I founded an e-commerce marketplace startup. We use PayPal's Multiparty APIs (PayPal Commerce Platform) for checkout. For the past 10 days, someone has been bombarding us with purchases that they later dispute. There's a consistent pattern to it:
* They use an email address that has no footprint online, always from the same two domains
* They use an unverified PayPal account to pay
* They pay a low amount, not always the same, in a narrow range for a digital item
* All of the charges were disputed within a few hours
They're not doing this through our API. The purchase process requires a browser because of the way our payment form is configured. There's an amount of variation to each purchase that tells us they're automating a browser. Logs indicate that they're changing IP each time. The events come in bursts and seem to be spaced to avoid automated detection.
We added the typical mitigations to our network stack and code. A few are still slipping through. Logs indicate a high amount of bot traffic.
PayPal does not seem equipped to deal with this. Their support is always extremely slow, relies on canned responses, and to date has a very limited understanding of how their own Multiparty APIs work. Their phone support people will not talk with me, they see no indication that my PayPal account is affiliated with these purchases in any way. They want each of our sellers to contact them independently, which we know will result in disparate cases that don't tell the complete story or offer any assistance.
Has anyone encountered anything like this before? We're struggling to find the motive or intended outcome by the attacker(s). We're a small company with a niche audience, we've never had a conflict with anyone that got serious enough that we'd expect them to come after us like this.
Any thoughts and recommendations would be greatly appreciated. We feel like we are on our own here and are unsure of how to handle it.
> We're struggling to find the motive or intended outcome by the attacker(s).
The highest likelihood for me is that they're doing card/credential testing. They have either stolen or purchased a large number of stolen credentials. Those credentials are worth more individually if they are known to function. They can use any business on the Internet which sells anything and would tell someone "Sorry, can't sell you that because I couldn't charge your account/card/etc. Do you have another one?" to quickly winnow their set of credentials into a pile of ones which haven't been canceled yet and another pile. Another variation of this attack is their list is "literally just enumerate all the cards possible in a range and try to sift down to the cards that actually exist."
After sifting through to find the more valuable cards, they sell this on to another attacker at a higher price than the mixed-working-and-not-working cards would fetch, or they pass it to their colleague who will attempt to hit the cards/creds for actual money.
Digital items are useful because people selling them have high margins and have lower defenses against fraud as a result. Cheap things, especially cheap things where they can pick their price, are useful because it is less likely to trigger the attention of the card holder or their bank. (This is one reason charities get abused very frequently, because they will often happily accept a $1 or lower donation, even one which is worth less than their lowest possible payment processing cost.) The bad guys don't want to be noticed because the real theft is in the future, by them or (more likely) by someone they sell this newly-more-valuable card information onto.
This hit the company I used to run back in the day, also on Paypal, and was quite frustrating. I solved it by adding a few heuristics to catch them and giving a user matching those heuristics the product for free, with the usual message they got in case of a successful sale. This quickly spoils your website for the purpose they're trying to use it for, and the professional engineering team employed to abuse you experiences thirty seconds of confusion and regret before moving to the next site on their list. Back in the day, the bad guys were extremely bad at causing their browser instance to even try to look like a normal user in terms of e.g. pattern of data access prior to attempting to buy a thing.
Hope some of that is useful. Best of luck and skill. You can eventually pierce through to Paypal's attention here and they may have options available contingent on you being under card/credential testing attack, or they might not. I was not successful in doing so back in the day prior to solving the problem for myself.
Would also recommend building monitoring so you know this is happening in the future before the disputes roll in. Note that those disputes might be from them or from the legitimate users depending on exactly what credentials they have stolen, and in the case they are from legitimate users, you may not have caught all of the fraudulent charges yet. (Mentioning because you said "all of the charges" were disputed.) If I were you I'd try to cast a wider net and pre-emptively refund or review things in the wider net, both because the right thing to do and also because you may be able to head off more disputes later as e.g. people get their monthly statements.
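As an added illustration of the approach the comment above describes (the heuristic catch, the "fake success" response, and casting a wider net before disputes arrive), here is example code that is not the commenter's and not anything from PayPal. Every order, e-mail domain, amount and threshold in it is constructed for the example; in practice the domains and thresholds come from your own dispute history.

```python
"""Card-testing triage over a constructed batch of marketplace orders.

Signals taken from the thread: throwaway e-mail domains, unverified PayPal
payers, low amounts for digital items, bursts of attempts with a rotating IP.
Every order, domain, amount and threshold below is constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Order:
    order_id: str
    ts: datetime
    email: str
    payer_verified: bool   # PayPal payer account verified?
    amount: float
    ip: str
    item_type: str         # "digital" or "physical"


# Hypothetical throwaway domains; in practice fed from your own dispute history.
THROWAWAY_DOMAINS = {"mailbox-example.test", "drop-example.test"}
LOW_AMOUNT = 5.00                    # "cheap digital item" threshold (assumed)
BURST_WINDOW = timedelta(minutes=10)
BURST_COUNT = 5                      # attempts from one domain inside the window


def email_domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def score_order(order: Order, recent: list[Order]) -> list[str]:
    """Return the signals an order trips. `recent` holds the earlier orders
    that fall inside BURST_WINDOW (the caller filters by time)."""
    reasons = []
    dom = email_domain(order.email)
    if dom in THROWAWAY_DOMAINS:
        reasons.append("throwaway-domain")
    if not order.payer_verified:
        reasons.append("unverified-payer")
    if order.item_type == "digital" and order.amount < LOW_AMOUNT:
        reasons.append("low-digital")
    same_domain = [o for o in recent if email_domain(o.email) == dom]
    if len(same_domain) + 1 >= BURST_COUNT:
        reasons.append("burst")
    # Several attempts from the same domain, every one from a different IP.
    ips = {o.ip for o in same_domain} | {order.ip}
    if len(same_domain) >= 2 and len(ips) == len(same_domain) + 1:
        reasons.append("ip-rotation")
    return reasons


def decide(reasons: list[str]) -> str:
    """'fake_success' = render the normal success page, deliver nothing of
    value and do not capture the payment, so the tester learns nothing."""
    if len(reasons) >= 3 and ("burst" in reasons or "ip-rotation" in reasons):
        return "fake_success"
    if reasons:
        return "review"
    return "allow"


def triage(orders: list[Order]) -> dict[str, tuple[str, list[str]]]:
    ordered = sorted(orders, key=lambda o: o.ts)
    decisions = {}
    for i, order in enumerate(ordered):
        recent = [p for p in ordered[:i] if order.ts - p.ts <= BURST_WINDOW]
        reasons = score_order(order, recent)
        decisions[order.order_id] = (decide(reasons), reasons)
    return decisions


def widen_net(orders: list[Order], decisions) -> list[str]:
    """Orders sharing a domain with a confirmed-bad one that were let through
    earlier: candidates for pre-emptive refund or review before disputes land."""
    bad = {email_domain(o.email) for o in orders
           if decisions[o.order_id][0] == "fake_success"}
    return sorted(o.order_id for o in orders
                  if email_domain(o.email) in bad
                  and decisions[o.order_id][0] != "fake_success")


T0 = datetime(2024, 5, 1, 3, 0)   # constructed timestamps
SAMPLE_ORDERS = [
    Order("b1", T0 + timedelta(minutes=0), "u1@mailbox-example.test", False, 1.99, "198.51.100.11", "digital"),
    Order("l1", T0 + timedelta(minutes=1), "alice@example.com", True, 24.00, "192.0.2.10", "digital"),
    Order("b2", T0 + timedelta(minutes=2), "u2@mailbox-example.test", False, 2.49, "198.51.100.12", "digital"),
    Order("b3", T0 + timedelta(minutes=3), "u3@mailbox-example.test", False, 2.19, "198.51.100.13", "digital"),
    Order("l2", T0 + timedelta(minutes=4), "bob@example.org", False, 12.00, "192.0.2.20", "physical"),
    Order("b4", T0 + timedelta(minutes=5), "u4@mailbox-example.test", False, 3.09, "198.51.100.14", "digital"),
    Order("b5", T0 + timedelta(minutes=7), "u5@mailbox-example.test", False, 1.79, "198.51.100.15", "digital"),
    Order("b6", T0 + timedelta(minutes=9), "u6@mailbox-example.test", False, 2.89, "198.51.100.16", "digital"),
]

if __name__ == "__main__":
    verdicts = triage(SAMPLE_ORDERS)
    for oid, (verdict, why) in verdicts.items():
        print(f"{oid}: {verdict:12s} {', '.join(why)}")
    print("widen net:", widen_net(SAMPLE_ORDERS, verdicts))
```

The first two attempts from the throwaway domain only reach "review"; once a third one arrives from yet another IP the rotation signal tips them into "fake_success", and `widen_net` then hands back the two earlier ones for manual review or refund. A legitimate but unverified buyer (l2) lands in "review" rather than being cut off, which is the trade-off the thread's other replies also make.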
It's also a bug in the paypal API that they're abusing, where the SDK doesn't distinguish between example.com and www.example.com. If webshops like yours get exploited and used for money laundering, they will mix transactions from those two subdomains, while leaving the www.example.com domain as it is. The support people at paypal are dumb enough not to take care of each case, and usually they mix transactions later also via other social media services that have microtransactions (e.g. tiktok or snapchat streams where you can gift away items).
The way paypal support's workflow works is that they have to manually identify each and every transaction separately, meaning a human will be busy for weeks on end. Not kidding you. That's how the scammers keep winning with schemes like this. Usually there's also no way to escalate this, not even for business customers, at paypal, due to how their support offices are structured organizationally.
As a mitigation I'd recommend to block ASNs that are known hosters that do this, and double check your webshop version for known vulnerabilities and fixes.
If you don't use docker already, start to virtualize your webshop software now. I can't stress how important this is. Also double check any users and passwords you are using for the services, and the rest of the filesystem for indicators on the VPS. Disable SSH passwords and use only SSH key authentication on the VPS in case this hasn't been done already.
I'm writing this because usually this kind of scheme starts to happen after the server got pwned already, and after e.g. the ssh password bruteforce scanner was successful or after the web exploit / persistence exploit was successful.
If you need a starting point to block those botnet affiliated networks, I started both a firewall and scam database project that does exactly this:
https://www.paypal.com/us/cshelp/article/what-are-payment-re...
Be willing to temporarily suspend your services in order to prevent the malicious behavior. Do the manual work to allow genuine customers to keep using your service, e.g: require manual account approval. You need to treat every one of these chargeback transactions as a risk to your businesses ability to operate, each that you allow to happen increases the risk of permanent damage to your business.
Reach out to your account manager at PayPal, this is not something that should be going via frontline support. You need to be talking to a person who knows and is responsible for your account. If you don’t have one, get one. If you can’t get one, look for anti payment fraud businesses that work with PayPal, they may be able to get a direct line to PayPal on your behalf.
For the future, if you’re dependent upon a service provider you should always have someone you can reach out to directly. If a provider isn’t willing to offer that, find a different provider. Financial services especially are very risk averse and will jettison your account if they get even a whiff of something untoward, whether you tried to prevent it or not. The cost of recovering from that will dwarf the cost of any drastic mitigation you take now. Losing your PayPal account is worse than turning off purchases for a few days.
This used to happen to us, eventually after haggling with PayPal support for over a year on who should bear the cost, we just shut down PayPal payments. Don’t have anything better to offer, sorry.
A few things that helped us:
– Browser fingerprinting (FingerprintJS or even basic user agent + behavior tracking)
– Logging full headers + TLS fingerprints: IPs rotate, but some other patterns leak through
– Introduce small friction in the payment flow (e.g. lightweight CAPTCHA or JS challenge)
– Look at timing patterns: automation tends to work in strict intervals
PayPal support is notoriously slow for anything that’s not cookie-cutter. Try emailing merchanttechsupport@paypal.com — they’ve been more useful in escalated cases.
This kind of thing is more common than you’d think, especially for platforms selling digital goods.
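To make the "IPs rotate, but other patterns leak through" and "strict intervals" points concrete, here is an added example (not the commenter's code) that groups checkout attempts by the headers that survive IP rotation and measures how regular each group's timing is. The user agents, language headers, TLS fingerprint strings and timestamps are all constructed; a real TLS fingerprint has to be captured at whatever terminates TLS for you and forwarded to the application.

```python
"""Cluster checkout attempts by the request properties that survive IP rotation
and score how clockwork-like their timing is. All hits are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Hit:
    t: float              # seconds since an arbitrary epoch (constructed)
    ip: str
    user_agent: str
    accept_language: str
    tls_fp: str           # TLS client fingerprint (e.g. a JA3 hash); values hypothetical


def cluster_key(h: Hit) -> tuple:
    # The IP is deliberately left out: it rotates, the rest usually does not.
    return (h.user_agent, h.accept_language, h.tls_fp)


def interval_cv(times):
    """Coefficient of variation of inter-arrival gaps; near 0 means strict intervals."""
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None          # too few events to say anything about rhythm
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def profile(hits, min_ips=3, max_cv=0.25):
    """Per cluster: hit count, distinct IPs, timing regularity and a verdict.
    Thresholds are assumptions to tune against your own traffic."""
    clusters = defaultdict(list)
    for h in hits:
        clusters[cluster_key(h)].append(h)
    report = {}
    for key, hs in clusters.items():
        cv = interval_cv([h.t for h in hs])
        ips = {h.ip for h in hs}
        automated = len(ips) >= min_ips and cv is not None and cv < max_cv
        report[key] = {"hits": len(hs), "distinct_ips": len(ips),
                       "interval_cv": cv, "automated": automated}
    return report


BOT_KEY = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    "en-US,en;q=0.9",
    "ja3:e7d705a3286e19ea42f587b344ee6865",   # hypothetical hash
)
HUMAN_KEY = (
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4) AppleWebKit/605.1.15 Safari/605.1.15",
    "de-DE,de;q=0.8,en;q=0.5",
    "ja3:4d7a28d6f2540c3f5d6b2a9e1c0b8f77",   # hypothetical hash
)

# Bot: six attempts roughly 90 s apart, every one from a new IP.
SAMPLE_HITS = [Hit(t, f"203.0.113.{i + 1}", *BOT_KEY)
               for i, t in enumerate([0, 88, 180, 269, 360, 450])]
# Human: three visits over 45 minutes from one IP.
SAMPLE_HITS += [Hit(t, "192.0.2.10", *HUMAN_KEY) for t in (0, 600, 2700)]

if __name__ == "__main__":
    for key, row in profile(SAMPLE_HITS).items():
        print(key[2], row)
```

The bot cluster shows six distinct IPs and an interval CV near 0.016, the human one a single IP and a CV above 0.5. The verdict deliberately requires both signals: a real user behind a corporate NAT or a VPN can show several IPs, and a single user clicking through a queue can look regular for a few hits, so neither alone is worth acting on.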
I added fingerprinting and rate-limiting and the problem seems to have gone away. They’re trying to test a large number of accounts / credit card numbers so the best strategy is to slow them down to the point where it’s no longer worth it for them at scale.
- We have a no-questions-asked unlimited refund policy.
- I don't tolerate unverified PayPal buyer purchases. However, if someone tries to buy with one, I activate the subscription, and then contact the buyer via the e-mail/phone number they signed up with, confirm they're a real person, and then send them a PayPal invoice.
- Only subscriptions can be purchased.
- We've configured the flow when using PayPal to not tell the user if a transaction is declined to the maximum extent possible. I.e., the subscription still gets activated and then we call the user to arrange other payment options.
Besides this: You can not build a long term business that relies on PayPal [or Amazon.]
I would also try to attack the domains. Some strongly worded emails from a lawyer, report fraud at ICANN for the two domains.
It sounded from what you wrote that it will not affect your relationship with PayPal, because they are asking your sellers to contact them individually, and it's distributed across all of your sellers, so it won't affect their relationships either? Did I read that wrong?
Also, if you implement your own methods, do shadow-banning of bots that you identified. These attacks will stop if the time and effort the malicious actor has to invest outweigh the benefits, so the more time and effort you let them waste, the better. A good example are unsolvable and ridiculously hard captchas. That is obviously a double-edged sword - you need a good way of whitelisting known good actors, so the effect of false-positives on your customers is minimized.
We also started temporarily holding PayPal funds until we could manually verify transactions, preventing a lot of small test chargebacks.
Finally, contacting PayPal's Merchant Services team really helped us reduce fraud significantly.
Also, have your attorney send a polite letter to Paypal's legal department.
I'd place good money on this being a competitor trying to sink your merchant account by racking up a lot of fraudulent transactions.
Happy to give guidance to a fellow startup - I know you're unlikely in a position to be able to pay for a solution.
Digital goods, donations, ticketing, any sort of marketplace -- it doesn't matter your size, just having a merchant account they can transact against is enough motive for them.
You’re essentially playing a game of cat and mouse. There are 12 new domains added today for one provider for example [0].
Use a 3rd party api to block these (disclaimer, this is what I do) and keep layering your security. Note that I’ve seen an increase in gmail temporary email providers, so while many here will disagree, blocking plus emails and . emails is absolutely a valid tactic during this attack period.
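An added example of the plus-address and dot-address tactic from the comment above (not the commenter's code or their API): it canonicalizes addresses so that plus-tags and Gmail dot-variants collapse onto one identity, flags addresses that rely on such aliasing, and counts signups per identity. Only Gmail's dot rule is encoded; plus-tags are stripped for every domain, and the sample addresses are constructed.

```python
"""Collapse e-mail aliases onto one identity and count signups per identity.
Gmail ignores dots in the local part and treats googlemail.com as gmail.com;
plus-tags ("user+tag@") are stripped for every domain. Samples are constructed."""
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    addr = addr.strip().lower()
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {addr!r}")
    local = local.split("+", 1)[0]            # drop any plus-tag
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")        # dots are ignored by Gmail
        domain = "gmail.com"
    return f"{local}@{domain}"


def is_aliased(addr: str) -> bool:
    """True when the address only differs from its canonical form by a plus-tag
    or Gmail dot/domain variant: the pattern the comment proposes blocking."""
    return canonical_email(addr) != addr.strip().lower()


def signups_per_identity(addrs):
    """Map canonical identity -> number of signups seen under any alias."""
    counts = {}
    for a in addrs:
        c = canonical_email(a)
        counts[c] = counts.get(c, 0) + 1
    return counts


SAMPLE_SIGNUPS = [                      # constructed
    "J.o.h.n+shop42@GMail.com",
    "john@gmail.com",
    "jo.hn+x@googlemail.com",
    "alice+news@example.org",
    "bob@example.org",
]

if __name__ == "__main__":
    for a in SAMPLE_SIGNUPS:
        print(f"{a:28s} -> {canonical_email(a):20s} aliased={is_aliased(a)}")
    print(signups_per_identity(SAMPLE_SIGNUPS))
```

Three of the five signups turn out to be one Gmail identity. Note the false-positive cost the commenter acknowledges: a genuine "first.last@gmail.com" user is reported as aliased by this check, so it belongs behind extra friction or review rather than a hard block.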
If you are on a premium CDN, they are probably equipped and can provide security consulting. If not, you may want to switch vendor or buy a separated bot detection solution.
Did you look up the AS number of the IP addresses they're using?
https://www.cloudflare.com/application-services/products/tur...
(no affiliation)
You'll probably need to block entire ASNs. I assume most of your legitimate customers aren't using VPNs or eg DigitalOcean droplets to access your site.
https://webagencyhero.com/cloudflare-waf-rules-v3/
In addition, you should start looking for alternatives to PayPal in case they decide to drop you.
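As an added example for the ASN suggestions above (not any commenter's code), this maps the attacking IPs to their ASNs with longest-prefix matching, aggregates dispute counts per ASN, and emits the hosting/VPN ASNs worth a block rule. The prefix table uses documentation address ranges and private ASNs, and the hit list is constructed; a real deployment swaps in a routing-table or GeoIP ASN feed. The Cloudflare expression at the end uses the `ip.geoip.asnum` field as documented in its rules language; check it against your own dashboard before relying on it.

```python
"""Map attacker IPs to ASNs, aggregate disputes per ASN, and list the ASNs worth
blocking at the edge. Prefixes are documentation ranges, ASNs are private,
and the hits are constructed for the example."""
import ipaddress
from collections import defaultdict

# (prefix, asn, name, kind): replace with a real ASN database in production.
ASN_TABLE = [
    ("203.0.113.0/24", 64496, "Example Cloud Hosting", "hosting"),
    ("198.51.100.0/24", 64497, "Example VPN Provider", "hosting"),
    ("192.0.2.0/24", 64498, "Example Residential ISP", "isp"),
    ("192.0.2.128/25", 64499, "Example Regional ISP", "isp"),
]
NETWORKS = [(ipaddress.ip_network(p), asn, name, kind)
            for p, asn, name, kind in ASN_TABLE]


def lookup_asn(ip: str):
    """Longest-prefix match; returns (asn, name, kind) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn, name, kind in NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn, name, kind)
    return best[1:] if best else None


def asn_report(hits):
    """hits: iterable of (ip, disputed: bool) from your order log."""
    agg = defaultdict(lambda: {"name": None, "kind": None, "ips": set(),
                               "hits": 0, "disputed": 0})
    for ip, disputed in hits:
        found = lookup_asn(ip)
        asn, name, kind = found if found else (None, "unknown", "unknown")
        row = agg[asn]
        row["name"], row["kind"] = name, kind
        row["ips"].add(ip)
        row["hits"] += 1
        row["disputed"] += int(disputed)
    return dict(agg)


def block_candidates(report, min_disputed=2, min_ratio=0.5):
    """Hosting/VPN ASNs where most traffic ends in a dispute. Residential ISP
    ASNs are never auto-blocked here: that would cut off real customers too."""
    out = []
    for asn, row in report.items():
        if asn is None or row["kind"] != "hosting":
            continue
        if row["disputed"] >= min_disputed and row["disputed"] / row["hits"] >= min_ratio:
            out.append(asn)
    return sorted(out)


def cloudflare_expression(asns):
    """Rules-language expression for a block rule (assumed field name; verify)."""
    return "(ip.geoip.asnum in {" + " ".join(str(a) for a in asns) + "})"


SAMPLE_HITS = [                               # constructed (ip, disputed)
    ("203.0.113.5", True), ("203.0.113.9", True), ("203.0.113.77", True),
    ("203.0.113.5", False),
    ("198.51.100.2", True), ("198.51.100.3", False), ("198.51.100.4", False),
    ("192.0.2.20", True), ("192.0.2.200", True), ("192.0.2.40", False),
    ("192.0.2.41", False), ("192.0.2.45", False),
]

if __name__ == "__main__":
    report = asn_report(SAMPLE_HITS)
    for asn, row in sorted(report.items(), key=lambda kv: -kv[1]["disputed"]):
        print(asn, row["name"], row["kind"], "hits", row["hits"], "disputed", row["disputed"])
    blocked = block_candidates(report)
    print("block:", blocked, cloudflare_expression(blocked))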
Open Banking is the long term solution here. There are countries with relatively advanced legislation on that manner, so depending where you operate you might have full flow in the background through banks API (the only thing you need to capture is end user email for account/ID verification).
Known issue apparently: https://github.com/fingerprintjs/fingerprintjs/issues/1088
It detects bots, fake emails and proxies -- analyzing the network in realtime, no blocklists or IP reputation.
It's free during beta.
I’d love to hear what you end up doing.
Large EC here.
Paypal is not a company that exists for its customers.
I can't respond to every comment right now because we're actively dealing with it. There were more attempts this morning. Some quick replies to some of the frequent comments:
* We're on a paid Cloudflare plan. We upgraded to the ~$2500 plan after this started and added a lot of filtering rules and interactive challenges to some key pages. Because purchases are either browser automation or humans, this has only been somewhat effective at filtering out bad traffic.
* IP checks show a mix of proxy/VPN and not. Blocking at the IP or ASN level won't get us very far.
* PayPal's Marketplace "platform" (it's a few APIs) processes orders through each of our sellers' accounts. As a result, we can't prevent purchases from unverified accounts because that has to be done by each seller.
* Moving off of PayPal isn't possible. For a marketplace platform in the US, the only other real option is Stripe Connect, but our domain has a lot of micro-transactions and Stripe's $2 per month per active user is a nonstarter. We experimented with Stripe and users (esp casual sellers) found their onboarding so intimidating that we lost signups. We would love other options, we have great concerns about PayPal as a longterm partner.
* Blocking the domains the purchases come from is not an option. They are recognizable names used by more legitimate users than illegitimate. We are adding extra scrutiny to these checkouts but we think it's possible they'll change tactics if they know we're onto that.
* Thank you for the fingerprint suggestions. We are going to try Fingerprint Pro.
* We've been gradually increasing friction via automated challenges and blocklists. We will increase this with more invasive Captchas, especially when aspects of the sale match criteria.
* We built an "Under Attack" mode that we can enable to completely disable key areas. We are prepared to temporarily shut down all sales if need be.
* We blocked prepaid credit cards from signing up for our subscriptions. This is a separate vector and we've had a few people try this over the past year. There was at least one person who did both the PayPal fraud and a signup scam + AI content. This should cut that off.
Again, thank you to everyone for the advice. We're monitoring this post closely.
Wait until they ban your account and there again is nobody to talk to.
Your company should pivot into competing with PayPal. You've identified profound deficiencies in how they operate, know what type of services customers value, and have motive: someone is attacking your business and PayPal can't even comprehend that there is a problem, let alone protect you from it.
More than that, there are vast swaths of people that have horrendous horror stories about dealing with PayPal, having their accounts shutdown without explanation, being abused in the same or similar ways, and a wide variety of other concerns. There is a market for it. You just need to consider what made you go with PayPal Multiparty over whatever competition exists.
>We're struggling to find the motive or intended outcome by the attacker(s).
Unless you plan to sue, determining motive probably doesn't matter a whole lot. We could guess at different reasons, and even if we figured out a good one, it wouldn't change what is happening, just why it's happening. That's not much of a meaningful change.
Then they demanded a return from PayPal. PayPal took the 50, then charged me a 20 dollar fee, all without any interaction from me.
I tried to protest it through their appeals channel, but they decided I was in the wrong.
Needless to say I no longer have a PayPal account, life's too short for this Kafkaesque bullshit