Bot attacking gift card accounts

Your gift card might not be worth anything


It's the gift that keeps on giving for cybercriminals. The accounts connected to gift cards are being wiped out as quickly as a teenager's cash at a shopping mall.

Luxury retailers, supermarkets, and major coffee distributors with gift card processing capabilities are all targets of a new widespread cybersecurity attack.

Hackers are using a bot, dubbed GiftGhostBot, to test a list of potential gift card account numbers at a rate of 1.7 million gift card numbers per hour. It is believed that once they correctly identify gift card numbers, they are draining balances for resale on the dark web. On one retail customer site, there have been peaks of over 4 million requests per hour, nearly 10 times their normal level of traffic.

The company that identified the attack, Distil Networks, has tracked activity on nearly 1,000 customer websites. In several instances, over half of the traffic on the website was on the gift card page alone, indicating a very targeted attack. 

Fraudsters are using automation to test a list of potential account numbers, requesting the balance for each. If successful in obtaining a balance, fraudsters can resell the account number on the dark web or use it to purchase goods. Distil wrote on its site: "If the balance is provided, the bot operator knows that the account number exists and contains funds. For a cyber thief, the beauty of stealing money from gift cards is that it is typically anonymous and untraceable once stolen."

GiftGhostBots are being distributed across worldwide hosting providers, mobile ISPs, and data centers, executing JavaScript to avoid detection.
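
The traffic pattern Distil describes (a spike well above normal volume, most requests landing on the gift card page, and sources spread across many networks) can be looked for in a site's own request logs. The following is an added example, not code from Distil or the original article; the endpoint path, record layout, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

BALANCE_PATH = "/giftcard/balance"  # hypothetical endpoint name (assumption)

def hourly_signals(records, baseline_per_hour):
    """records: (hour, client_ip, path, card_number, balance_found) tuples."""
    hours = defaultdict(lambda: {"total": 0, "checks": 0, "misses": 0,
                                 "cards": set(), "ips": set()})
    for hour, ip, path, card, found in records:
        h = hours[hour]
        h["total"] += 1
        if path == BALANCE_PATH:
            h["checks"] += 1
            h["misses"] += 0 if found else 1
            h["cards"].add(card)
            h["ips"].add(ip)
    signals = {}
    for hour, h in hours.items():
        checks, ips = h["checks"], len(h["ips"])
        signals[hour] = {
            "volume_ratio": h["total"] / baseline_per_hour,   # vs. normal traffic
            "balance_share": checks / h["total"],             # share on gift card page
            "miss_rate": h["misses"] / checks if checks else 0.0,
            "distinct_ips": ips,
            # Low value under attack: per-IP rate limits alone would not trip.
            "cards_per_ip": len(h["cards"]) / ips if ips else 0.0,
        }
    return signals

def flag_enumeration(signals, share=0.5, miss=0.9, volume=3.0):
    """Thresholds are illustrative assumptions; tune to your own baseline."""
    return sorted(hour for hour, s in signals.items()
                  if s["balance_share"] > share and s["miss_rate"] > miss
                  and s["volume_ratio"] >= volume)

def sample_records():
    """Constructed data: hour 0 is ordinary traffic, hour 1 is distributed guessing."""
    recs = [(0, f"198.51.100.{i % 20}", "/products", None, False) for i in range(95)]
    recs += [(0, f"198.51.100.{i}", BALANCE_PATH, f"REAL{i}", True) for i in range(5)]
    recs += [(1, f"198.51.100.{i % 20}", "/products", None, False) for i in range(400)]
    # 600 guessed numbers spread over 200 addresses (3 each), about 1% exist.
    recs += [(1, f"203.0.113.{i % 200}", BALANCE_PATH, f"G{i:06d}", i % 100 == 0)
             for i in range(600)]
    return recs

if __name__ == "__main__":
    sig = hourly_signals(sample_records(), baseline_per_hour=100)
    for hour in flag_enumeration(sig):
        print(hour, sig[hour])
```

In the constructed sample each source address checks only three card numbers, so the aggregate signals (page share, miss rate, volume against baseline) are what expose the hour, not any single client's request rate.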

"Like most sophisticated bot attacks, GiftGhostBot operators are moving quickly to evade detection, and any retailer that offers gift cards could be under attack at this very moment," said Rami Essaid, CEO of Distil Networks. "While it is important to understand that retailers are not exposing consumers' personal information, consumers should remain vigilant. Check gift card balances, contact retailers and ask for more information. In order to prevent resources from being drained, individuals and companies must work together to prevent further damage."

According to Distil: If you have tried to check your balance on a gift card recently, you may have noticed that many retailers could not provide you with that information online. Instead, you received a message to contact customer service by phone. This is done because gift card payment processes on websites are under sustained attack from sophisticated bad bots trying to defraud people of the money loaded onto a card.

Distil said consumers' personally identifiable information is not at risk in this scam. The research company recommends that consumers check their gift card balances regularly, use their gift cards frequently, and contact authorities if they see this kind of activity.
