Please help!!! Over 265,000 fraudulent constituent accounts created in less than a month

Hi Erin,


Have you reach out to your customer success manager/project manager to discuss this?  This sounds like someone created a script to create constituent records to test out credit cards.


-David

Hi,


How about your Blackbaud Project Manager? Do you have retainer hours? If so, you can put this as a request which will come with a charge. What merchant account do you use? BBMS?


-David Arocha

Erin, we deal with this near daily however often see it 'big spurts' - here's what we have done and do.

1. Captcha - not going to help - at least not us. There is a known bug in the BB API which will bypass captcha hence updating your websites pages (at least for us) did nothing to resolve. If the 'bad people' are good, and they are, they are not actually scrapping your pages, they are using an API.

2. We download all BBMS transactions daily to look for patterns of non-approved transactions - these are easy to spot and you will quickly notice common patterns. Based on the patterns we have reports generated and remove the constituents from LO as well as RE.

3. To prevent the risk of a CC being inappropriately charged (i.e. a 'bad person' getting lucky with the right info and confirming a cc is good) we do have BBMS confirm each transaction against a BBMS calculated confidence/score level.  Based on the score the transaction will be automatically declined regardless.  

4. Lastly, if you manage events via LO make sure you close your event(s) when they are over - we have found this is an easy way to stop a lot of the transactions.


Yes, the above is reactive but we find the fraudulent transactions within 12-24hrs and clean them up - it works for us.

 

Here's an example of how the BC SPCA integrated bot protection- they were dealing with the same thing in terms of fraudulent transactions!  The site uses an application level firewall with a known network of bots auto banned (they went with WordFence since they're on WordPress), a honeypot trap for scripts that fill out common fields, a time calculation system that detects how long it took to fill in the form, and a detection system that bans bots if they fail to submit the form too many times.

https://spca.bc.ca/donations/make-a-donation/


 

Philip Nawrocki‍, to my knowledge there isn't anything on the roadmap for improving CAPTCHA. There is a feature request in our Ideas Portal that is still open for voting:

https://luminateonline.ideas.aha.io/ideas/LUM-I-1164


Best regards,

Trent Roberts

Customer Support

M Oconnell, when we experienced this late last year our credit card processor was the one who actually warned us of what was happening. Along with being able to block IP addresses from suspect countries they also have functionality that allows you to block credit cards based on BIN numbers. We have blocked cards issued by banks in all the suspect countries like Brazil, Bulgaria etc. Of course this does not help with stolen Canadian, European or US credit cards but it does help some. We found that we just had to tough it out and delete all of the identified records as soon as we found them.


Robert

I've also created this idea - please vote for it here: https://luminateonline.ideas.aha.io/ideas/LUM-I-1730 

 

Do not create an active constituent record when it results from failed transaction

In order to determine if a transaction is fraudulent, LO first has to create a constituent record so the information can be sent to the merchant account. I propose making a product change so that the system not create an *active* constituent record.

Why? Active constituent records sync over to other database systems (offline CRM, mobile vendor, etc.) AND active constituent records receive email. When the data is bad, such as via a carding run, it takes staff time to identify said records, and then remove/clean the data across multiple systems. If not addressed, it can have negative downstream effects, such as impacting email deliverability and inflating direct mail costs.

This issue impacts organizations large and small. Large organizations sometimes are able to dedicate the resources to clean the data; small most often are not. 

 

> since records can never truly be deleted from Luminate, we do now have close to 380,000 records that are "marked as removed."


This sort of thing is such a bummer with LO.


I understand the reasoning, but our instance has been running since 2008. I think we have more junk than real content at this point.


BPM

"This was because Support thought it likely the bad guys had actually made a "shadow form" from our original, and were using it to card-test."


I always imagined some kind of macro or script like GreaseMonkey which they run against the forms we host. But if they scrape their own front end form they can strip out all the UI and validation, and just make it a posting machine.


I wonder how that works across domains though.


BPM

We used Digital Resolve during a recent carding run. Highly recommended as we shut off allowing of transactions from specific regions as time wore on. It cut off a source of fraud completely. A few days later we turned it back on and had no issues. Also try to adjust your Luminate PD settings to allow AVS/VVT. 


Your tactics will be different from others' due to the nature of attacks.


 

That's great to hear. but the Luminate PD settings do no work, since we have IATS. IATS, did not have AVS or VVT, surprisingly and let all the fraud go thru and crashed.

IATS was the worst, to a comical extent. We changed our hospital name, and they absolutely refused to update it in their system no matter who we spoke with. Several people told us it was simply not possible. This is the donor facing name I'm talking about here. Crazy.


BPM

One thing to note about implementing Digital Resolve -- if you are using the Facebook Fundraisers integration in TeamRaiser, there is some additional setup required if you are using Digital Resolve. You must whitelist the IP addresses used for Facebook Fundraisers, or else Digital Resolve may unintentionally flag the transactions as fraud.

Raj - not sure who answers that question, but I'll send along my answer:  We use PayflowPro.   And that brings up another "valve" to stop fraudulent transactions - If LO's AVS settings aren't cutting it, you can consider Fraud services usually provided through your payment processor. In our instance, PayflowPro has add-ons for a fee that include Advanced Fraud Protection and Buyer Authentication. We haven't used it but its knowing whats there -- and if there's a "shut off anytime" mechanism, its something you might want to dry-run the set up to have it available on demand, because Fraud is always going to happen.