The sale of fraudulent gift cards has become a booming business, thanks to the lax security measures employed by most issuers, and the fact that, as unsecured products that function much like cash, using them is relatively anonymous—and low risk.
According to Flashpoint, gift card fraud has shifted: where gift cards were once mainly a way to launder stolen credit cards, criminals now sell the unused balances of legitimately purchased cards online.
The firm noted that toward the end of 2015, cyber-criminals selling gift cards bought with stolen credit cards started to see those cards declined and their clients demanding refunds, so these so-called "carded" gift cards were no longer viable. Sellers now focus instead on unused balances, marketed as "eCards."
According to Flashpoint sources, many gift cards are numbered sequentially. Once a cyber-criminal has worked out the numbering convention, they can test candidate card numbers against the targeted business's gift card balance checker, which tells them which numbers correspond to live cards and what those cards hold. Since a manual search of that space is too slow to be profitable, many criminals have automated it, and that automation is what makes the scheme lucrative.
“Indeed, some cyber-criminals have been known to develop bots that automate the process of checking gift card number combinations,” the firm noted. “Gift card balance-checking sites require users to enter a gift card’s number to view the card’s balance. Though sites appear to require associated personal identification numbers (PINs) to check gift card balances, many gift card PINs are inconsequential and not validated by any gift card authority. As a result, any random PIN can be entered, enabling cyber-criminals to easily view a card’s balance.”
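The mechanics Flashpoint describes, as an added example that is not code from the article, from Flashpoint or from any issuer: a toy balance checker with sequential numbering and a PIN field that is never validated, beside a checker that validates the PIN in constant time, budgets failed lookups per source and gives the same answer for an unknown number and a wrong PIN. The issuer prefix, the card numbers, PINs and balances are all constructed for the demo.

```python
"""Added example, not code from the article, Flashpoint or any issuer: a toy
balance checker that shows why sequential numbering plus an unvalidated PIN
lets a bot enumerate live cards, beside a checker that validates the PIN and
budgets failures per source. Card numbers, PINs and balances are constructed."""
import hmac
from collections import defaultdict

PREFIX = "6006"          # constructed issuer prefix (assumption for the demo)
BASE = 100_000_000_000   # constructed start of the sequential 12-digit range


def card_number(seq: int) -> str:
    """Numbering scheme the article describes: a fixed prefix plus a sequence number."""
    return f"{PREFIX}{seq:012d}"


# Constructed sample of live cards: offset from BASE, balance, PIN (7 live in 100 numbers).
LIVE = {
    card_number(BASE + off): {"balance": bal, "pin": pin}
    for off, bal, pin in [(3, 25.0, "4821"), (11, 100.0, "0937"), (27, 50.0, "7710"),
                          (42, 10.0, "3456"), (58, 75.0, "9081"), (73, 200.0, "1264"),
                          (90, 40.0, "5599")]
}


def check_balance_weak(number: str, pin: str, source: str):
    """Vulnerable checker: the form demands a PIN but nothing validates it, so any
    PIN reveals whether a number is live and what it holds (the Flashpoint finding)."""
    card = LIVE.get(number)
    return card["balance"] if card else None


FAILED = defaultdict(int)   # failed lookups per source (IP, session, API key, ...)
MAX_FAILURES = 10


def check_balance_hard(number: str, pin: str, source: str):
    """Hardened checker: compares the PIN in constant time, counts failures per source
    and refuses once the budget is spent. An unknown number and a wrong PIN produce
    the same answer, so the response is not an oracle for which numbers are live."""
    if FAILED[source] >= MAX_FAILURES:
        return "locked"
    card = LIVE.get(number)
    if card is not None and hmac.compare_digest(card["pin"], pin):
        return card["balance"]
    FAILED[source] += 1
    return None


def enumerate_cards(checker, start_seq: int, count: int, pin: str = "0000",
                    source: str = "bot"):
    """What a balance-checking bot does: walk the sequential space with a dummy PIN
    and keep every number that comes back with a balance."""
    found = {}
    for seq in range(start_seq, start_seq + count):
        number = card_number(seq)
        result = checker(number, pin, source)
        if isinstance(result, float) and result > 0:
            found[number] = result
    return found


if __name__ == "__main__":
    hits = enumerate_cards(check_balance_weak, BASE, 100)
    print(f"weak checker: {len(hits)} live cards found with PIN 0000")
    hits = enumerate_cards(check_balance_hard, BASE, 100, source="203.0.113.5")
    print(f"hard checker: {len(hits)} found; source locked after "
          f"{FAILED['203.0.113.5']} failures")
```

Against the weak checker the sweep recovers every live card in the range with a single dummy PIN; against the hardened one it recovers nothing and is cut off after ten attempts. A per-source failure budget on its own is a thin defence against a bot spread across many hosts, so the durable fixes are the ones that remove the foothold: non-sequential card numbers and a PIN that is actually checked.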
A textbook example is GiftGhostBot, which tests a rolling list of candidate gift card account numbers at a rate of 1.7 million numbers per hour, according to Distil Networks. Its security analyst team noticed increased bot activity in March on customer websites with gift card processing capabilities, and found GiftGhostBot being distributed across hosting providers, mobile ISPs and data centers worldwide, executing JavaScript so that it passes for a real browser and evades bot detection. On one customer website, the team recorded 4 million bad bot requests per hour, nearly 10 times the site's normal level of traffic.
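Two signals a defender can pull from a balance-checker log, as an added example that is not code from the article or from Distil Networks: sources that walk the card-number space in near-consecutive steps, and minutes in which endpoint volume is far above the site's baseline (the article's figure was roughly 10x). The log format, the IP addresses, the card numbers and the sample lines are constructed for the demo.

```python
"""Added example, not from the article or Distil Networks: detection logic run over
a constructed balance-checker log. It flags (1) sources that walk the card-number
space sequentially and (2) minutes whose request volume is far above baseline,
the two signals the GiftGhostBot description gives. Log format, IPs and numbers are
assumptions made for the demo."""
import re
from collections import defaultdict
from statistics import median

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /giftcard/balance "
    r"card=(?P<card>\d{16}) status=(?P<status>\d{3})$"
)


def _bot_lines(ip: str, start: int, n: int):
    """Constructed traffic from one bot node sweeping n consecutive numbers."""
    return [f"2017-03-14T10:00:{i:02d}Z {ip} POST /giftcard/balance "
            f"card={start + i:016d} status=200" for i in range(n)]


# Constructed sample log: two shoppers checking their own cards, plus three bot
# nodes on different networks (as the article describes) each sweeping its own slice.
SAMPLE_LOG = (
    [
        "2017-03-14T10:00:05Z 198.51.100.7 POST /giftcard/balance card=6006100000000011 status=200",
        "2017-03-14T10:00:09Z 198.51.100.7 POST /giftcard/balance card=6006100000000011 status=200",
        "2017-03-14T10:00:40Z 198.51.100.23 POST /giftcard/balance card=6006100000000073 status=200",
    ]
    + _bot_lines("203.0.113.5", 6006100000000000, 12)
    + _bot_lines("203.0.113.77", 6006100000000100, 12)
    + _bot_lines("192.0.2.140", 6006100000000200, 12)
)


def parse(lines):
    """Yield (timestamp, ip, card number as int) for every well-formed line."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), int(m.group("card"))


def sequential_sources(lines, min_distinct: int = 8, max_gap: int = 2):
    """Flag sources that query many distinct numbers whose sorted gaps are mostly tiny:
    the signature of a sequential sweep, not of a shopper rechecking one card."""
    cards = defaultdict(set)
    for _, ip, card in parse(lines):
        cards[ip].add(card)
    flagged = {}
    for ip, nums in cards.items():
        if len(nums) < min_distinct:
            continue
        ordered = sorted(nums)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        if median(gaps) <= max_gap:
            flagged[ip] = {"distinct": len(nums), "median_gap": median(gaps)}
    return flagged


def requests_per_minute(lines):
    """Aggregate volume on the endpoint regardless of source, since a distributed bot
    keeps each node's share of the traffic small."""
    counts = defaultdict(int)
    for ts, _, _ in parse(lines):
        counts[ts[:16]] += 1          # "YYYY-MM-DDTHH:MM"
    return dict(counts)


def burst_minutes(counts, baseline_per_minute: float, factor: float = 10.0):
    """Minutes whose volume is at least `factor` times the site's normal rate."""
    return sorted(m for m, n in counts.items() if n >= factor * baseline_per_minute)


if __name__ == "__main__":
    for ip, info in sequential_sources(SAMPLE_LOG).items():
        print(f"sequential sweep from {ip}: {info}")
    print("burst minutes:", burst_minutes(requests_per_minute(SAMPLE_LOG), 3))
```

The per-source check catches each node only once it has made enough requests to reveal a pattern, which is exactly why a bot is spread across many providers; the aggregate volume check is what catches the campaign as a whole, and on a real site the baseline should come from the endpoint's own history rather than a constant.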
Once criminals have identified live gift card numbers by this brute-force sweep, they resell the numbers on the Dark Web or use them to purchase goods. Most cards are marked down to roughly 30% of face value, though sellers trying to undercut the competition may offer cards for as little as 5% of their value, Flashpoint noted.
“Given the popularity of non-carded gift cards among cyber-criminals, cyber-criminals with strong methods for obtaining valid gift card information can quickly rise to prominence in the cyber-criminal underground,” the report said. “This, combined with poor security measures surrounding gift cards, led Flashpoint analysts to anticipate that this type of fraud will continue to increase.”