By Yossi Barkshtein
On July 4th, many Americans barbecue, watch baseball and go to fireworks shows. In 2020, U.S. consumers added a new ritual to that list - get targeted by bad actors seeking to scam them out of their online gift card balances.
For the first time ever, we tracked a significant “credential stuffing” attack leading up to and over July 4th. Cybercriminals obtained validated password and username combos from the Dark Web. The fraudsters used them for attacks across a broad range of online sites such as home goods and clothing.
We estimate the market for stolen gift cards and theft using unauthorized digital gift cards is well into the billions of dollars each year. Selling stolen gift cards is now an open practice, easy to find with search engines like Google and Bing.
Stolen gift cards for immediate purchase
Taking advantage of the fact that the balances in many Americans' gift card accounts are high around July 4, hackers are breaking into and emptying these accounts. We believe the cybercriminals count on the tendency of people to reuse the same username or email and password across multiple sites, a well-known cyber security weakness. As you can see from the chart below, the patriotic holiday attracted a nasty spike of e-gift card bot attackers.
What’s more, the July 4th cybercrime spree was not even an outlier. At PerimeterX we are seeing spikes in these types of carding attacks and gift card scams on every significant holiday, including Memorial Day, Mother’s Day, Father’s Day, Thanksgiving and Valentine’s Day.
July 4th e-gift card attacks (in red)
In our analysis, every major holiday is now a gift card hacking day for scammers looking to make money through gift card hacks on shoppers. This is logical: the hackers are going where the money is, and the money has flooded into online gift cards. Many retailers are reporting monthly sales and traffic on their digital properties that rival the peaks a retailer’s website sees during Black Friday and Cyber Monday.
In other words, security, risk, and digital operations teams should assume that every holiday going forward could potentially generate a bot attack on their properties.
Memorial Day e-gift card attacks (in red)
Pandemic accelerates rise in use of e-gift cards
E-gift cards were on the rise even before COVID, and the pandemic has turbocharged their growth. According to InComm’s 2020 Consumer Pulse: Gift Cards Report, online purchases of gift cards more than doubled in the first two quarters of 2020 versus the previous period. This compares to 24% year-over-year growth for the same period in 2018 to 2019. E-gift cards are not just for gifting either.
According to a July 2020 survey released by branded digital payments provider Blackhawk Network, purchases of digital gift cards are equally likely to go to the purchaser as to be given as a gift. Aside from avoiding the malls and stores, those who purchased the cards for others did so in part because the cards can be sent and received immediately, with less hassle. Driven by the pandemic, smaller and boutique brands are increasingly looking to online gift cards as a way to encourage shoppers to spend money on friends and loved ones without sending them any physical items.
How do the attackers exploit the gift cards to make big profits?
In Israel, as in America, the COVID-19 crisis has brought about an increase of hundreds of percent in online transactions, especially for ordering food from restaurants and buying products from supermarket chains. The increase in online transactions brought with it an increase in digital fraud. It seems that hackers do not hesitate to take advantage of the growing use of credit cards and gift cards online to steal the money of innocent citizens in Israel as well.
Hackers love to steal online gift cards and gift card balances because gift card security is less comprehensive than the deeper scrutiny facing credit card transactions. Gift card account owners are less likely to notice changes to their gift card balances. In addition, security measures on unactivated gift cards are less stringent. Gift card PINs are comparatively easy to guess, too. All of this makes selling validated accounts with gift cards, or draining the gift card accounts by, ironically, sending an unauthorized gift card, easy money.
The four ways that hackers use gift cards to cash in are: use the stolen gift card balance for purchases; use the account balance to buy e-gift cards and sell them on secondary markets; convert e-gift cards into cash on dedicated platforms such as cardcash.com; and sell a validated password/username pair for a card holder for up to $45 on the Dark Web.
There are even organized web marketplaces on the Dark Web with websites that look like legitimate markets, where sellers can unload stolen gift cards and buyers can pick them up at big discounts from the card’s face value. A quick Google search yields dozens of web pages that sell all types of hacked cards, including valuable VISA gift cards and Amazon gift cards. Criminals often request payment in cryptocurrencies like Bitcoin or Ethereum that are difficult to trace.
A Dark Web marketplace for stolen e-gift cards
As more business has moved online with the great pandemic digital transformation, attackers have shown increasing sophistication in e-gift card fraud attempts. Today we commonly find well-organized technology stacks behind these attacks, making e-gift card bot attacks hard to detect.
Most attacks are delivered via massive botnets designed to avoid detection. The botnets are highly distributed: they use multiple IP addresses, multiple ASNs and many different devices.
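As an added illustration of the detection problem described above (example code written for this page, not PerimeterX's product or the author's own tooling): a small Python check over constructed login log lines that flags a window of attempts spread across many IPs and ASNs, where each source contributes little and nearly every attempt targets a different account. The log field names, thresholds and sample traffic are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log (not real traffic): timestamp,client_ip,asn,username,result
# 09:00 window: ordinary traffic. 10:00 window: a distributed credential-stuffing burst.
SAMPLE_LOG = """\
2020-07-04T09:00:05,203.0.113.10,AS64496,alice@example.com,OK
2020-07-04T09:02:11,203.0.113.22,AS64496,bob@example.com,FAIL
2020-07-04T09:02:30,203.0.113.22,AS64496,bob@example.com,OK
2020-07-04T10:00:01,198.51.100.7,AS64500,carol@example.com,FAIL
2020-07-04T10:00:03,198.51.100.8,AS64500,dave@example.com,FAIL
2020-07-04T10:00:04,192.0.2.15,AS64501,erin@example.com,FAIL
2020-07-04T10:00:06,192.0.2.16,AS64501,frank@example.com,OK
2020-07-04T10:00:09,198.51.100.44,AS64502,grace@example.com,FAIL
2020-07-04T10:00:12,203.0.113.99,AS64503,heidi@example.com,FAIL
2020-07-04T10:00:15,198.51.100.45,AS64502,ivan@example.com,FAIL
2020-07-04T10:00:18,192.0.2.77,AS64504,judy@example.com,FAIL
"""

def parse_log(text):
    """Return (timestamp, ip, asn, username, success) tuples from CSV-style lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, asn, user, result = line.split(",")
            events.append((datetime.fromisoformat(ts), ip, asn, user, result == "OK"))
    return events

def detect_stuffing(events, window_min=5, min_attempts=8, min_fail_rate=0.5, min_asns=3):
    """Return the start times of fixed windows that look like distributed credential stuffing.
    Per-IP rate limits miss this pattern: no single source is noisy, but the window as a whole is."""
    buckets = defaultdict(list)
    for ev in events:
        ts = ev[0]
        key = ts.replace(minute=ts.minute - ts.minute % window_min, second=0, microsecond=0)
        buckets[key].append(ev)
    flagged = []
    for key, evs in sorted(buckets.items()):
        n = len(evs)
        fail_rate = sum(1 for e in evs if not e[4]) / n
        users, ips, asns = ({e[i] for e in evs} for i in (3, 1, 2))
        if (n >= min_attempts and fail_rate >= min_fail_rate
                and len(users) >= 0.8 * n      # one try per account, not brute force on one user
                and len(ips) >= 0.5 * n        # spread across sources, each sending very little
                and len(asns) >= min_asns):    # and across networks, not one hosting provider
            flagged.append(key)
    return flagged

if __name__ == "__main__":
    for start in detect_stuffing(parse_log(SAMPLE_LOG)):
        print("possible distributed credential stuffing in window starting", start)
```

In production the same per-window ratios would be compared against a per-hour baseline so that a holiday spike in legitimate logins does not trip the rule on its own.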
The bottom line: consumer advantages, cyber dangers
Consumers and online businesses enjoy the benefits of e-gift cards, but the rising threat of bot attacks on e-gift cards, especially during holidays, casts a shadow over this lucrative payment channel. E-gift card theft hurts customer trust, impacts revenue and imposes unnecessary costs on the business. When an attack happens, security, risk and operations teams can spend considerable energy, time and money remediating security issues.
Business and support teams can spend weeks contacting impacted customers and arranging to make them whole. And marketing and PR teams will need to mount efforts to counter bad press and protect the brand. Putting in place proactive steps to block e-gift card attacks is no longer something businesses think about once a year to prepare for Cyber Monday, because now every holiday is open season for e-gift card attacks.
The writer is a cyber threat researcher at PerimeterX.