Lucifer Decs first appeared in my life on August 14, 2022, a day that will live in infamy. I was minding my own business, attending a meeting of the Faison Preservation Society. This group to which I belong preserves and operates the historic N.W. Faison House in La Grange, Tx. Earlier in the year I installed an app on our website to help fundraise. A notice appeared in my email alerting me of multiple donations to us from one zip code.
Lucifer blessed us with donations nearly 6,000 times. You would think our group would love to get 6,000 payments at $5.00 each. But, alas, it was a carding scam. We didn’t get to keep the money, just had to clean up the mess. My life transformed into a living hell until August 25, 2022, when the law won.
What is a carding scam you ask?
Carding (also known as credit card stuffing and card verification) is a web security threat in which attackers use multiple, parallel attempts to authorize stolen credit card credentials. Carding is performed by bots, software used to perform automated operations over the Internet. Lucifer, it turned out, is a bot. Who knew?
And why do I call the machine Lucifer, you ask?
Because, when donating on a stolen card, he used the name Lucifer Decs with an email address of firstname.lastname@example.org. **** would rotate between numbers and letters with every $5.00 payment made.
And why do you call Lucifer a “he” you ask?
Surely a woman wouldn’t attack a small charity in such as fashion. (Before you assault me on this blog, please understand I realize this is as false an assumption as thinking I was safe from maundering robots. But I like to lead a delusional life. Besides, when I was young, “he” was the pronoun taught not “he/she” or simply “she.”)
And where does Lucifer live, you ask?
Obviously not in the underworld, although his soul should be rotting in hell. A bot blocker program traced his IP address to Helsinki, Finland. I suspect that was the last stop as it probably transferred from IP to IP until his venom spewed into the world.
What cleanup did you have to do, you ask?
Every time Lucifer hit the first five days, or so, he would get four or five charges through and then the card company would block him. I had to examine the 6,000 hits, find the ones that went through, and refund them. Then I had to delete the charges out of the system.
And how did the “law” win, you ask?
I would love to say that, as webmaster, my advanced technological expertise allowed me to immediately vanquish the devil. Unfortunately, I’m an amateur who thinks she knows enough to dabble in WordPress websites.
The credit card company told me to install reCAPTCHA, which I did.
What is reCAPTCHA you ask?
It’s the little thingies they put on the site like mark “I’m not a robot” or check all the pictures that have a stop light in them or write what letters you see.
Unfortunately, I was too unskilled in html coding to be able to put the reCAPTCHA in the correct place. If this over your head, don’t worry, its over mine, too.
I studied the internet, reading complex Shx$%#t about coding and poked around the back end of our website, trying things. Every time I thought Lucifer was dust, he’d appear the next day.
Then I installed the bot blocker plugin thingy but didn’t do it correctly. Lucifer gave it the slip, too. Curses. Foiled again.
Reluctantly, I asked one of our members who is a tech genius to stop by my house on our return from lunch. I owed him two meals because he had previously fixed my two malfunctioning computers; we were on our second outing. Taking advantage of others is not in my DNA. But desperate times call for desperate acts. Fortunately, he agreed. Amazing what a restaurant with fabulous ambiance and good wine can do.
He worked his tail off, eventually getting the bot blocker working, installing reCAPTCHA correctly, and blocking the IP address we had. It’s been quiet ever since.