Warning as cyber-criminals target NZ charities

Photo / Richard Robinson

Cyber-criminals have targeted two New Zealand charities in automated attacks attempting to validate large numbers of stolen credit cards.

Internet watchdog NetSafe this morning warned charities taking online donations to be alert after the attacks on the two organisations, which it did not name.

In the first incident, almost 50,000 attempts were made to rapidly submit fake donations through a website form with the aim being to test which credit cards could be used for subsequent online fraud or sold on to other internet scammers.

More than 2000 successful donations were made resulting in the charity having to enlist the help of their bank and merchant account provider to refund the fraudulent payments.

They also spent time dealing with enquiries from cardholders around the world questioning the transactions.

A second incident yesterday saw another charity website hit with 11,000 payment requests resulting in more than 250 donations to their bank account.

In both cases, the automated attacks had been launched from a Brazilian IP address and NetSafe is encouraging charities and other small businesses that take payments online to take steps to secure their websites and contact their bank or payment provider about ways to prevent online fraud.

NetSafe digital project manager Chris Hails said credit card fraud was an ongoing issue for any organisation which accepted payments over the internet.

"The American security company PhishLabs warned that charity websites were being targeted by cyber criminals to validate stolen cards in November last year and they believe that these smaller organisations have fewer internet defences in place than larger retailers and are thus an easy target," he said.

"Being the target of such an attack can mean hours of staff time cleaning up afterwards and could potentially cost your organisation money or find you blocked from taking future donations online."

The warning comes just a week after New Zealand's Banking Ombudsman predicted that complaints to her office about scams would increase in 2015.

Auckland-based NetSafe recorded more than 8000 incidents in 2014, including a wide range of cyber security issues ranging from phishing attempts to ransomware.

Mr Hails said monitoring any payments received was an important way for organisations to detect fraud on their website.

"Be on the lookout for a series of small donations for odd values or random amounts. Real people tend to donate whole dollars -- $20 rather than $4.73."

Protect your business online

NetSafe offers the following advice for charities and website owners:

- Talk to your bank or merchant provider about how their payment systems can be used to protect against online fraud

- Talk to your website developer, IT staff or a security specialist about ways to protect your site and any payment forms you host

- Use a CAPTCHA on your web form or require an account be created

- Limit transaction volumes or website sessions by IP address or pre-screen payments from high risk countries if you are seeing fraudulent attempts to donate

- Consider monitoring traffic volumes to your website.

*If your website has been targeted by credit card fraudsters speak with your bank or merchant provider. You can also contact NetSafe via their freephone telephone number 0508 NETSAFE or report an incident online at www.theorb.org.nz.