gift cards – SurfWatch Labs, Inc.

Stolen Gift Cards on Marketplaces

Compromised gift cards are often sold on cybercriminal markets; however, legitimate gift card marketplaces have grown rapidly over the past few years and criminals have begun leveraging them to sell stolen gift cards or to aid in laundering money.

Marketplaces like Raise often provide customers links to help check gift card balances before listing. However, researchers have shown that balance-checking websites can be exploited by cybercriminals to determine active cards if the websites do not implement proper security measures.

Legitimate marketplaces like Raise provide a place for users to buy and sell unused gift cards.

As Raise has grown in popularity, customers have reported multiple instances of gift cards having their balances completely or partially gone by the time buyers used them, as well as instances of tens of thousands of gift cards being used to launder stolen credit card money through the site. Those issues may have helped push the company to expand its money-back guarantee on gift cards last year from 100 days to 365 days in order to help assuage some of the concerns users had about buying potentially compromised cards.

Stolen Gift Cards on the Dark Web

The dark web is in a more fluid state heading into this holiday season than it was in 2016, and that’s largely due to the law enforcement takedown of two of the top three most popular markets, AlphaBay and Hansa Market, this past summer. However, finding gift cards for sale on various smaller marketplaces is still relatively easy.

Gift cards for a variety of restaurants, retailers, and other organizations are frequently posted for sale on Dark Web markets.

Over the past few months, SurfWatch Labs has observed a variety of gift cards for sale for popular organizations on cybercriminal markets. SurfWatch Labs has not purchased the cards or verified the legitimacy of the postings, but they include:

gift cards for popular chains such as Whole Foods ($100 for $35), Hooters ($50 for $10), and Starbucks ($10-$20 for $3);

various gift cards that may be partially used, such as a $17 Applebee’s gift card for $6.80, and a $32 Five Guys gift card for $12.80;

and sellers claiming to have gift cards for dozens of other restaurants, specialty retailers, hospitality organizations, entertainment venues, and more at similarly discounted prices.

It’s unclear how the numerous gift cards for sale were stolen — or what percentage are actually legitimate — but a quick search of a dozen random companies listed found that nearly all had websites where users could check their balances. And of those, only a few required CAPTCHAs, which researchers have suggested be implemented to help slow down automated attacks.

Other common gift card fraud prevention tactics include making sure that unactivated gift cards are not easily accessible and that their numbers are hidden behind scratch-off coverings, that organizations don’t use sequential numbering or other easily recognizable patterns with their gift cards, and that consumers who have gift cards use them in a reasonable time so the window for potential attacks is shortened. In addition, some stores have implemented limits on the amount of gift cards that can be purchased at once, have begun requiring photo ID for high-dollar purchases, and are attempting to warn buyers of potential scams related to gift cards.

However, until those increased protections become more widespread, we will likely once again see a rise in gift cards being leveraged for fraud and other illicit purposes this holiday season.

Two months ago, Fan Xia, a 29-year-old research assistant from UW-Milwaukee’s engineering department, was arrested for laundering more than $300,000 via an international scheme involving gift cards. According to the criminal complaint, Xia would receive gift card information from scammers in India, use that information to buy iTunes and Google Play gift cards, and then scratch off the codes and forward the information to another set of individuals in China.

The case is hardly unusual — fraud leveraging gift cards has become more the norm than the exception — but it does highlight several ways in which criminals typically exploit gift cards:

Police were tipped off to the fraud ring after a Wisconsin man reported that a caller impersonating the IRS requested he pay via gift cards $4,987 in back taxes, which is the exact type of gift card scam the IRS has been warning about the past couple years.
The man fell for the scam and bought three Target gift cards, two worth the maximum $2,000 and one worth $987. Those cards were then used to launder the scammed money via numerous iTunes and Google Play gift cards allegedly purchased by Xia. Police said Xia had taken pictures of the scratched-off codes of approximately 6,100 such cards over an 11-month period, totalling $305,000.
The victim who was duped by the IRS impersonator grew suspicious and tried to cancel the cards after providing the scammers the information, but the active gift cards were quickly used by Xia, who was allegedly buying up to $3,000 worth gift cards a day with the data from India.

2017-10-25_CashOut — Malicious actors use gift cards for a variety of purposes, including cashing out stolen credit cards. This guide on a Dark Web market claims to walk fraudsters through 10 steps of that process.

As the holiday season grows closer, there will likely be renewed warnings for both consumers and organizations about similar scams. The gift card market has grown to become a $140 billion dollar industry, and the average consumer will purchase at least two gift cards during the holidays. However, those gift cards remain relatively insecure compared to traditional payment cards, and cybercriminals will likely continue to exploit those weaknesses as consumer activity ramps up in the coming months.

How Cybercriminals Exploit Gift Cards

To use money on a gift card, fraudsters need the card code or number and, in some instances, the associated PIN. In the case involving Xia, he is alleged to have bought and scratched off the iTunes and Google Play codes himself to help launder money originally stolen from phone scam victims. However, there are several methods in which fraudsters can gain access to gift card codes without paying for them.

2017-10-25_GiftCards — Walmart gift cards have a 16-digit card number and PIN, whereas iTunes gift cards have a 16-digit alphanumeric code.

The most straightforward method for fraudsters to get codes off of physical gift cards is by simply grabbing a stack of inactive cards, which tend to be easily accessible at most stores. If the cards use magnetic strips, the card data may be stolen and cloned with a magnetic stripe reader/writer. If the cards use redeemable codes, fraudsters can scratch off the codes, copy them, and then replace the scratch-off label. Some companies don’t even bother hiding gift card numbers behind a scratch-off since they’re not usable until purchased, which makes it even easier for fraudsters to steal the data.

The fraudsters then return the cards for legitimate consumers to purchase — without knowing that the card numbers or codes they are buying are already in the possession of malicious actors.

2017-10-25_ScratchOffLabels — Replacement scratch-off stickers, magnetic stripe readers, and other legitimate tools that can be repurposed for fraud are easily purchased on sites such as Amazon and eBay.

That method, though simple, is pretty difficult to scale. Larger fraud operations tend to leverage technology, along with weaknesses in gift card security, in order to automate the compromise of gift cards.

Professional pen-tester Will Caput recently gave a presentation on how he was able to exploit the patterns of various organizations’ gift cards in order to brute force his way to discovering active card numbers. For example, Caput noticed that the gift card numbers one Mexican restaurant used were identical except for one incrementing number and the randomized last four digits. He told Wired that he could target the website used to check gift card balances with the bruteforcing software Burp Intruder to cycle through all 10,000 possible values for the last four random digits in about 10 minutes. Rinse and repeat that process via the incrementing number and a fraudster can easily generate a large number of active cards to use or to sell via cybercriminal markets.

In fact, cybercriminals used a similar approach earlier this year with GiftGhostBot, which was detected performing automated attacks against nearly 1,000 customer websites in order to check millions of gift card numbers for active cards.

Attacks like GiftGhostBot have led some companies to disable their gift card balance-check websites — or to implement CAPTCHAs and other measures to combat automated attacks. Unfortunately, many gift cards remain vulnerable to simple attacks, and cybercriminals continue to shift their attention towards gift cards as traditional payment cards become more secure due to the adoption of EMV and other fraud-prevention tactics.

Many of those compromised gift cards are then bought, sold, and traded on dark web markets and other websites, a practice we’ll examine in the second part of this blog series.