GiftGhostBot Tries to Steal 1.7 Million Gift Cards Per Hour

Gift cards are under attack by hackers, and consumers are being advised to check their balances.

Luxury retailers, supermarkets, and major coffee distributors with gift card processing capabilities are all targets of a new widespread cybersecurity attack, according to Distil Networks, which has tracked activity on nearly 1,000 customer websites.

Hackers are using a bot dubbed GiftGhostBot to test a rolling list of candidate gift card account numbers against retailers' gift card processing pages at a rate of 1.7 million numbers per hour. Once a number is confirmed as valid through this brute-force enumeration, the attackers are believed to resell it on the Dark Web or use it to purchase goods.

Beginning on Feb. 26, the Distil security analyst team noticed increased bot activity on customer websites with gift card processing capabilities. GiftGhostBot traffic originates from hosting providers, mobile ISPs and data centers worldwide, and the bot executes JavaScript, which lets it pass the simple checks that filter out clients without a scripting engine. On one customer website, the analyst team recorded 4 million bad bot requests per hour, nearly 10 times the site's normal level of traffic.

“Like most sophisticated bot attacks, GiftGhostBot operators are moving quickly to evade detection, and any retailer that offers gift cards could be under attack at this very moment,” said Rami Essaid, CEO of Distil Networks. “While it is important to understand that retailers are not exposing consumers’ personal information, consumers should remain vigilant. Check gift card balances, contact retailers and ask for more information. In order to prevent resources from being drained, individuals and companies must work together to prevent further damage.”

Distil also classifies GiftGhostBot as an advanced persistent bot, or APB: it disguises its identity by rotating user-agent strings, is spread across a large number of source addresses, mimics a normal browser, and persists. If it is blocked by one defensive technique, it adapts and returns using a different attack technique.
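The behaviour described above (high-rate enumeration of candidate card numbers, rotating user-agent strings, and distribution across many source addresses) is exactly what a defender can look for in web-server logs. The following is an added example written for this article, not code from Distil or from the retailers involved. It assumes an Apache combined-format access log, a hypothetical endpoint `/giftcard/balance?card=...` that returns 200 for a valid card and 404 for an unknown one, and illustrative thresholds; the log lines are constructed, and the addresses are documentation ranges. It profiles each source IP for the per-source signature, and separately counts failed lookups site-wide, because a distributed bot can keep every individual IP below per-source thresholds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access-log lines (Apache "combined" format), made up for
# this example. The /giftcard/balance endpoint and its 404-on-unknown-card
# behaviour are assumptions, not details from the report.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Feb/2017:10:00:01 +0000] "GET /giftcard/balance?card=6006491234567001 HTTP/1.1" 404 52 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/56.0"
203.0.113.7 - - [26/Feb/2017:10:00:01 +0000] "GET /giftcard/balance?card=6006491234567002 HTTP/1.1" 404 52 "-" "Mozilla/5.0 (Macintosh) Safari/602.4"
203.0.113.7 - - [26/Feb/2017:10:00:02 +0000] "GET /giftcard/balance?card=6006491234567003 HTTP/1.1" 404 52 "-" "Mozilla/5.0 (X11; Linux) Firefox/51.0"
203.0.113.7 - - [26/Feb/2017:10:00:02 +0000] "GET /giftcard/balance?card=6006491234567004 HTTP/1.1" 404 52 "-" "Mozilla/5.0 (Windows NT 10.0) Chrome/56.0"
203.0.113.7 - - [26/Feb/2017:10:00:03 +0000] "GET /giftcard/balance?card=6006491234567005 HTTP/1.1" 200 88 "-" "Mozilla/5.0 (Macintosh) Safari/602.4"
203.0.113.7 - - [26/Feb/2017:10:00:03 +0000] "GET /giftcard/balance?card=6006491234567006 HTTP/1.1" 404 52 "-" "Mozilla/5.0 (X11; Linux) Firefox/51.0"
198.51.100.20 - - [26/Feb/2017:10:00:05 +0000] "GET /giftcard/balance?card=6006491234560009 HTTP/1.1" 200 88 "-" "Mozilla/5.0 (iPhone) Safari/602.1"
198.51.100.20 - - [26/Feb/2017:10:00:40 +0000] "GET /giftcard/balance?card=6006491234560009 HTTP/1.1" 200 88 "-" "Mozilla/5.0 (iPhone) Safari/602.1"
192.0.2.11 - - [26/Feb/2017:10:00:10 +0000] "GET /giftcard/balance?card=6006491234567101 HTTP/1.1" 404 52 "-" "Mozilla/5.0 (Android 7.0) Chrome/56.0"
192.0.2.12 - - [26/Feb/2017:10:00:11 +0000] "GET /giftcard/balance?card=6006491234567102 HTTP/1.1" 404 52 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/55.0"
192.0.2.13 - - [26/Feb/2017:10:00:12 +0000] "GET /giftcard/balance?card=6006491234567103 HTTP/1.1" 404 52 "-" "Mozilla/5.0 (Macintosh) Chrome/56.0"
192.0.2.14 - - [26/Feb/2017:10:00:13 +0000] "GET /giftcard/balance?card=6006491234567104 HTTP/1.1" 404 52 "-" "Mozilla/5.0 (X11; Linux) Chrome/56.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
BALANCE_PATH = "/giftcard/balance"  # assumed endpoint name
CARD_RE = re.compile(r"[?&]card=(\d+)")


def parse_line(line):
    """Parse one combined-format line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    card = CARD_RE.search(rec["path"])
    rec["card"] = card.group(1) if card else None
    return rec


def balance_checks(log_text):
    """Yield only the parsed requests that hit the balance endpoint with a card number."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"].startswith(BALANCE_PATH) and rec["card"]:
            yield rec


def profile_sources(log_text):
    """Per source IP: request count, distinct card numbers, distinct user-agents, failed lookups."""
    stats = defaultdict(lambda: {"requests": 0, "cards": set(), "uas": set(), "failures": 0})
    for rec in balance_checks(log_text):
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["cards"].add(rec["card"])
        s["uas"].add(rec["ua"])
        if rec["status"] != 200:
            s["failures"] += 1
    return stats


def flag_enumerators(stats, min_requests=5, min_failure_ratio=0.6, min_uas=2):
    """Flag sources showing the per-IP enumeration signature: many requests, almost
    every one for a different card, mostly failing, with the user-agent rotating.
    Thresholds are illustrative; tune them against your own baseline."""
    flagged = []
    for ip, s in stats.items():
        if s["requests"] < min_requests:
            continue
        distinct_ratio = len(s["cards"]) / s["requests"]
        failure_ratio = s["failures"] / s["requests"]
        if distinct_ratio >= 0.9 and failure_ratio >= min_failure_ratio and len(s["uas"]) >= min_uas:
            flagged.append(ip)
    return sorted(flagged)


def peak_failed_lookups(log_text, window_seconds=60):
    """Site-wide view: the largest number of failed balance lookups in any window.
    A distributed bot keeps each IP under the per-source thresholds (192.0.2.x
    above sends one request per address), so the endpoint-level count is what
    catches it; compare the result with the site's normal failure rate."""
    buckets = defaultdict(int)
    for rec in balance_checks(log_text):
        if rec["status"] != 200:
            buckets[int(rec["ts"].timestamp()) // window_seconds] += 1
    return max(buckets.values(), default=0)


if __name__ == "__main__":
    stats = profile_sources(SAMPLE_LOG)
    print("per-source enumerators:", flag_enumerators(stats))
    print("peak failed lookups per minute:", peak_failed_lookups(SAMPLE_LOG))
```

On the sample, the per-source check flags only 203.0.113.7 (six requests, six different cards, five failures, three user-agent strings), while the four single-request sources in 192.0.2.0/24 slip past it; the site-wide count of nine failed lookups in one minute is what would reveal them against a normal baseline of a handful of mistyped numbers. The sensible response to the site-wide signal is rate limiting or a challenge on the balance endpoint rather than blocking individual addresses, since the sources rotate.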

The impact could be wide-ranging.

“Consumers may suffer from a loss of faith in gift cards and make an irate call to the company that issued the gift card if they see their account balance disappear,” the firm noted in its analysis. “Assuming the gift card is not FDIC protected or registered, if the issuing company doesn’t replenish the amount, the consumer relationship is damaged.”

It added, “Businesses have to successfully handle these dissatisfied customer calls asking for a refund to maintain their future relationship. But…requests into the website could reach millions each day and potentially inundate the servers leading to slowdowns or downtime; it amounts to an application denial of service.”
