Cybercrime

Botnet Pummels Retail Websites in Hunt for Gift Card Balances

Malicious Bot Checked More Than 4 Million Gift Card Numbers Per Hour in Search of Active Cards With Balances

A recently discovered Internet bot is conducting sustained attacks against retailers and checking millions of gift card numbers to determine if any have balances, Distil Networks researchers warn.

Dubbed GiftGhostBot, the sophisticated bot was detected on February 26, 2017 and has managed to hit nearly 1,000 websites to date, the researchers say. The bot is still active, and targeting retailers around the world at a rate of millions of requests per hour.

“The websites of retailers all over the globe are targets. Gift cards are typically associated with a particular company, and can be used to purchase any item sold by that company. Any website with gift card processing capability, including checking your gift card balance or replenishing funds, is a potential target,” the security firm reveals.

The bot uses card cracking or token cracking attacks where automation is leveraged to test a list of potential account numbers and request the balance. When such a balance is provided, the attacker knows that the account number exists and contains funds.

This information allows bot operators to use the account number to purchase goods, though they could also sell those accounts on the dark web. Stealing money from gift cards is typically anonymous and untraceable, allowing cybercriminals to abuse the method with little fear of being caught.

GiftGhostBot was observed reaching peaks of over 4 million requests per hour on some retailer websites, nearly ten times the normal level of traffic on those domains. In addition to stealing users’ funds, the bot can cause slowdowns or site downtime.

Distil Networks classifies GiftGhostBot as an Advanced Persistent Bot (APB), because it has multiple functions. The bot rotates user-agent strings to hide its identity and is heavily distributed across various hosting providers and data centers worldwide. Moreover, it can mimic a normal browser, courtesy of high sophistication when executing JavaScript, and shows increased flexibility in the use of different attack techniques to avoid being blocked.


Distil Networks found five main profiles used in the attack, with the first three used at the beginning of the campaign, and the other two (where the bot identified itself as iPhone and Android user agents) developed after the previous ones were blocked. GiftGhostBot appears well-funded, considering that the cost of the attack increased significantly with the new profiles, as each “request would cost at least five times more by using mobile ISPs,” the researchers say.

“We detected on average 6,400 unique fingerprints per hour. Because the device fingerprint is more accurate than an IP address and user agent, you see that the average number of user agents detected was higher, at 6,500 per hour, and that IP addresses were detected at an average rate of 29,000 per hour. All of these numbers indicate that the bot was distributing itself widely and trying to hide,” Distil’s researchers said.

While retailers shouldn’t be blamed for these attacks, they can thwart them by implementing a CAPTCHA on the Check-your-Gift-Card-Balance pages, by keeping an eye on their traffic to determine if they are targeted, and by limiting the number of requests on gift card pages.
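The traffic monitoring suggested above can be reduced to a simple rule: a shopper checks one or two cards, whereas a card-cracking bot probes many distinct card numbers, most of which do not exist. The following detector is an added example, not code from the article or from Distil Networks; the log format, the thresholds and the sample lines are all constructed assumptions, and the client IP stands in for the device fingerprint the researchers describe.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not real traffic): time, client IP, user agent, card number, result.
SAMPLE_LOG = """\
2017-02-26T10:00:01 203.0.113.7 UA-Chrome 6006491111111111 NOT_FOUND
2017-02-26T10:00:01 203.0.113.7 UA-Firefox 6006491111111112 NOT_FOUND
2017-02-26T10:00:02 203.0.113.7 UA-iPhone 6006491111111113 NOT_FOUND
2017-02-26T10:00:02 203.0.113.7 UA-Android 6006491111111114 NOT_FOUND
2017-02-26T10:00:03 203.0.113.7 UA-Chrome 6006491111111115 BALANCE
2017-02-26T10:00:03 203.0.113.7 UA-Firefox 6006491111111116 NOT_FOUND
2017-02-26T10:05:00 198.51.100.9 UA-Chrome 6006492222222222 BALANCE
2017-02-26T10:05:30 198.51.100.9 UA-Chrome 6006492222222222 BALANCE
"""

WINDOW = timedelta(seconds=60)   # sliding window for counting distinct cards (assumed)
MIN_DISTINCT_CARDS = 5           # a shopper rarely checks more than a few cards (assumed)
MIN_NOT_FOUND_RATIO = 0.6        # guessed numbers mostly do not exist (assumed)

def parse_line(line):
    ts, ip, ua, card, result = line.split()
    return datetime.fromisoformat(ts), ip, ua, card, result

def find_card_cracking(log_text):
    """Return {client_ip: reason} for clients whose balance-check traffic looks like cracking."""
    per_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        per_client[rec[1]].append(rec)
    flagged = {}
    for ip, recs in per_client.items():
        recs.sort(key=lambda r: r[0])
        start = 0
        # Slide a time window over the client's requests and test each window.
        for end in range(len(recs)):
            while recs[end][0] - recs[start][0] > WINDOW:
                start += 1
            window = recs[start:end + 1]
            cards = {r[3] for r in window}
            if len(cards) < MIN_DISTINCT_CARDS:
                continue
            not_found = sum(1 for r in window if r[4] == "NOT_FOUND") / len(window)
            agents = {r[2] for r in window}
            if not_found >= MIN_NOT_FOUND_RATIO:
                flagged[ip] = (f"{len(cards)} distinct cards, {not_found:.0%} not found, "
                               f"{len(agents)} user agents within {WINDOW.seconds}s")
                break
    return flagged
```

The user-agent count in the reason string is reported rather than thresholded, because rotating user agents from one fingerprint is a supporting signal, not proof on its own.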

Consumers are advised to always keep track of their balance and to not leave money unused. However, because some retailers’ websites are under sustained attack from this bot, users might experience issues when attempting to check the balance on their gift cards. For example, websites might seem unable to provide the requested information, Distil Networks explains.

Related: Gift Cards Preferred Payment Method in Japanese Underground

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
