What Is Carding? Impact and 7 Ways to Prevent Attacks in 2025


What is Carding?

Carding is an automated form of payment fraud in which fraudsters test a bulk list of credit or debit card data against a merchant’s payment processing system to verify breached or stolen card details. Card details might be stolen from different payment channels, taken from another application, or purchased from dark web marketplaces.

Both carding and card cracking are acknowledged by the Open Worldwide Application Security Project® (OWASP) as methods of obtaining card details.

In this widely prevalent form of financial fraud, attackers use sophisticated bots to carry out credential stuffing and credential cracking attacks to identify valid accounts which can be targeted for fraud, cashed out or used to make unauthorized purchases. Valid bank and credit card details can also be illegally obtained through either malware installed on targeted devices or phishing and social engineering tactics that trick victims into unwittingly revealing their card and/or other personal information.

Between 2023 and 2028, global merchant losses to online payment fraud, including carding, are expected to exceed $362 billion, according to Juniper Research.

How Does Carding Work?

The process of executing a carding attack typically involves several steps:

  1. Obtain Credit/Debit Card Information: Carders obtain credit card information by stealing physical credit cards, purchasing credit card data on the dark web, or using techniques such as phishing, skimming, or malware to steal credit card information. Account Takeover (ATO) of user accounts on e-commerce or financial websites carried out by bots is yet another way for bad actors to steal payment card data.
  2. Drop Shipping: A drop is a location where the fraudster can have fraudulently purchased items shipped without revealing their own identity or location.
  3. Keep or Resell the Goods: Once fraudsters receive the fraudulently purchased items, they will either keep them for personal use or resell them on the black market for cash.
  4. Validate Card Data: After carders obtain payment card data, they often use bots to validate the cards and check the balances or credit limits on the card with credential stuffing and credential cracking. Credential stuffing is a technique that uses bots to rapidly enter lists of breached or stolen card data to try to validate them. Credential cracking is the process of entering random characters over multiple attempts in the hope of eventually guessing the right combination.
  5. Make the Purchase: The cybercriminal can use the stolen credit card information to make purchases online or in-store. They may use a technique known as "card present" fraud to create a counterfeit card and make purchases in-person. "Card not present" fraud indicates when the purchase was made online.
Infographic: The Stages of Carding

Impact of Carding Attacks on Businesses

Here are a few ways carding attacks can negatively impact businesses and their customers:

  • Direct financial losses: Merchants bear the cost of chargebacks. When a cardholder disputes an unauthorized purchase, the merchant typically absorbs the cost of the transaction, plus associated chargeback fees. For businesses operating on thin margins, repeated fraud events can quickly erode profitability.
  • Higher operational expenses: Security teams must investigate incidents, while customer support teams handle disputes and complaints.
  • Higher transaction fees: In high-volume attacks, payment processors may flag the merchant as high risk, leading to higher transaction fees, stricter processing limits, or even termination of their merchant account.
  • Distortion of sales and marketing data: Fraudulent purchases can inflate sales numbers, leading to inaccurate demand forecasts and inventory decisions. This can cause overstocking of certain products or misallocation of marketing budgets, directly impacting business efficiency.
  • Reputation damage: This is often longer lasting than financial loss. Customers who experience fraud linked to a business may lose trust and take their spending elsewhere. Negative publicity or low trust ratings can deter new customers, limiting growth opportunities in competitive markets.

What are the Most Common Carding Attacks?

  • Phishing: Cybercriminals send a fake email or text message to the victim, posing as a legitimate company. They request that the victim provide their credit/debit card information, which they can then use to make fraudulent purchases.
  • Social Engineering: The fraudster poses as a legitimate representative of a company or financial institution and convinces the victim to provide their credit card information over the phone or through email.
  • Identity Theft: A thief steals a victim's personal information, such as their name, address and Social Security number, and uses that information to open new credit card accounts or make purchases using the victim's existing credit card.
  • Malware: Nefarious actors install malicious software on a computer or mobile device to capture the victim's payment card information when they make online purchases.
  • Card Skimming: In this type of fraud, criminals use a device known as a skimmer to steal credit card information. The skimmer is placed on a legitimate card reader, such as an ATM or gas pump, and records the card data when the victim swipes or inserts their card.

Recent Carding Attack Examples

Carding attacks are becoming more frequent and more sophisticated. These attacks now often use automation, bot networks, malicious packages, fake storefronts, and phishing/social engineering to validate card data and make fraudulent purchases. The damage isn’t just financial: they erode trust, impose chargebacks, and can even lead to regulatory or reputational consequences for companies.

Below are a few recent examples illustrating different carding techniques and their impact:

May 2025: “Operation Albatros-Samba” carding network in Spain
Spanish Guardia Civil and Policía Nacional dismantled a carding gang known as ALBATROS-SAMBA that acquired stolen card details through phishing, smishing, and vishing, created virtual cards, and conducted fraudulent online purchases for resale or personal use. Losses exceeded €30,000, affecting over 170 banking customers.

April 2025: Automated carding toolkit “disgrasya” published on PyPI
A malicious Python package named disgrasya, hosted on the Python Package Index (PyPI), was downloaded over 34,000 times. It contained a fully automated carding script that mimicked real WooCommerce checkout flows to validate stolen credit card data and exfiltrate it to attacker-controlled servers.

January 2025: Casio UK Online Store Web Skimming Attack
Attackers injected malicious web-skimming scripts into Casio UK’s e-commerce site (casio.co.uk). These scripts intercepted payment interactions, displayed fake form elements to harvest full credit card details and personal information, and exfiltrated data to external servers before redirecting users to the genuine checkout.

December 2024: European Space Agency Web Store Card Skimming Breach
The official European Space Agency (ESA) merchandise web shop was compromised by malicious JavaScript embedded in the checkout flow. The injected code generated a fake Stripe payment page that harvested customer payment card information during transactions. The malicious code was later found and removed as part of response measures.

How Organizations Can Prevent Carding Fraud

1. Use Anti-Bot / Bot Mitigation Tools

Carding attacks depend heavily on automation to test vast numbers of stolen card credentials in a short period. Fraudsters use scripts, headless browsers, and large-scale botnets to mimic real user behavior and bypass basic security measures. Standard rate-limiting or IP blocking is often ineffective against these tactics because attackers rotate IP addresses and user agents frequently.

Effective bot mitigation tools use multiple layers of detection. These include JavaScript fingerprinting, mouse movement analysis, and real-time behavior profiling to identify non-human activity. Advanced solutions also leverage machine learning to differentiate between genuine customers and automated bots with high accuracy. For example, a bot might skip unnecessary page resources or load the checkout page directly; these are patterns that detection models can flag. By blocking or redirecting suspected bot traffic before it reaches the payment API, organizations can prevent bulk card validation attempts at the source.

2. Velocity and Rate Limits

Velocity checks and rate limiting restrict how often certain actions can be performed within a given time frame. In the context of carding, this means setting limits on how many payment attempts are allowed per IP address, user session, device fingerprint, or even on a per-card basis.

For instance, a rule might restrict a single IP address to no more than five failed payment attempts within a minute. If this threshold is exceeded, subsequent attempts can be blocked or challenged. These controls prevent bots from quickly cycling through large lists of card data. More sophisticated implementations apply adaptive rate limiting, which adjusts thresholds based on observed behavior. For example, the system might lower the threshold during known attack spikes or when anomalous traffic patterns emerge. This limits attackers’ ability to conduct rapid tests without affecting normal customer activity.
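The velocity rule described above, as an added Python sketch (not the article's or Radware's code): a sliding-window limiter keyed per IP address, device fingerprint and card token, with the adaptive threshold lowered while the site-wide failure ratio spikes. The window, per-key limits and the "attack spike" ratio are assumptions, and the sample attempts are constructed.

```python
from collections import defaultdict, deque

# Constructed policy (illustrative): failed payment attempts allowed per key per window.
WINDOW_SECONDS = 60
BASE_LIMITS = {"ip": 5, "device": 5, "card": 3}

class VelocityLimiter:
    """Sliding-window velocity check keyed by IP, device fingerprint and card token."""

    def __init__(self, window=WINDOW_SECONDS, limits=BASE_LIMITS):
        self.window = window
        self.limits = limits
        self.failures = defaultdict(deque)  # (kind, value) -> failure timestamps
        self.recent = deque()               # (ts, ok) for the site-wide failure ratio

    def attack_factor(self, now):
        """Adaptive mode: 1.0 normally, 0.5 once more than half of recent attempts failed."""
        while self.recent and now - self.recent[0][0] > self.window:
            self.recent.popleft()
        if len(self.recent) < 20:           # require some volume before adapting
            return 1.0
        failed = sum(1 for _, ok in self.recent if not ok)
        return 0.5 if failed / len(self.recent) > 0.5 else 1.0

    def check(self, now, ip, device, card):
        """Return 'allow' or 'block' for a new attempt, before it is authorized."""
        factor = self.attack_factor(now)
        for kind, value in (("ip", ip), ("device", device), ("card", card)):
            dq = self.failures[(kind, value)]
            while dq and now - dq[0] > self.window:   # drop expired failures
                dq.popleft()
            if len(dq) >= max(1, int(self.limits[kind] * factor)):
                return "block"
        return "allow"

    def record(self, now, ip, device, card, ok):
        self.recent.append((now, ok))       # only failures count against the per-key limits
        if not ok:
            for kind, value in (("ip", ip), ("device", device), ("card", card)):
                self.failures[(kind, value)].append(now)

def simulate_bot_run(attempts=7):
    """Constructed scenario: one IP and device cycle through distinct cards, all declined."""
    lim, decisions = VelocityLimiter(), []
    for i in range(attempts):
        now, ip, dev, card = 10.0 + i, "198.51.100.7", "fp-A1", f"card-{i}"
        decisions.append(lim.check(now, ip, dev, card))
        if decisions[-1] == "allow":
            lim.record(now, ip, dev, card, ok=False)
    return decisions  # -> ['allow'] * 5 + ['block'] * 2
```

Because a carding bot rotates cards, the per-card key rarely trips; the IP and device keys are what catch it, and the adaptive factor tightens them further once the overall decline rate rises.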

3. Address Verification System (AVS) and CVV Checking

AVS and CVV validation are fundamental components of payment fraud prevention. While many stolen card numbers are sold or distributed online, they often lack complete billing details. AVS checks validate whether the billing address entered by the buyer matches the address on file with the issuing bank. Similarly, the CVV (a three- or four-digit code printed on the card) is not stored by most merchants due to PCI DSS rules, making it harder for attackers to obtain.

Requiring these elements significantly reduces the chance of a fraudulent transaction succeeding. It’s important to configure AVS response rules appropriately, for example by rejecting transactions with full AVS mismatches and flagging partial matches for review. Combining AVS and CVV checks with other controls (e.g., 3D Secure) provides layered defense, making carding less economically viable for attackers.

4. CAPTCHA/Human Challenges

While not foolproof, CAPTCHAs add friction that can stop unsophisticated bots. CAPTCHAs ask users to complete simple tasks that are easy for humans but difficult for scripts, such as identifying objects in images or solving puzzles. Implementing CAPTCHA at strategic points—like before the checkout, after multiple failed payment attempts, or on high-risk endpoints—forces attackers to solve these challenges at scale, reducing the efficiency of their automation.

Modern implementations like invisible CAPTCHA or reCAPTCHA v3 can assess user interaction without requiring action unless suspicious behavior is detected. More advanced bot operators use CAPTCHA-solving services, but frequent changes to challenge types or using dynamic challenge generation can make these services unreliable. Human challenges should always be part of a broader anti-fraud strategy rather than the only control in place.

5. Device Fingerprinting and IP/Geolocation Checks

Device fingerprinting gathers attributes such as browser version, operating system, screen resolution, time zone, and installed fonts to create a unique identifier for a user's device. This allows merchants to track repeated attempts across sessions, even if attackers rotate IP addresses or clear cookies. When combined with IP reputation databases and geolocation analysis, this method becomes even more powerful.

For example, if a card issued in the U.S. is suddenly used for multiple transactions from Southeast Asia, the system can flag or block the transaction. Similarly, device fingerprints that appear across multiple accounts within a short timeframe suggest a botnet or fraud operation. Businesses can use this intelligence to apply further verification, delay processing, or reject the transaction outright, depending on the associated risk score.
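An added example (not Radware's or the article's code) of the risk scoring this section describes: a fingerprint seen across several accounts within a short window and a mismatch between the card's issuing country and the IP's country each raise a score that maps to allow, verify, delay or reject. The geolocation and BIN tables, thresholds and weights are constructed stand-ins for real provider lookups and tuned policy.

```python
from collections import defaultdict

# Constructed lookups standing in for an IP geolocation service and a BIN-to-issuer-country table.
IP_COUNTRY = {"203.0.113.10": "US", "198.51.100.22": "ID"}
BIN_COUNTRY = {"411111": "US"}
LINK_WINDOW = 600   # seconds; one fingerprint on >= FANOUT_LIMIT accounts in this window is suspicious
FANOUT_LIMIT = 3

class DeviceRiskScorer:
    """Scores a checkout from device fingerprint, IP geolocation and card BIN signals."""
    def __init__(self):
        self.seen = defaultdict(list)   # fingerprint -> [(ts, account_id)]

    def accounts_linked(self, fp, now):
        live = [(t, a) for t, a in self.seen[fp] if now - t <= LINK_WINDOW]  # drop old events
        self.seen[fp] = live
        return len({a for _, a in live})

    def score(self, now, fp, account_id, ip, card_bin):
        """Return (risk_score, signals). Only the 6-digit BIN is kept, never the full PAN."""
        self.seen[fp].append((now, account_id))
        score, signals = 0, []
        issuer, ip_country = BIN_COUNTRY.get(card_bin), IP_COUNTRY.get(ip)
        if issuer and ip_country and issuer != ip_country:
            score += 40
            signals.append(f"geo_mismatch:{issuer}->{ip_country}")
        fanout = self.accounts_linked(fp, now)
        if fanout >= FANOUT_LIMIT:
            score += 50
            signals.append(f"fingerprint_fanout:{fanout}")
        return score, signals

def decide(score):
    """Map the risk score to one of the responses named in the text."""
    if score >= 80:
        return "reject"
    if score >= 50:
        return "delay"      # hold the order for manual review
    if score >= 30:
        return "verify"     # step-up authentication, e.g. a 3D Secure challenge
    return "allow"

def run_constructed_scenario():
    """One legitimate US customer, then one device cycling accounts from an Indonesian IP."""
    scorer, out = DeviceRiskScorer(), []
    out.append(decide(scorer.score(0, "fp-legit", "acct-1", "203.0.113.10", "411111")[0]))
    for i in range(3):
        s, _ = scorer.score(10 + i, "fp-bot", f"acct-{100 + i}", "198.51.100.22", "411111")
        out.append(decide(s))
    return out  # -> ['allow', 'verify', 'verify', 'reject']
```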

6. Transaction and Behavior Monitoring

Monitoring user behavior and transaction patterns in real time enables dynamic detection of carding activities. Unlike static rule-based systems, behavior analytics establish baselines for legitimate customer actions, such as time spent on pages, navigation paths, average order values, and preferred shipping addresses. Transactions that deviate from these norms, like sudden bursts of low-value purchases or inconsistent order details, can be flagged for manual review or blocked automatically.

Many fraud prevention platforms now integrate machine learning models trained on historical fraud patterns. These systems can assess risk at the point of transaction and continuously learn from new fraud attempts. Behavioral signals such as repeated use of the same card across many accounts or unusual purchase timing (e.g., late at night) can be strong indicators of carding activity. Real-time alerts allow businesses to take swift action before fraudulent payments are completed or shipped.

Advanced Carding Attack Prevention with Radware

Carding and payment fraud are constantly evolving to evade basic countermeasures, and fraudulent tactics that trick cardholders through phishing and social engineering can still succeed before the cardholder or payment processor detects the fraud. Stricter controls against automated carding are needed to stop bots before they can carry out fraud or other types of bot attacks.

Responding to these potential threats, many organizations that regularly face bot attacks have implemented specialized, dedicated bot mitigation solutions such as Radware Bot Manager. Bot Manager goes far beyond basic prevention measures and combines multiple approaches for bot detection. Techniques include deep user behavior and intent analysis, semi-supervised machine learning algorithms, collective bot intelligence, and fingerprinting to effectively eliminate carding attacks before they happen.
