On July 4th, many Americans barbecue, watch baseball and go to fireworks shows. In 2020, U.S. consumers added a new ritual to that list: getting targeted by bad actors seeking to scam them out of their online gift card balances. For the first time ever, we tracked a significant “credential stuffing” attack in the days leading up to and over July 4th. The cybercriminals obtained validated username and password combinations from the Dark Web and replayed them across a broad range of online sites, including home goods and clothing retailers. Each successful login with a valid pair gave them unauthorized access to the online gift card account behind it. We believe the cybercriminals were counting on the well-known tendency of people to reuse the same username or email address and password across multiple sites, and betting that some of those accounts held significant card balances. As the chart below shows, the patriotic holiday attracted a nasty spike of e-gift card bot attacks.
Figure: July 4th e-gift card bot attack (in red).
What’s more, the July 4th cybercrime spree was not an outlier. At PerimeterX we are seeing spikes in these types of carding attacks and gift card scams on every significant holiday, including Memorial Day, Mother’s Day, Father’s Day, Thanksgiving and Valentine’s Day.
Figure: Memorial Day e-gift card bot attacks (in red).
In our analysis, every major holiday is now a gift card hacking day for scammers looking to make money off shoppers’ gift cards. This is logical: the hackers go where the money is, and the money has flooded into online gift cards. Many retailers are reporting monthly sales and traffic on their digital properties that rival the peaks a retailer’s website sees during Black Friday and Cyber Monday. In other words, security, risk and digital operations teams should assume that every holiday going forward could generate a bot attack on their properties.
Pandemic Accelerates Rise of E-Gift Cards
E-gift cards were on the rise even before COVID, and the pandemic has turbocharged their growth. According to InComm’s 2020 Consumer Pulse: Gift Cards Report, online purchases of gift cards more than doubled in the first two quarters of 2020 versus the previous period, compared with 24% year-over-year growth for the same period from 2018 to 2019. E-gift cards are not just for gifting, either. According to a July 2020 survey released by branded digital payments provider Blackhawk Network, purchases of digital gift cards are as likely to be kept by the purchaser as to be given as a gift. Aside from avoiding malls and stores, those who purchased cards for others did so in part because the cards can be sent and received immediately, with less hassle. Driven by the pandemic, smaller and boutique brands are increasingly looking to online gift cards as a way to encourage shoppers to spend money on friends and loved ones without shipping them any physical items.
Four Ways Hackers Can Cash In Digital Gift Cards
Hackers love to steal online gift cards and gift card balances because gift card security is less comprehensive than the scrutiny applied to credit card transactions. Gift card account owners are less likely to notice changes to their balances. In addition, security measures on unactivated gift cards are less stringent, and gift card PINs are comparatively easy to guess. All of this makes selling validated accounts that hold gift cards, or draining those accounts by, ironically, sending an unauthorized gift card, easy money. The four ways that hackers cash in on gift cards are:
- Use the stolen gift card balance for purchases
- Use the account balance to buy e-gift cards and sell them on secondary markets
- Convert egift cards into cash on dedicated platforms such as cardcash.com
- Sell a validated username / password pair for a cardholder for up to $45 on the Dark Web
We estimate the market for stolen gift cards and theft using unauthorized digital gift cards is well into the billions of dollars each year. Selling stolen gift cards is now an open practice, easy to find with search engines like Google. There are even organized marketplaces on the Dark Web, built to look like legitimate stores, where sellers unload stolen gift cards and buyers pick them up at big discounts from face value. A quick Google search yields dozens of web pages selling all types of hacked cards, including valuable Visa gift cards and Amazon gift cards. Criminals often request payment in cryptocurrencies like Bitcoin or Ethereum that are difficult to trace.
Figure: Example of a marketplace in the Dark Web which offers thousands of different e-gift cards for low prices.
Figure: Example of a seller offering “verified” e-gift cards of known brands. Payment is made in hard-to-trace cryptocurrencies such as Bitcoin and Ethereum.
E-Gift Card Attacks Growing More Frequent, Sophisticated
As more business has moved online in the pandemic-driven digital transformation, attackers have shown increasing sophistication in e-gift card fraud attempts. Today we commonly find well-organized technology stacks behind these attacks, which makes e-gift card bot attacks hard to detect. Most attacks are delivered via large botnets designed to avoid detection. The botnets are highly distributed: they spread requests across many IP addresses, many ASNs and many different devices, so that no single source stands out by volume.
Figure: Valentine’s Day e-gift card bot attacks (in red).
The bots themselves are designed to behave like humans, solving CAPTCHAs and moving around a website or accessing an API in what, to the naked eye, looks like a normal behavior pattern. As a result, the attacks are hard to distinguish from human traffic, and security teams that block bots too aggressively, or that cannot detect the subtle behavioral differences, will block legitimate customers by mistake.
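To make the distributed-botnet point concrete, here is an added example (it is not PerimeterX’s code or detection logic) that looks for a credential-stuffing run in a login log where no single IP does anything alarming. The log format, the baseline failure rate, the thresholds and every log line are constructed for illustration; a real deployment would read these from the site’s own authentication logs and tune the numbers to its traffic.

```python
"""Added example (not PerimeterX's code): spotting a distributed
credential-stuffing run in login logs.  The log format, the thresholds and
every log line below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: timestamp, source IP, ASN, username, result.  Each bot IP
# makes only one or two attempts (staying under any per-IP rate limit), but
# together the sources try a long list of distinct accounts and mostly fail.
STUFFING_LOG = """\
2020-07-03T20:01:02Z 203.0.113.10 AS64500 alice@example.com FAIL
2020-07-03T20:01:03Z 203.0.113.10 AS64500 bob@example.com FAIL
2020-07-03T20:01:05Z 198.51.100.7 AS64501 carol@example.com OK
2020-07-03T20:01:06Z 198.51.100.8 AS64501 dave@example.com FAIL
2020-07-03T20:01:09Z 203.0.113.11 AS64500 erin@example.com FAIL
2020-07-03T20:01:10Z 203.0.113.11 AS64500 frank@example.com OK
2020-07-03T20:01:12Z 198.51.100.9 AS64501 grace@example.com FAIL
2020-07-03T20:01:14Z 192.0.2.5 AS64502 heidi@example.com OK
2020-07-03T20:01:15Z 192.0.2.5 AS64502 heidi@example.com OK
2020-07-03T20:01:20Z 203.0.113.12 AS64500 ivan@example.com FAIL
2020-07-03T20:01:21Z 203.0.113.12 AS64500 judy@example.com FAIL
2020-07-03T20:01:25Z 198.51.100.10 AS64501 mallory@example.com FAIL
"""

# Constructed sample of ordinary traffic: repeat visitors, mostly successful.
BENIGN_LOG = """\
2020-07-03T20:02:01Z 192.0.2.20 AS64503 heidi@example.com OK
2020-07-03T20:02:05Z 192.0.2.21 AS64503 olivia@example.com FAIL
2020-07-03T20:02:09Z 192.0.2.21 AS64503 olivia@example.com OK
2020-07-03T20:02:12Z 192.0.2.22 AS64504 peggy@example.com OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts

    @property
    def spread(self) -> float:
        """Distinct accounts per attempt; near 1.0 means every try was a new account."""
        return len(self.users) / self.attempts


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, asn, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "asn": asn, "user": user, "ok": result == "OK"})
    return events


def roll_up(events: list, key: str) -> dict:
    """Aggregate attempts, failures and distinct users per IP or per ASN."""
    stats = defaultdict(SourceStats)
    for ev in events:
        s = stats[ev[key]]
        s.attempts += 1
        s.failures += 0 if ev["ok"] else 1
        s.users.add(ev["user"])
    return stats


def detect_stuffing(events: list, baseline_fail_ratio: float = 0.15,
                    per_ip_cap: int = 3, fail_multiplier: float = 3.0,
                    min_spread: float = 0.7) -> dict:
    """Flag a window of login events as credential stuffing when the aggregate
    failure rate is far above the site's normal baseline AND nearly every
    attempt targets a different account, however little each IP does on its own.
    baseline_fail_ratio and the multipliers are assumed tuning values."""
    if not events:
        return {"attempts": 0, "flagged": False, "suspicious_asns": []}
    total = len(events)
    failures = sum(not ev["ok"] for ev in events)
    distinct_users = len({ev["user"] for ev in events})
    by_ip = roll_up(events, "ip")
    by_asn = roll_up(events, "asn")
    fail_ratio = failures / total
    spread = distinct_users / total
    max_per_ip = max(s.attempts for s in by_ip.values())
    # ASNs whose own traffic shows the same signature help triage, but a
    # distributed botnet spreads across several ASNs, as the sample log does.
    suspicious_asns = sorted(asn for asn, s in by_asn.items()
                             if s.fail_ratio >= 0.5 and s.spread >= min_spread)
    return {
        "attempts": total,
        "fail_ratio": round(fail_ratio, 3),
        "spread": round(spread, 3),
        "max_attempts_per_ip": max_per_ip,
        # True means a per-IP rate limit alone would never have fired.
        "below_per_ip_cap": max_per_ip <= per_ip_cap,
        "suspicious_asns": suspicious_asns,
        "flagged": fail_ratio >= fail_multiplier * baseline_fail_ratio
                   and spread >= min_spread,
    }


if __name__ == "__main__":
    for name, log in (("stuffing", STUFFING_LOG), ("benign", BENIGN_LOG)):
        print(name, detect_stuffing(parse_log(log)))
```

The point of the two signals is that they survive distribution: a botnet can keep every IP under a rate limit, but it cannot hide that the site as a whole is suddenly seeing one failed login per new account. The benign sample, with repeat users and a single typo, stays below both thresholds.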
Ways to Block E-Gift Card Holiday Attacks
Here are three key considerations for blocking these attacks.
- Randomly generate e-gift card numbers to protect against enumeration and guesswork. Simple, predictable combinations of digits are easy to guess, and hackers now have tools that can enumerate them quickly.
- Especially around holidays, closely monitor application traffic patterns to e-gift card related pages. Even small increases in traffic above seasonal trends may indicate an attack is underway.
- Adopt newer types of challenges to replace CAPTCHAs that are harder for bots to solve. These challenges are simpler for humans and less likely to block conversions. An example is asking the user to roll a ball with an image inside it so the image faces up.
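The first consideration, card numbers that cannot be enumerated, as an added example (not PerimeterX’s code and not any retailer’s real numbering scheme): a predictable sequential scheme is shown next to one that draws the free digits from the operating system’s CSPRNG. The 16-digit layout, the fixed prefix `6001` and the Luhn check digit are assumptions for illustration; the check digit is there only to catch typos at the redemption form, since it is public arithmetic that any attacker can compute.

```python
"""Added example (not PerimeterX's or any retailer's code): a predictable
e-gift card numbering scheme next to a hardened one.  The 16-digit layout,
the fixed prefix and the Luhn check digit are assumptions for illustration."""
import secrets

PREFIX = "6001"                               # assumed fixed issuer prefix
CARD_LENGTH = 16                              # assumed total length incl. check digit
FREE_DIGITS = CARD_LENGTH - len(PREFIX) - 1   # the 11 digits an attacker must guess


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string.  It catches typos at the redemption
    form; it is public arithmetic and adds nothing to secrecy."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # double every other digit, starting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_check_digit(number[:-1]) == number[-1]


def weak_card_number(counter: int) -> str:
    """Weak scheme: prefix + zero-padded sequence number + check digit.
    Every issued card sits in one contiguous range."""
    body = PREFIX + str(counter).zfill(FREE_DIGITS)
    return body + luhn_check_digit(body)


def predict_next(observed: str) -> str:
    """What an attacker does with the weak scheme: read the counter out of a
    card they bought (or saw in a screenshot), add one, recompute the check digit."""
    counter = int(observed[len(PREFIX):-1])
    return weak_card_number(counter + 1)


class CardIssuer:
    """Hardened scheme: the free digits come from the OS CSPRNG, and the issuer
    keeps the set of live numbers so a collision is re-drawn rather than reused."""

    def __init__(self):
        self.issued = set()

    def issue(self) -> str:
        while True:
            body = PREFIX + str(secrets.randbelow(10 ** FREE_DIGITS)).zfill(FREE_DIGITS)
            number = body + luhn_check_digit(body)
            if number not in self.issued:
                self.issued.add(number)
                return number


def expected_guesses_per_hit(live_cards: int, free_digits: int = FREE_DIGITS) -> float:
    """With random numbering, an attacker submitting well-formed guesses (right
    prefix, right check digit, both public) needs on average space/live tries
    per live card found.  With the weak scheme the space collapses to the
    counter range, so the answer is about one."""
    return 10 ** free_digits / live_cards


if __name__ == "__main__":
    seen = weak_card_number(1000)
    print("weak:", seen, "-> next card is", predict_next(seen))
    issuer = CardIssuer()
    print("random:", issuer.issue(), issuer.issue())
    print("guesses per hit with 1M live cards:", expected_guesses_per_hit(10 ** 6))
```

With a million live cards in an 11-digit random space, an attacker needs about 100,000 well-formed guesses per hit, which is the kind of volume the traffic monitoring in the second consideration is meant to catch; with the sequential scheme, one observed card gives away the next one for free. Random numbers do not replace a separate PIN and a redemption rate limit, they make the number itself stop being the weak link.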
Consumers and online businesses enjoy the benefits of e-gift cards, but the rising threat of bot attacks on e-gift cards, especially during holidays, casts a shadow over this lucrative payment channel. E-gift card theft hurts customer trust, impacts revenue and imposes unnecessary costs on the business. When an attack happens, security, risk and operations teams can spend considerable energy, time and money remediating security issues. Business and support teams can spend weeks contacting impacted customers and arranging to make them whole. And marketing and PR teams will need to mount efforts to counter bad press and protect the brand. Putting proactive steps in place to block e-gift card attacks is no longer something businesses think about once a year to prepare for Cyber Monday, because now every holiday is open season for e-gift card attacks.
Related resources about carding:
Calculator: Calculate the Cost of Bot-Driven Carding Fraud