Carding Attack · Issue - Magento 2 API remote order guest-carts simulation script
... store has been the target of several carding attacks in the last few weeks, growing in intensity and sophistication. Thousands of credit cards (presumably stolen numbers) are tested using a single guest cart on my store.
https://github.com/magento/magento2/issues/28614

I was looking at the API docs, then at live shops' checkout pages, and somehow created a Magento 2.4.1 "carding attack" simulation script.

It injects orders from a remote server via the API, with interception of the payment ID from the payment gateway (Stripe).

You can actually replace any payment method or gateway; all the data can easily be captured from the checkout page with the Chrome DevTools panel. Many merchants still flying high in the #cloud have no idea what's going on. But as a matter of fact, you don't have to be on the #website to place the order: ordering can be fully automated from different servers simultaneously.

"Ghost" carts, fake quotes, abandoned cart reminders, unnecessary workload, a trashed database, cron job burden, etc. It is a good way to test server fraud protection.

Swagger is another place from which a fake order can be created: the module is installed and enabled by default in every Magento. Or use a Chrome Swagger plugin pointed at the REST API endpoint.

Script to place a forged order remotely: https://gist.github.com/magenx/bdc56bf568caa3c23b2217055aef17b2

Another bug is that the order is placed into an incorrect store view ID, making the "Purchase Point" field empty and actually ignoring all the security checks in Magento and the payment gateway.
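
The pattern quoted from the issue at the top of this page, many card attempts against a single guest cart, can be spotted in web server access logs. The following is an added example, not part of the original post or the linked gist: it counts payment submissions per guest cart ID. The combined log format, the threshold, and the treatment of non-2xx responses as declined attempts are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# POST to the guest-cart payment endpoint, combined log format, with or
# without a store code after /rest/ (the log format is an assumption).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"POST /rest/(?:[\w-]+/)?V1/guest-carts/(?P<cart>[\w-]+)'
    r'/payment-information[^"]*" (?P<status>\d{3}) '
)

def find_carding_carts(lines, max_attempts=5):
    """Return per-cart stats for guest carts with more than max_attempts
    payment submissions; a real shopper rarely retries more than a few times."""
    carts = defaultdict(lambda: {"attempts": 0, "failures": 0, "ips": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        stats = carts[m["cart"]]
        stats["attempts"] += 1
        stats["ips"].add(m["ip"])
        if not m["status"].startswith("2"):  # assumption: declined card => non-2xx
            stats["failures"] += 1
    return {c: s for c, s in carts.items() if s["attempts"] > max_attempts}

def _entry(ip, sec, path, status):
    # Builds one constructed access-log line.
    return (f'{ip} - - [10/Nov/2020:12:00:{sec:02d} +0000] '
            f'"POST {path} HTTP/1.1" {status} 87 "-" "-"')

# Constructed sample: one cart hit 12 times from 3 addresses, one normal
# checkout on another cart, and one unrelated request.
CARD_TEST_CART = "/rest/default/V1/guest-carts/CONSTRUCTED-CART-0001/payment-information"
SAMPLE_LOG = [
    _entry(f"203.0.113.{10 + i % 3}", i, CARD_TEST_CART, 400 if i < 11 else 200)
    for i in range(12)
] + [
    _entry("198.51.100.7", 30,
           "/rest/V1/guest-carts/CONSTRUCTED-CART-0002/payment-information", 200),
    _entry("198.51.100.7", 31, "/rest/V1/guest-carts", 200),
]

if __name__ == "__main__":
    for cart, s in find_carding_carts(SAMPLE_LOG).items():
        print(f"{cart}: {s['attempts']} attempts, {s['failures']} failed, "
              f"{len(s['ips'])} source IPs")
```

Grouping by cart ID rather than by client address matters here because the attempts can come from different servers while still reusing one cart.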