In its Q1 2020 Digital Trust & Safety Index, antifraud technology provider Sift uncovered a fraud attack specifically targeting guest checkout options at donation sites. Sift says the attack is an example of how e-commerce fraud is evolving well past the simple use of stolen credit card numbers at the point of transaction.
Fraudsters using the technique, which Sift dubbed Cart Crasher, relied on guest checkout, where only an email address is required, so they would not have to establish an account. They then made “donations” to recipient accounts they set up themselves, enabling them to test stolen payment card information.
Specifically, the report said, the scam worked like this:
- Fraudsters set up recipient accounts on donation sites
- Fraudsters create and post fake causes with which to receive donations
- Fraudsters use stolen credit cards and fake usernames/emails in guest checkout by the thousands (via automated scripts) to donate funds to their own fabricated causes
- “Donations” are made in increments of approximately $5, allowing the Cart Crasher fraudsters to test stolen payment accounts to determine if they’re valid for use elsewhere, while paying themselves in the process
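
A defender's view of the pattern in the list above, as an added example that is not from Sift's report: a sketch that flags recipient accounts receiving small guest-checkout donations from many distinct cards within a short window. The record fields (`ts`, `recipient`, `guest`, `amount`, `card`, `email`), the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def flag_card_testing(txns, max_amount=6.00, window=timedelta(minutes=10), min_cards=5):
    """Return {recipient: peak distinct-card count} for recipients that receive
    small guest-checkout donations from at least `min_cards` distinct cards
    inside any sliding `window`. Thresholds are illustrative assumptions."""
    by_recipient = defaultdict(list)
    for t in txns:
        # Keep only the pattern described above: guest checkout, ~$5 amounts.
        if t["guest"] and t["amount"] <= max_amount:
            by_recipient[t["recipient"]].append((t["ts"], t["card"]))

    flagged = {}
    for recipient, events in by_recipient.items():
        events.sort()
        in_window = defaultdict(int)  # card fingerprint -> count in current window
        start = peak = 0
        for ts, card in events:
            in_window[card] += 1
            # Drop events from the left until the window spans at most `window`.
            while ts - events[start][0] > window:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_cards:
            flagged[recipient] = peak
    return flagged

def sample_transactions():
    """Constructed sample records, not real transaction data."""
    base = datetime(2020, 1, 15, 12, 0, 0)
    txns = []
    # Fabricated cause: 8 distinct cards, $5 each, 30 seconds apart, guest checkout.
    for i in range(8):
        txns.append({"ts": base + timedelta(seconds=30 * i), "recipient": "cause-A", "guest": True,
                     "amount": 5.00, "card": f"fp-{i:03d}", "email": f"user{i}@example.test"})
    # Ordinary cause: 8 guest donations spread over hours, with varied amounts.
    for i, amt in enumerate([5, 25, 50, 5, 10, 100, 5, 20]):
        txns.append({"ts": base + timedelta(hours=i), "recipient": "cause-B", "guest": True,
                     "amount": float(amt), "card": f"fp-b{i}", "email": f"donor{i}@example.test"})
    return txns

if __name__ == "__main__":
    print(flag_card_testing(sample_transactions()))  # {'cause-A': 8}
```

Counting distinct card fingerprints rather than raw transactions keeps a single donor who retries the same card from tripping the rule.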