Two months ago, Fan Xia, a 29-year-old research assistant from UW-Milwaukee’s engineering department, was arrested for laundering more than $300,000 via an international scheme involving gift cards. According to the criminal complaint, Xia would receive gift card information from scammers in India, use that information to buy iTunes and Google Play gift cards, and then scratch off the codes and forward the information to another set of individuals in China.
The case is hardly unusual — fraud leveraging gift cards has become more the norm than the exception — but it does highlight several ways in which criminals typically exploit gift cards:
- Police were tipped off to the fraud ring after a Wisconsin man reported that a caller impersonating the IRS requested he pay via gift cards $4,987 in back taxes, which is the exact type of gift card scam the IRS has been warning about the past couple years.
- The man fell for the scam and bought three Target gift cards, two worth the maximum $2,000 and one worth $987. Those cards were then used to launder the scammed money via numerous iTunes and Google Play gift cards allegedly purchased by Xia. Police said Xia had taken pictures of the scratched-off codes of approximately 6,100 such cards over an 11-month period, totalling $305,000.
- The victim who was duped by the IRS impersonator grew suspicious and tried to cancel the cards after providing the scammers the information, but the active gift cards were quickly used by Xia, who was allegedly buying up to $3,000 worth gift cards a day with the data from India.
As the holiday season grows closer, there will likely be renewed warnings for both consumers and organizations about similar scams. The gift card market has grown to become a $140 billion dollar industry, and the average consumer will purchase at least two gift cards during the holidays. However, those gift cards remain relatively insecure compared to traditional payment cards, and cybercriminals will likely continue to exploit those weaknesses as consumer activity ramps up in the coming months.
How Cybercriminals Exploit Gift Cards
To use money on a gift card, fraudsters need the card code or number and, in some instances, the associated PIN. In the case involving Xia, he is alleged to have bought and scratched off the iTunes and Google Play codes himself to help launder money originally stolen from phone scam victims. However, there are several methods in which fraudsters can gain access to gift card codes without paying for them.
The most straightforward method for fraudsters to get codes off of physical gift cards is by simply grabbing a stack of inactive cards, which tend to be easily accessible at most stores. If the cards use magnetic strips, the card data may be stolen and cloned with a magnetic stripe reader/writer. If the cards use redeemable codes, fraudsters can scratch off the codes, copy them, and then replace the scratch-off label. Some companies don’t even bother hiding gift card numbers behind a scratch-off since they’re not usable until purchased, which makes it even easier for fraudsters to steal the data.
The fraudsters then return the cards for legitimate consumers to purchase — without knowing that the card numbers or codes they are buying are already in the possession of malicious actors.
That method, though simple, is pretty difficult to scale. Larger fraud operations tend to leverage technology, along with weaknesses in gift card security, in order to automate the compromise of gift cards.
Professional pen-tester Will Caput recently gave a presentation on how he was able to exploit the patterns of various organizations’ gift cards in order to brute force his way to discovering active card numbers. For example, Caput noticed that the gift card numbers one Mexican restaurant used were identical except for one incrementing number and the randomized last four digits. He told Wired that he could target the website used to check gift card balances with the bruteforcing software Burp Intruder to cycle through all 10,000 possible values for the last four random digits in about 10 minutes. Rinse and repeat that process via the incrementing number and a fraudster can easily generate a large number of active cards to use or to sell via cybercriminal markets.
In fact, cybercriminals used a similar approach earlier this year with GiftGhostBot, which was detected performing automated attacks against nearly 1,000 customer websites in order to check millions of gift card numbers for active cards.
Attacks like GiftGhostBot have led some companies to disable their gift card balance-check websites — or to implement CAPTCHAs and other measures to combat automated attacks. Unfortunately, many gift cards remain vulnerable to simple attacks, and cybercriminals continue to shift their attention towards gift cards as traditional payment cards become more secure due to the adoption of EMV and other fraud-prevention tactics.
Many of those compromised gift cards are then bought, sold, and traded on dark web markets and other websites, a practice we’ll examine in the second part of this blog series.