‘Tis the Season: How Cybercriminals Perpetuate Gift Card Fraud

Two months ago, Fan Xia, a 29-year-old research assistant from UW-Milwaukee’s engineering department, was arrested for laundering more than $300,000 via an international scheme involving gift cards. According to the criminal complaint, Xia would receive gift card information from scammers in India, use that information to buy iTunes and Google Play gift cards, and then scratch off the codes and forward the information to another set of individuals in China.

The case is hardly unusual — fraud leveraging gift cards has become more the norm than the exception — but it does highlight several ways in which criminals typically exploit gift cards:

  • Police were tipped off to the fraud ring after a Wisconsin man reported that a caller impersonating the IRS requested he pay via gift cards $4,987 in back taxes, which is the exact type of gift card scam the IRS has been warning about the past couple years.
  • The man fell for the scam and bought three Target gift cards, two worth the maximum $2,000 and one worth $987. Those cards were then used to launder the scammed money via numerous iTunes and Google Play gift cards allegedly purchased by Xia. Police said Xia had taken pictures of the scratched-off codes of approximately 6,100 such cards over an 11-month period, totalling $305,000.
  • The victim who was duped by the IRS impersonator grew suspicious and tried to cancel the cards after providing the scammers the information, but the active gift cards were quickly used by Xia, who was allegedly buying up to $3,000 worth gift cards a day with the data from India.
2017-10-25_CashOut
Malicious actors use gift cards for a variety of purposes, including cashing out stolen credit cards. This guide on a Dark Web market claims to walk fraudsters through 10 steps of that process.

As the holiday season grows closer, there will likely be renewed warnings for both consumers and organizations about similar scams. The gift card market has grown to become a $140 billion dollar industry, and the average consumer will purchase at least two gift cards during the holidays. However, those gift cards remain relatively insecure compared to traditional payment cards, and cybercriminals will likely continue to exploit those weaknesses as consumer activity ramps up in the coming months.

How Cybercriminals Exploit Gift Cards

To use money on a gift card, fraudsters need the card code or number and, in some instances, the associated PIN. In the case involving Xia, he is alleged to have bought and scratched off the iTunes and Google Play codes himself to help launder money originally stolen from phone scam victims. However, there are several methods in which fraudsters can gain access to gift card codes without paying for them.

2017-10-25_GiftCards
Walmart gift cards have a 16-digit card number and PIN, whereas iTunes gift cards have a 16-digit alphanumeric code.

The most straightforward method for fraudsters to get codes off of physical gift cards is by simply grabbing a stack of inactive cards, which tend to be easily accessible at most stores. If the cards use magnetic strips, the card data may be stolen and cloned with a magnetic stripe reader/writer. If the cards use redeemable codes, fraudsters can scratch off the codes, copy them, and then replace the scratch-off label. Some companies don’t even bother hiding gift card numbers behind a scratch-off since they’re not usable until purchased, which makes it even easier for fraudsters to steal the data.

The fraudsters then return the cards for legitimate consumers to purchase — without knowing that the card numbers or codes they are buying are already in the possession of malicious actors.

2017-10-25_ScratchOffLabels
Replacement scratch-off stickers, magnetic stripe readers, and other legitimate tools that can be repurposed for fraud are easily purchased on sites such as Amazon and eBay.

That method, though simple, is pretty difficult to scale. Larger fraud operations tend to leverage technology, along with weaknesses in gift card security, in order to automate the compromise of gift cards.

Professional pen-tester Will Caput recently gave a presentation on how he was able to exploit the patterns of various organizations’ gift cards in order to brute force his way to discovering active card numbers. For example, Caput noticed that the gift card numbers one Mexican restaurant used were identical except for one incrementing number and the randomized last four digits. He told Wired that he could target the website used to check gift card balances with the bruteforcing software Burp Intruder to cycle through all 10,000 possible values for the last four random digits in about 10 minutes. Rinse and repeat that process via the incrementing number and a fraudster can easily generate a large number of active cards to use or to sell via cybercriminal markets.

In fact, cybercriminals used a similar approach earlier this year with GiftGhostBot, which was detected performing automated attacks against nearly 1,000 customer websites in order to check millions of gift card numbers for active cards.

Attacks like GiftGhostBot have led some companies to disable their gift card balance-check websites — or to implement CAPTCHAs and other measures to combat automated attacks. Unfortunately, many gift cards remain vulnerable to simple attacks, and cybercriminals continue to shift their attention towards gift cards as traditional payment cards become more secure due to the adoption of EMV and other fraud-prevention tactics.

Many of those compromised gift cards are then bought, sold, and traded on dark web markets and other websites, a practice we’ll examine in the second part of this blog series.

Author: Jeff Peters

SurfWatch Labs editor and host of SurfWatch Labs Cyber Chat podcast. Focused on using threat intelligence and data visualization in order to bring cybercrime to life and help make organizations safer.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s