Brazilian Crime Syndicate Cardwashing Attack

Brazilian Crime Syndicate Cardwashing Attack


As a payment transaction company processing millions of commercial transactions each day, ensuring the security of payment data is a fundamental business requirement.

Cybercrime involving fraud, specifically payment card fraud has increased dramatically, perpetuated by the increasing popularity of e-commerce and online shopping. Organised crime groups have shown significant innovation and diversity in their strategies to monetise their illegal activities.

This payment processor was undertaking their annual PCI audit and concurrently releasing new features to meet the Reserve Bank of Australia’s Cost of Acceptance mandatory reporting requirements. Given the architectural complexity, the entire development team were working on implementing this new feature.

The operations team noticed a high number of failed transactions. An investigation uncovered a Brazilian fraud group had begun to use existing business logic to validate card details, the Primary Account Number (PAN), expiry and CVV/CV2 combinations.

With the development team fully engaged in other activities and the pressing need to fix business logic security vulnerabilities, they contacted RedShield.



After reviewing the application logs RedShield were able to identify the threat actors and characterise the tactics and techniques used to effect the attack.

RedShield built, tested, and deployed custom shields to protect the processors payment interfaces from attack. By inspecting the application responses RedShield was able to implement an adaptive algorithm that blocked card washing attacks whilst not affecting legitimate traffic.

To assist the processor’s security operations, RedShield designed custom reporting dashboards in Splunk to identify affected merchants and further highlight potentially fraudulent transactions.


“RedShield’s ability to understand our applications, our architecture, and mitigate their ever changing attack meant we could meet our business objectives without sacrificing the security of our users’ card details.”



RedShield were able to deploy standard mitigations to slow the attack while custom shields were built, tested and deployed over 72 hours. The newly developed shields were 100% automated, requiring no maintenance by operational staff. Cardwashing attacks continued for several days however were closely monitored and thwarted by RedShield. Cardwashing operations ceased approximately 7 days later. Further log analysis revealed multiple attempts to bypass the custom shields but were all unsuccessful.

With RedShield’s assistance the payment processor was able to meet its delivery deadline, mandatory compliance requirements, and successfully defend itself from what would have been a devastating attack.

May 21, 2020