Two NZ charities have had their online donation systems used by cyber criminals to validate credit card details.
In the first incident, almost 50,000 attempts were made to rapidly submit fake donations through a website form. The aim was to test which credit cards could be used for subsequent online fraud or sold on to other internet scammers.
More than 2000 successful donations were made. The charity, which NetSafe couldn't name because it made a confidential report, had to enlist the help of its bank and merchant account provider to refund the fraudulent payments. It also had enquiries from cardholders around the world questioning the transactions.
Another incident saw a charity website hit with 11,000 payment requests, resulting in more than 250 donations to their bank account.
Both attacks were launched from a Brazilian IP address.
NetSafe’s digital project manager Chris Hails said attacks like these could mean hours of staff time needed to be spent cleaning up the mess.
“The American security company PhishLabs warned that charity websites were being targeted by cyber criminals to validate stolen cards in November last year and they believe that these smaller organisations have fewer internet defenses in place than larger retailers and are thus an easy target,” Mr Hails said.
“Monitoring any payments received is an important way to detect fraud on your website. Be on the lookout for a series of small donations for odd values or random amounts. Real people tend to donate whole dollars - $20 rather than $4.73.”
NetSafe offers the following advice for charities and website owners:
Talk to your bank or merchant provider about how their payment systems can be used to protect against online fraud. Enquire about options for monitoring payments and blocking such large-scale automated attacks. If you can, consider using third party card verification services from Visa and MasterCard to add a second layer of protection.
Talk to your website developer, IT staff or a security specialist about ways to protect your site and any payment forms you host. Encrypting submitted information with SSL is essential: payment forms should operate at an https:// address. Discuss testing your systems for signs of common vulnerabilities and your options for fixing them.
Use a CAPTCHA on your web form or require an account be created. Technical solutions like these can potentially slow down automated software "bots" that are designed to validate card numbers in quick succession.
Limit transaction volumes or website sessions by IP address or pre-screen payments from high risk countries if you are seeing fraudulent attempts to donate. Many New Zealand charities may only wish to accept donations from Kiwis using credit cards issued by NZ banks. Ask if you can filter payments by Bank Identification Number (BIN) to prevent overseas cards being accepted.
Consider monitoring traffic volumes to your website. Talk with your website host about establishing an alert service so that you're aware if you receive a sudden, unexpected spike in visitors.
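The monitoring advice above (bursts of attempts from one address, small odd-value amounts, many declines) can be turned into a simple check over a payment log. The following is an added example, not NetSafe's or any charity's code; the log format, the sample records and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log of a donation form's payment attempts (not real data):
# (ISO timestamp, source IP, amount in NZD, approved by the payment gateway?).
SAMPLE_ATTEMPTS = [
    ("2024-03-01T10:00:00", "203.0.113.5", 20.00, True),   # genuine donor
    ("2024-03-01T10:02:11", "203.0.113.9", 50.00, True),   # genuine donor
] + [
    # Twelve attempts in twelve seconds from one address, small random-looking
    # amounts, most declined: the card-testing pattern the article describes.
    ("2024-03-01T10:05:%02d" % i, "198.51.100.7", amt, ok)
    for i, (amt, ok) in enumerate([(4.73, True), (1.19, False), (2.81, False),
                                    (3.07, False), (1.52, True), (0.97, False),
                                    (2.34, False), (4.11, False), (1.88, False),
                                    (3.66, True), (2.05, False), (1.27, False)])
]

def is_odd_amount(amount, small_limit=10.0):
    """Small donation that is not a whole-dollar value ($4.73 rather than $20)."""
    return amount < small_limit and round(amount * 100) % 100 != 0

def flag_card_testing(attempts, window_s=60, max_in_window=10, share=0.5):
    """Return {ip: [reasons]} for addresses whose attempts look like card testing."""
    by_ip = defaultdict(list)
    for ts, ip, amount, approved in attempts:
        by_ip[ip].append((datetime.fromisoformat(ts), amount, approved))
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        reasons = []
        # Rule 1: burst of attempts inside a sliding time window (rate limit by IP).
        lo = 0
        for hi in range(len(rows)):
            while (rows[hi][0] - rows[lo][0]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 > max_in_window:
                reasons.append("burst: >%d attempts within %ds" % (max_in_window, window_s))
                break
        # Rules 2 and 3 only make sense once an address has made a few attempts.
        if len(rows) >= 3:
            odd = sum(is_odd_amount(a) for _, a, _ in rows)
            if odd / len(rows) >= share:   # real donors tend to give whole dollars
                reasons.append("odd small amounts: %d of %d" % (odd, len(rows)))
            declined = sum(not ok for _, _, ok in rows)
            if declined / len(rows) >= share:  # unknown stolen cards are often declined
                reasons.append("declined: %d of %d" % (declined, len(rows)))
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Any address returned by flag_card_testing is a candidate for the IP-based limits the advice describes, and its approved transactions are the ones to raise with your bank or merchant provider.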
If your website has been targeted by credit card fraudsters, speak with your bank or merchant provider. You can also contact NetSafe via their freephone telephone number 0508 NETSAFE or report an incident online at theorb.org.nz.