Excessive payment failures from IP


Goal

Detect excessive payment failures from an IP.

This may be caused by a malicious actor trying to use stolen payment cards to buy products from you. Those payments will lead to expensive chargebacks and unpaid but shipped products.

Required business logic events

Datadog auto-instruments many event types. Review your instrumented business logic events. This detection requires the following instrumented event:

  • payment.failure

Strategy

Count the number of payment failures coming from a single IP.

Payment failures must be flagged using a user event whose status metadata field is set to success or failed.

A Medium signal is then generated if more than 3 signups from a single IP over 5 minutes are found.
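
The counting logic described above, sketched in Python as an added example (this is not Datadog's rule definition or query syntax). It assumes the threshold and window apply to payment.failure events and evaluates them over a sliding window; the field names event, ip, ts and status and all sample events are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)          # evaluation window from the rule text
THRESHOLD = 3                          # signal when the count is MORE than 3
VALID_STATUS = {"success", "failed"}   # status values the rule text requires
BASE = datetime(2024, 1, 1, 12, 0, 0)  # constructed start time for the sample

def detect(events):
    """Return one Medium signal per IP, the first time it exceeds THRESHOLD
    payment.failure events inside a sliding WINDOW."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    signalled = set()
    signals = []
    for e in sorted(events, key=lambda x: x["ts"]):
        # Only count payment.failure events carrying the required status field.
        if e.get("event") != "payment.failure" or e.get("status") not in VALID_STATUS:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > WINDOW:  # drop failures older than the window
            q.popleft()
        if len(q) > THRESHOLD and e["ip"] not in signalled:
            signalled.add(e["ip"])
            signals.append({"ip": e["ip"], "severity": "Medium",
                            "count": len(q), "at": e["ts"]})
    return signals

def ev(ip, sec, status="failed"):
    """Build one constructed payment.failure event (hypothetical field names)."""
    return {"event": "payment.failure", "ip": ip,
            "ts": BASE + timedelta(seconds=sec), "status": status}

# Constructed sample events, using documentation-range IP addresses.
SAMPLE = (
    # Burst: 4 failures in just over 2 minutes -> exceeds the threshold.
    [ev("203.0.113.7", s) for s in (0, 40, 95, 130)]
    # Slow: 4 failures spread over 10 minutes -> never more than 2 per window.
    + [ev("198.51.100.20", s) for s in (0, 200, 400, 600)]
    # Uninstrumented: no status metadata, so these are not counted.
    + [ev("192.0.2.9", s, status=None) for s in (0, 10, 20, 30)]
)

if __name__ == "__main__":
    for s in detect(SAMPLE):
        print(s)
```

Only the burst from 203.0.113.7 produces a signal: the slow source never has more than two failures inside any 5-minute window, and events without the status field are ignored.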

Triage and response

  1. Investigate the IP activity and validate that it is legitimate.
  2. Flag transactions from this IP for advanced review and require a captcha to perform payment until the attack is over.
  3. Consider blocking the IP to slow down the attacker.