their score. Anyone have any idea how to do this?


One option you could try, if it actually is a bot and not a real person.

This is by no means foolproof but a basic captcha like this might work in this case.

  1. Add a “hidden” text input with a legitimate sounding name attribute in the form. The bot hopefully works by entering a value in every input box. Being hidden, a real person won’t see the hidden input box.

  2. Then in your server side processing script, check if there is a value sent in that hidden field. If there is, that means a bot filled out the form. If there isn’t then it might be a real person who filled out the form. The hidden field being empty on the server could also mean the hacker is sending data directly to your server side script without using the form at all.

Or just preventing submissions from the same IP more than once an hour. I assume somewhere you’re storing the form input.
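The two suggestions above (a hidden honeypot field and a one-per-hour limit) combined into one pre-charge check, as an added example that is not code from anyone in this thread. The field name `company_website`, the class name and the sample addresses are assumptions; the limiter also keys on email because the bot described here reused one address, and it keeps only IPs, emails and timestamps, never card data.

```python
import time
from collections import defaultdict, deque

HONEYPOT_FIELD = "company_website"   # hypothetical name; hidden with CSS in the form
WINDOW_SECONDS = 3600                # "once an hour", as suggested in the thread
MAX_PER_WINDOW = 1


class SubmissionScreen:
    """Pre-charge checks: honeypot field plus a sliding-window limit per IP and per email."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW):
        self.window = window
        self.limit = limit
        self.seen = defaultdict(deque)   # key -> timestamps of accepted attempts

    def _over_limit(self, key, now):
        stamps = self.seen[key]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()             # drop attempts that have left the window
        return len(stamps) >= self.limit

    def check(self, form, ip, now=None):
        """Return (allowed, reason). Call before the card is sent to the processor."""
        now = time.time() if now is None else now
        # A human never sees the hidden field, so any value means an automated fill.
        if (form.get(HONEYPOT_FIELD) or "").strip():
            return False, "honeypot"
        # An empty honeypot proves nothing (direct POSTs skip it), so rate-limit too.
        email = (form.get("email") or "").strip().lower()
        keys = [k for k in (("ip", ip), ("email", email)) if k[1]]
        for key in keys:
            if self._over_limit(key, now):
                return False, "rate:" + key[0]
        for key in keys:
            self.seen[key].append(now)   # record only attempts that were let through
        return True, "ok"
```

The in-memory dictionary resets on restart and is per process; a shared store is needed when the form runs on more than one worker.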

webdev1958, yes, I thought of a honeypot too, but only fields required for validation are filled out.

I wouldn’t mess with it - emailing or storing credit card numbers could get you into a lot of trouble yourself, regardless of if you’re trying to help. I would just turn in the IP address with a description of what happened to authorities.

Maybe I’m missing something, but why can’t you send the hidden input field to the validation code and the validation code can then check if there is a value in the hidden field or not and then act accordingly?