• Resolved stepfaul

    (@stepfaul)


    Over the past two weeks we have started to see many failed orders which have been declined by PayPal and marked as failed by WooCommerce for low order amounts. I ended up disabling PayPal payments for a week which obviously solved the issue. A week later I re-enabled PayPal payments again and to my surprise the card testing attacks started almost straight away again.

    PayPal is now disabled again as I don’t want to face any issues with PayPal themselves or any chargebacks for orders that may be successful. Is there any way to stop this, as we have been accepting PayPal payments for the past 13 years and have only started to see this behaviour in the last 2 weeks?

    Thanks


Viewing 7 replies - 1 through 7 (of 7 total)
  • Thread Starter stepfaul

    (@stepfaul)

    I appreciate there have already been a number of posts on this and I have read your responses – I just wanted to raise one for our site for awareness. It looks like you are working on an update to the plug-in.

    Plugin Support Syde Jamie

    (@jamieong)

    Hi @stepfaul,

    Thank you for reaching out to us, we are here to help.

    We have been monitoring closely and sharing the helper package to affected merchants: Download helper package.

    This package provides the following protections:

    • Detects and removes fraudulent orders to keep your WooCommerce backend clean and reduce noise from failed payment attempts.
    • Blocks the specific endpoint that bots have been using to initiate fake card payments via direct API access.
    • Marks bots by IP using a 1-hour transient to prevent repeated attempts. If the IP cannot be retrieved due to server configuration, it falls back to PHP sessions.

    It is important to understand that carding attacks are not completely preventable – there will always be new ways of running these attacks. As plugin developers, we work closely with PayPal to find the best ways to mitigate these attacks.

    PayPal is also one of the biggest payment gateways globally, making it a target as well since many merchants are using it. We understand that this is not the merchant’s problem, but it is something that we have to solve every now and then when these attackers come up with more sophisticated ways to launch an attack.

    Let us know if you have further questions, we would be glad to help.

    Best Regards,
    Jamie

    • This reply was modified 4 months, 2 weeks ago by Yui. Reason: link removed
    Plugin Support Syde Jamie

    (@jamieong)

    Hi @stepfaul,

    We would like to ask you to reach out to us directly. Here is how to do it: Request Support
    Please include the URL of this thread in your ticket so we can keep everything connected.

    Best Regards,
    Jamie

    Thread Starter stepfaul

    (@stepfaul)

    Thanks for looking into this, @jamieong. I have reached out to you directly via a support ticket as requested. I have also installed the helper package and re-enabled PayPal (WooCommerce Official) again.

    Just one last thing… Can I disable the Payment Provider PayPal & PayPal Later (Legacy) as this is currently active along with the official WooCommerce one?

    • This reply was modified 4 months, 2 weeks ago by stepfaul.
    Thread Starter stepfaul

    (@stepfaul)

    After enabling PayPal again and installing the helper plug-in I can see that the attacks have re-started again (this is obviously expected). I can also see the helper plug-in moving orders to the Bin, but I have since disabled PayPal payments again as, although the plug-in is performing some tasks, I don’t like the fact that orders are still being placed.

    Plugin Support Krystian Syde

    (@inpsydekrystian)

    Hello @stepfaul

    That’s exactly why we suggested reaching out to us directly. The helper plugin is just a minor component of what we can provide. There are additional mitigation layers we can share, including filters to block unauthorized card attempts, rules to detect velocity-based attacks, and endpoint recaptcha.

    Kind Regards,
    Krystian
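
The two mechanisms the support replies describe, marking an abusive client by IP with a 1-hour transient (falling back to a PHP session when no IP is available) and a velocity rule that trips after repeated failed payment attempts, can be illustrated in a small WordPress snippet. The code below is an added example and is not the helper package or the plugin's own code; the AJAX action name `wppe_create_order`, the `wppe_` prefix, the threshold of 5 failures and the use of `woocommerce_order_status_failed` as the failure signal are all assumptions chosen for the illustration.

```php
<?php
/**
 * Added example (not the plugin's helper package): a velocity rule that counts
 * failed payment attempts per client and marks abusive clients for one hour.
 * Clients are keyed by IP, with a PHP-session fallback when the IP cannot be
 * read. Hook names, the prefix and the threshold are assumptions.
 */

const WPPE_WINDOW_SECONDS = HOUR_IN_SECONDS; // 1-hour mark, as described in the thread
const WPPE_MAX_FAILURES   = 5;               // assumed velocity threshold

/** Stable key for the requesting client: hashed IP, or hashed session id as a fallback. */
function wppe_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if ( filter_var( $ip, FILTER_VALIDATE_IP ) ) {
        return 'ip_' . md5( $ip );
    }
    // No usable IP (e.g. proxy misconfiguration): fall back to a PHP session.
    if ( session_status() !== PHP_SESSION_ACTIVE ) {
        session_start();
    }
    return 'sess_' . md5( session_id() );
}

/** True when this client has already been marked as a bot within the window. */
function wppe_is_blocked(): bool {
    return (bool) get_transient( 'wppe_blocked_' . wppe_client_key() );
}

/** Record one failed attempt; mark the client once the threshold is reached. Returns the running count. */
function wppe_record_failure(): int {
    $key   = 'wppe_fail_' . wppe_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, WPPE_WINDOW_SECONDS );
    if ( $count >= WPPE_MAX_FAILURES ) {
        set_transient( 'wppe_blocked_' . wppe_client_key(), 1, WPPE_WINDOW_SECONDS );
    }
    return $count;
}

/** Gate the (assumed) AJAX endpoint that creates a PayPal order, before the gateway is called. */
add_action( 'wp_ajax_nopriv_wppe_create_order', 'wppe_guard_create_order', 1 );
add_action( 'wp_ajax_wppe_create_order', 'wppe_guard_create_order', 1 );
function wppe_guard_create_order(): void {
    if ( wppe_is_blocked() ) {
        // 429 tells a legitimate client to back off; no order is created.
        wp_send_json_error( array( 'message' => 'Too many failed payment attempts. Please try again later.' ), 429 );
    }
}

/** Count declines: WooCommerce fires this action when an order transitions to "failed". */
add_action( 'woocommerce_order_status_failed', function ( int $order_id ): void {
    wppe_record_failure();
} );
```

Two caveats apply when adapting this. The failure counter only attributes a decline to the right client when the status change happens in the shopper's own checkout request; a failure recorded from an asynchronous notification would carry PayPal's address instead of the shopper's, so such paths should be excluded. And keying on `REMOTE_ADDR` is only meaningful when the web server sees the real client address; behind a reverse proxy or CDN, trust a forwarded-for header only from that proxy, otherwise every request may share one bucket (or, worse, the attacker controls the key).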

    Plugin Support Krystian Syde

    (@inpsydekrystian)

    Hello @stepfaul

    The latest version of the plugin introduces a native reCAPTCHA integration specifically designed to block automated abuse and card-testing activity at the PayPal payment endpoints. If you don’t have it yet, download it from here: https://github.com/woocommerce/woocommerce-paypal-payments/releases/tag/3.3.0

    Alternatively, the update can be installed directly from your WordPress dashboard.

    This version combines invisible reCAPTCHA v3/v2 captcha for potential bots or automated requests to protect the PayPal payment endpoints. The protection is active on both the classic and block-based checkout and helps prevent automated card testing and other forms of malicious activity that can result in random declines or failed transactions. Unlike general CAPTCHA plugins, this implementation specifically protects the PayPal endpoints, so we recommend using it instead of third-party CAPTCHA solutions.

    After installing the update, go to: WooCommerce → Settings → Integration → WooCommerce PayPal Payments CAPTCHA
    Or open directly: /wp-admin/admin.php?page=wc-settings&tab=integration&section=wppc

    From there, generate your Site Key and Secret Key using the Google reCAPTCHA admin console and paste them into the corresponding fields. Once saved, the CAPTCHA will silently protect the checkout process without disrupting legitimate users.

    Documentation is also available here: https://woocommerce.com/document/woocommerce-paypal-payments/fraud-and-disputes/

    If you need any help during setup feel free to reach out.

    Kind Regards,
    Krystian
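
The reply above describes the plugin's native reCAPTCHA integration, which takes a Site Key and Secret Key and verifies requests at the PayPal payment endpoints. To show what such a server-side check does, here is an added example of verifying a reCAPTCHA v3 token before an endpoint does any work; it is not the plugin's own integration. The Google `siteverify` endpoint and its `success`, `score` and `action` response fields are real, while the option name `wppe_recaptcha_secret_key`, the action name `paypal_checkout`, the POST field `recaptcha_token`, the AJAX action `wppe_create_order` and the 0.5 score threshold are assumptions.

```php
<?php
/**
 * Added example (not the plugin's CAPTCHA integration): verify a reCAPTCHA v3
 * token server-side and reject the request before any PayPal API call is made.
 * Option name, expected action, POST field and score threshold are assumptions.
 */

const WPPE_RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';
const WPPE_MIN_SCORE            = 0.5;               // assumed threshold; tune from your own traffic
const WPPE_EXPECTED_ACTION      = 'paypal_checkout'; // assumed action name bound in the client-side call

/**
 * Returns true only when Google confirms the token, the score clears the
 * threshold and the token was issued for the expected action. Fails closed:
 * a missing token, transport error or malformed response all return false.
 */
function wppe_recaptcha_token_is_valid( string $token, string $secret, string $remote_ip = '' ): bool {
    if ( '' === $token || '' === $secret ) {
        return false;
    }
    $response = wp_remote_post( WPPE_RECAPTCHA_VERIFY_URL, array(
        'timeout' => 5,
        'body'    => array(
            'secret'   => $secret,
            'response' => $token,
            'remoteip' => $remote_ip,
        ),
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return false;
    }
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) || empty( $data['success'] ) ) {
        return false;
    }
    // v3 responses carry a 0.0-1.0 score and the action name the client supplied;
    // checking the action stops a token minted for another form being replayed here.
    $score  = isset( $data['score'] ) ? (float) $data['score'] : 0.0;
    $action = $data['action'] ?? '';
    return $score >= WPPE_MIN_SCORE && WPPE_EXPECTED_ACTION === $action;
}

/** Gate the (assumed) AJAX endpoint: the check runs first, at priority 0. */
add_action( 'wp_ajax_nopriv_wppe_create_order', 'wppe_require_recaptcha', 0 );
add_action( 'wp_ajax_wppe_create_order', 'wppe_require_recaptcha', 0 );
function wppe_require_recaptcha(): void {
    $token  = isset( $_POST['recaptcha_token'] ) ? sanitize_text_field( wp_unslash( $_POST['recaptcha_token'] ) ) : '';
    $secret = (string) get_option( 'wppe_recaptcha_secret_key', '' ); // assumed option name
    if ( ! wppe_recaptcha_token_is_valid( $token, $secret, $_SERVER['REMOTE_ADDR'] ?? '' ) ) {
        wp_send_json_error( array( 'message' => 'Automated request rejected.' ), 403 );
    }
}
```

A v2 token has no `score` or `action` field, so a deployment that mixes v3 and v2 (as the reply describes) needs a separate branch that accepts a v2 token on `success` alone. Whichever version is used, each token is single-use and short-lived, so the verification must happen in the same request that creates the PayPal order, not on an earlier page load.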
