E-Gift Card Attacks Growing More Frequent, Sophisticated


Consumers and online businesses enjoy the benefits of e-gift cards, but the rising threat of bot attacks on e-gift cards, especially during holidays, casts a shadow over this lucrative payment channel. E-gift card theft hurts customer trust, impacts revenue and imposes unnecessary costs on the business. When an attack happens, security, risk and operations teams can spend considerable energy, time and money remediating security issues. Business and support teams can spend weeks contacting impacted customers and arranging to make them whole, and marketing and PR teams will need to mount efforts to counter bad press and protect the brand.

Hackers love online gift cards and gift card balances because they skirt the deeper scrutiny of credit card transactions and account owners are less likely to notice changes to their gift card balances. This makes selling validated accounts with gift cards, or draining the gift card accounts by, ironically, sending an unauthorized gift card, easy money. Four ways that hackers can cash in are:

  • Use the stolen gift card balance for purchases
  • Use the account balance to buy e-gift cards and sell them on secondary markets
  • Convert e-gift cards into cash on dedicated platforms such as cardcash.com
  • Sell a validated password / username pair for up to $45 on the Dark Web

We estimate the market for stolen gift cards and theft using unauthorized digital gift cards is well into the billions of dollars each year. The sale of stolen gift cards is now an open practice, easy to find with search engines like Google. There are even organized marketplaces on the Dark Web with websites that look like legitimate markets, where sellers can unload stolen gift cards and buyers can pick them up at big discounts from the card’s face value. Criminals often request payment in cryptocurrencies like Bitcoin or Ethereum that are difficult to trace.

As more business has moved online with the great pandemic digital transformation, attackers have shown increasing sophistication in e-gift card fraud attempts. Today we commonly find well-organized technology stacks behind these attacks, making e-gift card bot attacks hard to detect. Most attacks are delivered via massive botnets designed to avoid detection. The botnets are highly distributed: they use multiple IP addresses, multiple ASNs and many different devices.

The bots themselves are designed to behave like humans, solving CAPTCHAs and moving around a website or accessing an API in what to the naked eye might look like a very normal behavior pattern. As a result, the attacks are hard to distinguish from human behavior, and security teams that block bots too aggressively or cannot detect the subtle behavioral differences will mistakenly block normal customers.

Ways to Block E-Gift Card Holiday Attacks

Putting in place proactive steps to block e-gift card attacks is no longer something businesses think about once a year to prepare for Cyber Monday – because now, every holiday is open season for e-gift card attacks.

Here are four key considerations in blocking these attacks.

  1. Randomly generate e-gift card numbers to protect against emulation and guesswork. Simple combinations of numbers and digits are easy to guess. Hackers now have tools that can do this quickly.
  2. Especially around holidays, closely monitor application traffic patterns to e-gift card related pages. Even small increases in traffic above seasonal trends may indicate an attack is underway.
  3. Adopt newer types of challenges to replace CAPTCHA that are harder for bots to solve. These challenges are actually simpler for humans and less likely to block conversions. An example is asking the human to roll a ball with an image inside of it so the image faces up.
  4. Implement machine learning systems that can identify granular behavior patterns and more accurately distinguish bots from real human visitors. The machine learning should be an out-of-band service that is easy to deploy (via JavaScript) but does not impact the user experience.
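
As an added illustration of step 1 (not code from the original post), the sketch below issues card codes from the operating system's CSPRNG and estimates how often random guessing would hit a live card. The alphabet, the 16-symbol length, the `store` dictionary and the card counts are assumptions chosen for the example.

```python
import math
import secrets

# Constructed 32-symbol alphabet (Crockford base32): no I, L, O or U,
# so codes survive being read aloud or retyped.
ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
CODE_LENGTH = 16  # 16 symbols x 5 bits = 80 bits of randomness


def new_code(length=CODE_LENGTH):
    """Return a code drawn from the OS CSPRNG, grouped in fours for display."""
    raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return "-".join(raw[i:i + 4] for i in range(0, length, 4))


def normalize(user_input):
    """Canonical form for lookup: no separators, upper case."""
    return user_input.replace("-", "").replace(" ", "").upper()


def issue(store, balance_cents):
    """Create a card in `store` (a dict standing in for the card database)."""
    while True:
        code = new_code()
        key = normalize(code)
        if key not in store:  # collisions are vanishingly rare, but check
            store[key] = balance_cents
            return code


def hit_probability(issued, keyspace, attempts):
    """Chance that at least one of `attempts` uniform random guesses is a live card."""
    p_single = issued / keyspace
    return -math.expm1(attempts * math.log1p(-p_single))


if __name__ == "__main__":
    store = {}
    print("sample code:", issue(store, 5000))
    # Constructed comparison: one million live cards in each scheme.
    weak = hit_probability(1_000_000, 10 ** 8, attempts=1_000)
    strong = hit_probability(1_000_000, len(ALPHABET) ** CODE_LENGTH, attempts=10 ** 9)
    print(f"8-digit numeric, 1,000 guesses: {weak:.5f}")
    print(f"16-symbol random, 1e9 guesses:  {strong:.2e}")
```

With one million live cards, an 8-digit numeric scheme gives a guesser a 1% hit rate per attempt, while the 16-symbol random scheme stays below one in a billion even after a billion attempts.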
