How does an e-gift card attack happen and what can you do to protect against them?
In our previous blog, we talked about e-gift card bot attacks, what they are and what drives them. In this blog, we will elaborate on the anatomy of an attack, including an inside look into what tools and techniques are used. We will also discuss how to protect your web and mobile applications from these attacks.
In the last blog, we discussed two main types of e-gift card attacks: e-gift card cracking and account takeover (ATO) based e-gift card attacks. Comparing the two, we have seen that ATO based e-gift card attacks are both more common and more successful than cracking attacks. Part of that success rate comes from the overall rise in ATO attacks during the COVID-19 pandemic, such as the attack on Tesco, and from the massive data breaches at services that grew in popularity during this period, such as Nintendo and Zoom, which feed fresh credentials into the combo-lists attackers use. ATO based attacks are also usually harder to detect and more dangerous, since they are conducted by experienced and sophisticated cybercriminals.
Cybercriminals who conduct e-gift card attacks are usually very knowledgeable and experienced black-hat hackers who are familiar with a wide variety of tools and techniques. These tools make them more efficient and harder to detect and block. Let’s look into some of the tools and methods they use for these attacks.
(Disclaimer: These attacks are illegal and we do not condone them. The following details are intended to aid in attack mitigation.)
Anatomy of ATO based e-gift card attacks
Most e-gift card attacks launch an ATO attack first to ensure success. Here is the typical anatomy of such attacks:
First, the attackers acquire a decent combo-list of usernames and passwords, preferably already validated and known to contain accounts with a gift card balance. Second, to evade bot-protection solutions, they route traffic through many proxies and IP addresses so that the attack is distributed rather than coming from a single source. Some attackers then scale the attack using out-of-the-box credential stuffing tools, which are widely available on the dark web.
Now let's look at each of these stages in more detail.
Combo-lists: usernames and passwords
In preparation for the attack, cybercriminals scrape, or more commonly buy, a bulk list of accounts (usernames and passwords) and validate them against the target site. These lists, or data dumps from other hackers, are very long and can contain tens of thousands of accounts for a very low price. A major source of these combo-lists is data breaches of other websites, as we elaborated on in this whitepaper.
In the image below you can see an example of how these lists look when they are for sale:
[An example of a list of stolen accounts for sale]
Proxies and IPs
While usable proxy IPs can be scraped relatively easily for free, most attackers prefer to buy a reliable proxy list. Free proxies have most likely been used before, so they are probably already on denylists and flagged in common threat intelligence feeds, and get blocked automatically. Paid proxies, on the other hand, are usually residential proxies and IPs that fly under the radar of basic bot blocking techniques.
At this link you can find an example of a proxy service provider (see screenshot below).
[A screenshot of a service that sells residential proxies]
E-gift card out-of-the-box attack tools
Not only is the number of out-of-the-box tools available for e-gift card bot attacks growing over time, but the tools are also getting easier to obtain and use. Tools like Snipr, Let's Brute It and OpenBullet are widely available in the market. The same tools are used for ATO, carding, denial of inventory and scalping bot attacks, and can be found on various hacking forums (not necessarily on the darknet). The basic tools are usually free, but configurations ("configs") that tell the tool how to drive a specific website's login flow are often offered for an additional cost. An example of an open source repository of configurations for Snipr can be found in this link.
In the image below you can see screenshots of two tools: OpenBullet (taken from this youtube video) and Snipr:
[Account validated successfully on OpenBullet]
[The full configuration of an e-gift card ATO attack using the Snipr tool]
Monetization of e-gift card attacks
After preparing all the "ingredients" and conducting the attack, the last stage is monetization, or simply put, making money out of it. If it is a basic ATO attack, the breached accounts can be sold on multiple marketplaces; a validated breached account can sell for up to $45. Abusing the account for e-gift cards is done either by spending an existing balance or, where possible, by buying e-gift cards with the payment information stored in the account. Monetization happens in three main ways:
- Use the stolen gift card balance for purchases
- Use the account balance to buy e-gift cards and sell them on secondary markets
- Convert e-gift cards into cash on dedicated platforms such as cardcash.com
In the image below you will find an example of stolen e-gift cards for sale:
[Stolen e-gift card for sale online]
Real-world E-gift Card Attacks
Among the brands protected by PerimeterX, e-gift card attacks on the e-commerce vertical stayed fairly steady. Since the COVID-19 lockdown started, however, we have seen such attacks skyrocket by 820%, mainly against online food delivery services.
In the graph below the blue line represents the legitimate traffic on e-gift card pages of multiple large online businesses, and the red line is the malicious automated traffic.
[E-gift card pages traffic - aggregated data of multiple large e-commerce and online food delivery brands]
Looking at specific attack data, we can recognize different patterns and characteristics of e-gift card attacks. Some attacks are short and concentrated; others are "low and slow," with occasional spikes. Sophistication varies as well: some attacks are primitive or opportunistic, while others are highly sophisticated, mimicking human behavior and "custom made" for the targeted application and its specific bot protection.
In one example, a sophisticated e-gift card attack on a top five US retailer lasted around two months, a very long time for a massive bot attack. During this period, tens of thousands of requests to e-gift card pages were malicious.
[A massive e-gift card attack on a top five US retailer]
Another interesting case is a top ten travel brand whose e-gift card page was attacked recently. When the malicious traffic spiked, it reached up to 99% of the total traffic to the e-gift card page.
[E-gift card attack on a top ten travel brand]
The next graph shows the traffic on the e-gift card page of a well known food delivery service. The high volumes reflect the booming demand, and the malicious traffic clearly follows that demand, fluctuating between 12% and 30% of the total during attack periods.
[Top food delivery service e-gift card traffic]
E-gift card bot attacks are often hard to detect. Most are conducted using highly distributed botnets that spread requests across many IP addresses, multiple ASNs and many different devices, so no single source stands out and per-source rate limits never trigger. Combined with human-like request behavior, the result is traffic that is complicated to detect and block.
In the graph below we see the distribution of IP addresses for the massive attack on the same top five US retailer shown earlier. The number of different IPs used for this attack is in the thousands. Additional behavior patterns monitored by the PerimeterX research team indicate that the attackers also tried to manipulate and bypass the bot protection, which shows a high level of expertise and experience.
[Top five US retailer e-gift card malicious traffic and unique IPs]
As the usage of e-gift cards increases, so do e-gift card attacks and the diversity of tools and techniques they use. This increase in e-gift card attacks has a significant impact on digital businesses, as we discussed in our previous blog.
Here are our recommendations for web or mobile application operators or owners with an e-gift card program:
First and most important: generate e-gift card numbers randomly, with enough entropy that they cannot be guessed or enumerated. Simple, sequential or similar combinations of digits and characters are easily guessed by the basic algorithms used for card cracking, and one leaked card then reveals its neighbors; a number drawn from a cryptographically secure random generator over a large enough space does not. If you choose to work with a third party vendor for producing e-gift cards, always conduct proper due diligence, especially regarding the vendor's information and data security.
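As an added illustration of this recommendation (example code written for this post, not the original blog's code or any issuer's real scheme), the block below contrasts a sequential card number with one drawn from a CSPRNG, simulates the simplest cracking heuristic (take one known-valid card and try its neighbors), and adds a Luhn mod N check character so the web form can reject typos before they reach the database. The 16-symbol base-36 format, the sample sizes and the thresholds are assumptions for illustration.

```python
"""Issuing e-gift card codes that cannot be guessed or enumerated.

Added example, not the original post's code or any issuer's real scheme.
The 16-symbol base-36 format, the sample sizes and the "increment from a
known card" cracking heuristic are assumptions for illustration.
"""
import math
import secrets
import string

ALPHABET = string.digits + string.ascii_uppercase  # 36 symbols; index == base-36 value
CODE_LENGTH = 16


def to_base36(n: int, width: int) -> str:
    """Encode a non-negative integer as a zero-padded base-36 string."""
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(ALPHABET[r])
    return "".join(reversed(out)).rjust(width, "0")


def from_base36(code: str) -> int:
    return sum(ALPHABET.index(c) * 36 ** i for i, c in enumerate(reversed(code)))


def weak_sequential_code(n: int) -> str:
    """Anti-pattern: a counter dressed up as a card number. One leaked card reveals its neighbors."""
    return to_base36(n, CODE_LENGTH)


def generate_code(length: int = CODE_LENGTH) -> str:
    """CSPRNG-backed code: every symbol drawn independently with `secrets`, never `random`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int = CODE_LENGTH, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy in a uniformly random code of this shape."""
    return length * math.log2(alphabet_size)


def guess_probability(issued: int, length: int = CODE_LENGTH, alphabet_size: int = len(ALPHABET)) -> float:
    """Chance that a single random guess lands on any of `issued` live random codes."""
    return issued / alphabet_size ** length


def luhn_mod_n_check(code: str) -> str:
    """Luhn mod N check character: catches every single-symbol typo, adds no secrecy."""
    n, factor, total = len(ALPHABET), 2, 0
    for c in reversed(code):
        addend = factor * ALPHABET.index(c)
        factor = 1 if factor == 2 else 2
        total += addend // n + addend % n
    return ALPHABET[(n - total % n) % n]


def luhn_mod_n_valid(code_with_check: str) -> bool:
    """Validate a code whose last symbol is its Luhn mod N check character."""
    n, factor, total = len(ALPHABET), 1, 0
    for c in reversed(code_with_check):
        addend = factor * ALPHABET.index(c)
        factor = 2 if factor == 1 else 1
        total += addend // n + addend % n
    return total % n == 0


def cracking_hit_rate(issued: set, seen: str, attempts: int) -> float:
    """Simulate the simplest cracker: start from one known-valid code and try the next `attempts` in order."""
    start = from_base36(seen)
    hits = sum(1 for k in range(1, attempts + 1) if to_base36(start + k, len(seen)) in issued)
    return hits / attempts


def compare_schemes(cards: int = 1000, attempts: int = 100) -> tuple:
    """Hit rate of the increment heuristic against sequential vs. random issuance (constructed data)."""
    weak = {weak_sequential_code(n) for n in range(100_000, 100_000 + cards)}
    strong = {generate_code() for _ in range(cards)}
    weak_rate = cracking_hit_rate(weak, weak_sequential_code(100_000 + cards // 2), attempts)
    strong_rate = cracking_hit_rate(strong, next(iter(strong)), attempts)
    return weak_rate, strong_rate


if __name__ == "__main__":
    code = generate_code()
    print("code with check character:", code + luhn_mod_n_check(code))
    print("entropy (bits):", round(entropy_bits(), 1))
    print("random-guess hit chance with 1M live cards:", guess_probability(1_000_000))
    print("increment-cracker hit rate (sequential, random):", compare_schemes())
```

With a million live cards in a 36^16 space a single guess succeeds with probability around 10^-19, so enumeration is hopeless even without rate limiting, whereas against sequential numbering every guess after a leaked card hits. The check character is a usability feature only: it lets the application reject mistyped codes without a database round trip, but an attacker can compute it just as easily as the form can.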
Second, with bots constantly improving and mimicking user behavior, web and mobile application owners should pay more attention to advanced automated threats. That includes closely monitoring application traffic, and specifically traffic patterns on e-gift card related pages: the share of requests hitting those pages, the number of distinct IPs and ASNs behind them, and the login failure ratio, since a per-IP rate limit on its own will not see a thinly distributed botnet.
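To make the distributed-botnet point from the attack data above concrete, here is an added example (written for this post; it is not the original blog's code and not PerimeterX's product logic) that runs per-minute detection logic over constructed access-log lines. The enriched log format with an ASN field, the endpoint paths, the IP and ASN ranges (RFC 5737 documentation addresses and documentation ASNs) and the thresholds are all assumptions. It summarizes each minute by request count, distinct IPs and ASNs, the busiest single IP and the login failure ratio, flags the window that looks like credential stuffing, and shows that a naive per-IP limiter blocks nothing in the same window.

```python
"""Detecting distributed credential stuffing against e-gift card pages.

Added example, not the original post's code or PerimeterX's product logic.
The log format, the ASN enrichment field, the paths and the thresholds are
assumptions; the log lines are constructed for the demonstration.
"""
import re
from collections import Counter, defaultdict

# Assumed enriched access-log line: "<ISO-8601 ts> <client ip> <ASN> <method> <path> <status>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
LOGIN_PATH = "/account/login"
GIFTCARD_PREFIX = "/gift-card/"


def parse_line(line: str) -> dict:
    """Split one log line into fields; raises ValueError on malformed input."""
    m = LOG_LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, ip, asn, method, path, status = m.groups()
    return {"ts": ts, "ip": ip, "asn": asn, "method": method, "path": path, "status": int(status)}


def minute_bucket(ts: str) -> str:
    """Bucket an ISO-8601 timestamp into a one-minute window key, e.g. '2020-05-01T12:05'."""
    return ts[:16]


def summarize(lines) -> dict:
    """Per-minute metrics that separate a distributed botnet from a few noisy real users."""
    raw = defaultdict(lambda: {"requests": 0, "ips": set(), "asns": set(), "per_ip": Counter(),
                               "login_posts": 0, "login_failures": 0, "giftcard": 0})
    for line in lines:
        r = parse_line(line)
        w = raw[minute_bucket(r["ts"])]
        w["requests"] += 1
        w["ips"].add(r["ip"])
        w["asns"].add(r["asn"])
        w["per_ip"][r["ip"]] += 1
        if r["method"] == "POST" and r["path"] == LOGIN_PATH:
            w["login_posts"] += 1
            if r["status"] in (401, 403):
                w["login_failures"] += 1
        if r["path"].startswith(GIFTCARD_PREFIX):
            w["giftcard"] += 1
    return {
        key: {
            "requests": w["requests"],
            "distinct_ips": len(w["ips"]),
            "distinct_asns": len(w["asns"]),
            "max_per_ip": max(w["per_ip"].values()),
            "login_posts": w["login_posts"],
            "login_failure_ratio": w["login_failures"] / w["login_posts"] if w["login_posts"] else 0.0,
            "giftcard_share": w["giftcard"] / w["requests"],
        }
        for key, w in raw.items()
    }


def flag_windows(summary: dict, min_login_posts: int = 50, min_failure_ratio: float = 0.5,
                 max_per_ip: int = 5) -> dict:
    """Flag minutes with many login attempts, mostly failing, spread thinly over many IPs."""
    return {
        key: (f"distributed credential stuffing: {m['login_posts']} logins from "
              f"{m['distinct_ips']} IPs in {m['distinct_asns']} ASNs, "
              f"{m['login_failure_ratio']:.0%} failing, at most {m['max_per_ip']} per IP")
        for key, m in summary.items()
        if m["login_posts"] >= min_login_posts
        and m["login_failure_ratio"] >= min_failure_ratio
        and m["max_per_ip"] <= max_per_ip
    }


def per_ip_rate_limit_hits(lines, threshold: int = 20) -> set:
    """IPs a naive per-IP-per-minute limiter would block; it sees nothing in a thinly spread attack."""
    counts = Counter()
    for line in lines:
        r = parse_line(line)
        counts[(minute_bucket(r["ts"]), r["ip"])] += 1
    return {ip for (_, ip), n in counts.items() if n > threshold}


def build_sample_log() -> list:
    """Constructed sample: one quiet minute of real users, then one minute of a 150-IP botnet."""
    lines = []
    for i in range(1, 6):  # five legitimate users behind one ASN
        ip = f"198.51.100.{i}"
        lines.append(f"2020-05-01T12:00:{i:02d}Z {ip} AS64496 GET {LOGIN_PATH} 200")
        lines.append(f"2020-05-01T12:00:{i + 10:02d}Z {ip} AS64496 POST {LOGIN_PATH} 200")
        lines.append(f"2020-05-01T12:00:{i + 20:02d}Z {ip} AS64496 GET {GIFTCARD_PREFIX}balance 200")
    lines.append(f"2020-05-01T12:00:30Z 198.51.100.2 AS64496 POST {LOGIN_PATH} 401")  # a mistyped password
    for i in range(1, 151):  # 150 bot IPs across 10 ASNs, at most two requests each
        ip, asn = f"203.0.113.{i}", f"AS{64500 + i % 10}"
        status = 200 if i % 25 == 0 else 401  # combo-list hit rate of about 4%
        lines.append(f"2020-05-01T12:05:{i % 60:02d}Z {ip} {asn} POST {LOGIN_PATH} {status}")
        if status == 200:  # validated account: go straight for the gift card balance
            lines.append(f"2020-05-01T12:05:{i % 60:02d}Z {ip} {asn} GET {GIFTCARD_PREFIX}balance 200")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    summary = summarize(log)
    for window in sorted(summary):
        print(window, summary[window])
    print("flagged:", flag_windows(summary))
    print("per-IP limiter would block:", per_ip_rate_limit_hits(log))
```

The attack minute has 156 requests from 150 addresses in ten ASNs, each sending at most two requests, so a per-IP threshold of 20 per minute never fires; what does stand out is the 96% login failure ratio combined with the breadth of sources, which is the signature the window-level rule keys on. In production the same metrics would be computed on a sliding window and compared against a per-page baseline rather than fixed thresholds.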
The next step is to consider implementing technology solutions that mitigate sophisticated, hard to detect e-gift card bot attacks.
The PerimeterX research team continuously investigates e-gift card attacks and all automated bot attacks to understand how they work and stay ahead of cybercriminals. The research team can predict the attackers’ next moves and provide the intelligence needed for protecting the leading and most reputable websites, mobile applications and APIs from sophisticated bot attacks.