Charity sites are being targeted by credit card fraudsters
NetSafe warns New Zealand charity websites are being targeted by credit card fraudsters
FOR IMMEDIATE RELEASE: Auckland, 16 January 2015
NetSafe is warning New Zealand charities taking online donations to be on the alert after receiving two reports this week of cyber criminals launching automated attacks that attempt to validate large numbers of stolen credit cards.
In the first incident, almost 50,000 attempts were made to rapidly submit fake donations through a website form, with the aim of testing which credit cards could be used for subsequent online fraud or sold on to other internet scammers.
More than 2000 successful donations were made resulting in the charity having to enlist the help of their bank and merchant account provider to refund the fraudulent payments. They also spent time dealing with enquiries from cardholders around the world questioning the transactions.
A second incident yesterday saw another charity website hit with 11,000 payment requests resulting in more than 250 donations to their bank account.
In both cases, the automated attacks had been launched from a Brazilian IP address and NetSafe is encouraging charities and other small businesses that take payments online to take steps to secure their websites and contact their bank or payment provider about ways to prevent online fraud.
Online fraud a global problem
“Credit card fraud is an ongoing issue for any organisation that takes payments over the internet,” said NetSafe’s Digital Project Manager Chris Hails.
“The American security company PhishLabs warned that charity websites were being targeted by cyber criminals to validate stolen cards in November last year (see Note 1) and they believe that these smaller organisations have fewer internet defenses in place than larger retailers and are thus an easy target.”
“Being the target of such an attack can mean hours of staff time cleaning up afterwards and could potentially cost your organisation money or find you blocked from taking future donations online,” said Hails.
The warning comes just a week after New Zealand’s Banking Ombudsman predicted that complaints to her office about scams would increase in 2015 (see Note 2). Auckland-based NetSafe recorded more than 8000 incidents in 2014 including a wide range of cyber security issues ranging from phishing attempts to ransomware.
Protect your business online
NetSafe offers the following advice for charities and website owners:
• Talk to your bank or merchant provider about how their payment systems can be used to protect against online fraud
Enquire about options for monitoring payments and blocking such large scale automated attacks. If you can, consider using third party card verification services from Visa and MasterCard to add a second layer of protection.
• Talk to your website developer, IT staff or a security specialist about ways to protect your site and any payment forms you host
Using SSL to encrypt information submitted is essential so that forms operate at an https:// address. Discuss testing your systems for signs of common vulnerabilities and your options for fixing them.
• Use a CAPTCHA on your web form or require an account be created
Technical solutions like these can potentially slow down automated software ‘bots’ that are designed to validate card numbers in quick succession.
• Limit transaction volumes or website sessions by IP address or pre-screen payments from high risk countries if you are seeing fraudulent attempts to donate
Many New Zealand charities may only wish to accept donations from Kiwis using credit cards issued by NZ banks. Ask if you can filter payments by Bank Identification Number (BIN) to prevent overseas cards being accepted.
• Consider monitoring traffic volumes to your website
Talk with your website host about establishing an alerts service so that you’re aware if you receive a sudden unexpected spike in visitors.
“Monitoring any payments received is an important way to detect fraud on your website. Be on the lookout for a series of small donations for odd values or random amounts. Real people tend to donate whole dollars - $20 rather than $4.73,” said Hails.
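The two warning signs described above, many attempts from one IP address in a short period and donations for odd amounts, can be checked against a donation form's attempt log. The following Python sketch is an added illustration and is not NetSafe's code; the record layout, thresholds, function names and sample data are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from decimal import Decimal


def build_sample():
    """Constructed attempt log: (timestamp, source IP, amount). Not real data."""
    start = datetime(2015, 1, 15, 9, 0, 0)
    # One source submitting every 2 seconds with odd amounts (documentation IP range).
    rows = [(start + timedelta(seconds=2 * i), "203.0.113.7",
             Decimal("1.00") + Decimal(i * 37 % 500) / 100) for i in range(60)]
    # Three ordinary donors giving whole-dollar amounts minutes apart.
    for n, amount in enumerate(["20.00", "50.00", "10.00"]):
        rows.append((start + timedelta(minutes=3 + 5 * n),
                     f"198.51.100.{n + 1}", Decimal(amount)))
    return sorted(rows)


def review_attempts(rows, window=timedelta(minutes=1), max_per_window=10,
                    min_attempts=5, odd_ratio=0.5):
    """Return {ip: [reasons]} for sources whose attempts look automated.

    rows must be sorted by timestamp. All thresholds are illustrative assumptions.
    """
    recent = defaultdict(deque)   # timestamps inside the sliding window, per IP
    peak = defaultdict(int)       # highest count seen in any window, per IP
    total = defaultdict(int)
    odd = defaultdict(int)        # attempts that were not whole-dollar amounts
    for ts, ip, amount in rows:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        total[ip] += 1
        if amount != amount.to_integral_value():
            odd[ip] += 1
    flagged = {}
    for ip in total:
        reasons = []
        if peak[ip] > max_per_window:
            reasons.append(f"{peak[ip]} attempts within {int(window.total_seconds())}s")
        if total[ip] >= min_attempts and odd[ip] / total[ip] >= odd_ratio:
            reasons.append(f"{odd[ip]} of {total[ip]} amounts are not whole dollars")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in review_attempts(build_sample()).items():
        print(ip, "->", "; ".join(reasons))
```

Flagged sources are candidates for review with the bank or merchant provider, not proof of fraud on their own.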
If your website has been targeted by credit card fraudsters, speak with your bank or merchant provider. You can also contact NetSafe via their freephone telephone number 0508 NETSAFE or report an incident online at www.theorb.org.nz.
- ENDS -
Note 1: Cybercriminals abuse charities to verify stolen credit card data - http://blog.phishlabs.com/cybercriminals-abuse-charities-to-verify-stolen-credit-card-data
Note 2: Scam-related bank complaints on the up – Banking Ombudsman - https://bankomb.org.nz/news-and-publications/media-releases/item/scam-related-bank-complaints-on-the-up-banking-ombudsman