820% jump in e-gift card bot attacks since COVID-19 lockdowns began

The biggest victims were online food-delivery services and retailers, says cybersecurity firm PerimeterX.

Cybercriminals have long used e-gift card scams to bilk millions out of unsuspecting victims, but the attacks are usually deployed around the holidays when people are rushing to load up on gifts for loved ones. 

Attackers are moving well beyond the holiday season and are now leveraging the coronavirus pandemic and subsequent lockdown to push these e-gift card scams at a rate unseen before. 

Researchers with cybersecurity firm PerimeterX have released new data showing an 820% increase in e-gift card scams since March, when most people began staying home to protect themselves from COVID-19.

“E-gift card attacks usually target well-known brands because their e-gift cards are ‘hot goods’ in the secondary market. Amongst the brands protected by PerimeterX, we saw e-gift card attacks stay fairly steady in the e-commerce vertical; however, since the COVID-19 lockdown started we saw a skyrocketing increase of 820% in such attacks, mainly in online food delivery services,” PerimeterX’s Yossi Barkshtein wrote in a blog this week.

“In one example, a sophisticated e-gift card attack on a top-five US retailer lasted around two months—a very long time for a massive bot attack. During this time, tens of thousands of requests to e-gift card pages were malicious.”

In a previous post, Barkshtein wrote that the digital gift card business will be worth more than $381 billion in 2020, and experts say it will grow to nearly $600 billion by 2026. He cites numbers from TotalRetail that show almost 20% of all holiday gift card sales in 2019 came from digital gift cards. 

Most e-gift card scams take two forms: card cracking and account takeover. Barkshtein explained that account takeover-based attacks are far more common and generally more successful than cracking attacks. Major companies like Amazon, Apple, Google, Nike, Walmart, Target, Wish, Starbucks, McDonald's, Adidas, and Nordstrom all allow their customers to give digital gift cards and now have to spend millions investigating incidents involving theft of those cards.

TechRepublic previously reported that gift card scams have become increasingly common for cybercriminals to use because they do not require bank accounts or traceable fund transfers and can typically be sold or traded online for about 70% of their initial value.

Cybercriminals generally buy batches of stolen account usernames and passwords, then test them in a distributed attack routed through multiple proxies or IP addresses. Barkshtein noted that many of the people behind these attacks are very experienced, and a wide range of tools is readily available on both the open internet and the dark web.

Once they have confirmed the stolen account works and isn’t blocked by a retailer or website, cybercriminals can then start to make money.

“Abusing the account for e-gift cards is done either by using an existing balance or by buying e-gift cards using the account information if possible,” Barkshtein wrote. 

“The monetization can be done in three main ways: Use the stolen gift card balance for purchases, use the account balance to buy e-gift cards and sell them on secondary markets and convert e-gift cards into cash on dedicated platforms such as cardcash.com.”

He shared graphs showing various spikes in this illegal activity throughout the past few months, highlighting how some attacks go on for months while others are fairly brief. 

PerimeterX pulled data from its own customers to show the variety of attacks. For one top-five US retailer client, the bot attack lasted for two months, with thousands of malicious e-gift card page requests. 

For a top travel brand, PerimeterX researchers found that total traffic to the e-gift card page had reached 99% due to spikes in malicious traffic. The same goes for another food delivery company the firm protects, and the study includes charts showing that along with the increased demand due to the pandemic, there was an increase in the number and breadth of attacks. 

“E-gift card bot attacks are often hard to detect. Most of these attacks are conducted using botnets that are highly distributed and use multiple IP addresses, multiple ASNs and many different devices. The result is attacks that mimic human behavior and are complicated to detect and block,” added Barkshtein.

He went deeper into the attack on the top-five retailer, showing how the cybercriminals used thousands of IP addresses to “manipulate and bypass the bot protection,” something Barkshtein said was indicative of experienced and sophisticated hackers.

The blog included a number of steps websites or stores can take to protect themselves from these damaging attacks, which are increasingly proving costly for businesses. First, companies should generate e-gift card numbers complex enough that they cannot be predicted or guessed.

“To prevent cybercriminals from stealing e-gift cards and emptying balances, make it harder for them. Simple or similar combinations of digits and characters are easily guessed by basic algorithms used for card cracking. If you choose to work with a third-party vendor for producing e-gift cards, always conduct proper due diligence, especially regarding the vendor’s information and data security,” Barkshtein noted.
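As an added illustration of that "make it harder" advice (example code, not from PerimeterX or the article): a hypothetical card-code format issued from the OS CSPRNG with a check symbol, plus the arithmetic a card cracker faces when any live card will do. The alphabet, code length and live-card count are assumed values.

```python
import math
import secrets
import string

# Hypothetical format: 16 random symbols from a 36-symbol alphabet plus one check symbol.
ALPHABET = string.ascii_uppercase + string.digits

def code_space_bits(alphabet_size: int, body_len: int) -> float:
    """Entropy (bits) of the freely chosen part of a card code."""
    return body_len * math.log2(alphabet_size)

def expected_guesses_per_hit(alphabet_size: int, body_len: int, live_cards: int) -> float:
    """A card cracker wants *any* live card, not a particular one, so the expected
    guesses per hit is the code space divided by the number of unredeemed cards.
    A 10-digit numeric scheme with a million live cards falls in about 10,000 guesses;
    the random format below needs roughly 8e18 guesses for the same number of cards."""
    return alphabet_size ** body_len / live_cards

def check_symbol(body: str) -> str:
    """Position-weighted mod-36 check symbol: catches typos on the redemption form
    and costs exactly one symbol of guess space, no more."""
    total = sum((i + 1) * ALPHABET.index(c) for i, c in enumerate(body))
    return ALPHABET[total % len(ALPHABET)]

def issue_code(body_len: int = 16) -> str:
    """Issue a card code from the OS CSPRNG (secrets), never from a counter or a PRNG."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(body_len))
    return body + check_symbol(body)

def verify_format(code: str, body_len: int = 16) -> bool:
    """Cheap pre-check before any database lookup: wrong length, wrong alphabet
    or a bad check symbol is rejected without touching the balance table."""
    if len(code) != body_len + 1 or any(c not in ALPHABET for c in code):
        return False
    return check_symbol(code[:-1]) == code[-1]
```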

“Second, with bots improving constantly and mimicking user behavior, web and mobile application owners should pay more attention to advanced automated threats. That includes closely monitoring application traffic and specifically traffic patterns on e-gift card related pages.”
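The traffic-pattern monitoring he describes, as an added example that is not PerimeterX's or the article's own code: a small detector run over constructed web-server log lines that flags minute windows in which e-gift card pages dominate traffic, requests arrive from many distinct IPs and ASNs, and nearly every balance lookup fails. The log format, the ASN enrichment column and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log: "<timestamp> <client ip> <ASN> <method> <path> <status>".
# The ASN column is assumed to come from an IP-enrichment step (hypothetical).
SAMPLE_LOG = (
    # Minute 10:00: 12 distinct IPs in 3 ASNs probe the balance page; every lookup fails.
    [f"2020-05-01T10:00:{s:02d} 203.0.113.{s} AS6450{s % 3} GET /giftcard/balance 403"
     for s in range(12)]
    + ["2020-05-01T10:00:30 192.0.2.5 AS64510 GET /checkout 200"]
    # Minute 10:05: ordinary browsing with a couple of genuine balance checks.
    + [f"2020-05-01T10:05:{s:02d} 192.0.2.{s} AS64510 GET /product/{s} 200" for s in range(20)]
    + ["2020-05-01T10:05:40 192.0.2.30 AS64510 GET /giftcard/balance 200",
       "2020-05-01T10:05:41 192.0.2.31 AS64511 GET /giftcard/balance 403"]
)

def parse_line(line: str) -> dict:
    ts, ip, asn, _method, path, status = line.split()
    return {"minute": ts[:16], "ip": ip, "asn": asn, "path": path, "status": int(status)}

def giftcard_window_stats(lines) -> dict:
    """Per-minute counters: all requests, e-gift card requests, distinct IPs/ASNs
    hitting e-gift card pages, and failed (>= 400) e-gift card requests."""
    windows = defaultdict(lambda: {"total": 0, "gift": 0, "ips": set(), "asns": set(), "fail": 0})
    for line in lines:
        r = parse_line(line)
        w = windows[r["minute"]]
        w["total"] += 1
        if r["path"].startswith("/giftcard/"):
            w["gift"] += 1
            w["ips"].add(r["ip"])
            w["asns"].add(r["asn"])
            if r["status"] >= 400:
                w["fail"] += 1
    return windows

def flag_windows(windows, min_requests=10, min_ips=5, fail_ratio=0.8, share=0.9):
    """Alert on (minute, gift requests, distinct IPs, distinct ASNs) when e-gift card
    traffic dominates the window, is spread over many sources and mostly fails."""
    alerts = []
    for minute, w in sorted(windows.items()):
        if w["gift"] < min_requests:
            continue
        if (w["gift"] / w["total"] >= share and len(w["ips"]) >= min_ips
                and w["fail"] / w["gift"] >= fail_ratio):
            alerts.append((minute, w["gift"], len(w["ips"]), len(w["asns"])))
    return alerts
```

Distributed cracking shows up here as many sources and a high failure ratio in one window, whereas the 10:05 window with two genuine lookups stays quiet.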