Can’t think of anything to buy for a special day, and a gift card looks like an excellent last-minute solution? Think twice. Due to widespread gift card scams, you might easily get bilked.
An engineer from the cybersecurity company NortonLifeLock discovered that the Costco gift cards he owned showed $0 balances after purchase despite never having used them. So he turned to his colleagues at Norton Labs - a security research arm within NortonLifeLock - and they were able to discover a hacking campaign leveraging brute force attacks to steal gift card numbers, then resell them to make quick cash.
After some quick web search, researchers found that gift cards for Pizza Nova and many other brands were being sold on some online websites for as much as 85% off.
“It is a clear sign of illegal sale,” Daniel Kats, Senior Principal Researcher, said. In addition, the values of the gift cards were not round numbers. For example, they found one with a balance of $6.25. It is typical of gift cards that have previously been used.
“The evidence pointed to attackers stealing gift card numbers then reselling them to make a quick profit,” Kats explained.
How the scam works
After a thorough investigation, researchers found that many of the affected gift cards appeared to come from one gift card supplier - GiveX.
“We suspected that attackers might be using a website designed to check gift card balances to verify and steal gift card numbers,” Kats said.
The website asks for two pieces of information: the gift card number and the gift card PIN. Researchers bought a few gift cards to understand the structure of this data better. They purchased a Pizza Nova gift card. It had a 19-digit number and a 4-digit PIN, often hidden before the purchase. From the first glance, it appeared to be quite a secure system.
Here’s the problem: the gift card number is not random but has a discoverable structure, making it easy to guess.
“All gift cards for the same brand — in this case Pizza Nova— start with the same prefix. In our example, it’s 6035710419344. That means only six digits of the gift card change between gift cards. Therefore, an attacker may use the gift card balance portal to check whether a gift card number is valid by entering a random gift card number and PIN and solving the CAPTCHA. In this case, the search space is only 1010, with many possible solutions. This is a small search space for any modern computer. In addition, this page uses an older, insecure version of CAPTCHA, which simple off-the-shelf tools can solve,” Kats explained.
To test this theory, researchers wrote a simple program to try random gift card numbers for Pizza Nova, coupled with a deep learning model to solve this version of the CAPTCHA (97.66% accuracy).
“We found the website uses a weak form of rate-limiting based on IP address, but this was easily circumvented using the Tor anonymization network. Using this method, we were able to find numerous active Pizza Nova gift cards with a non-zero balance that an attacker might steal and resell,” the researcher explained.
They also discovered that attackers might perform some legwork to make this attack more effective. Since gift cards are displayed in many stores, attackers may be capturing gift card numbers, which are about to be sold (see below). In that case, an attacker only needs to guess the PIN using the website mentioned above.
“Additionally, we found that card numbers are consecutive in stores, so an attacker can guess, based on the card numbers available on the shelf, which card numbers have recently been sold,” Kats stated.
The researchers contacted the affected parties with suggestions on how to fix these problems. The possible solutions include a longer PIN and gift card number, the requirement to log in before checking the balance, making sure stores do not carry continuous card numbers, and using a stronger CAPTCHA.
Why would you buy a gift card from a shady source?
According to David Zhuang, an engineer on the Norton Labs team, it is difficult to trace down the criminals themselves as they use tactics to really stay hidden, such as using cryptocurrency, payment gateway registered under stolen identity, IM tools with E2E encryption, VPN plus anonymous proxy, and bullet-proof hosting.
It is not clear how many customers were impacted but, looking at the website stock level, it is hundreds if not thousands of customers.
“It’s very hard for a victim to get their money back once a gift card is stolen. One has to prove that it’s not themselves using the card, and the card number+PIN has never been shared, which is essentially impossible. Credit card chargeback won’t be very helpful in this case since gift cards are cash-like products, like traveler’s checks, which normally exclude those transactions from protection,” Zhuang told CyberNews via email.
From the number of advertisements he sees, there’s a high demand for slightly cheaper gift cards. Why are consumers buying them from shady channels? Well, maybe a buyer cannot make payment via supported channels, there’s no channel available, buyer wants to save money, or maybe is involved in money laundering. It also might be that a buyer can’t distinguish official channels from third-party ones.
“In either case it’s hard for the buyer to understand how the card was originally acquired (legitimate unused card, legitimate used card selling remaining balance, stolen card, carded card [purchased with stolen credit card/PayPal, etc.]). Unless the card is sold at extreme discount (>50% off), it’s not even possible to tell the difference from the price. Or, the buyer may have a clear understanding but purchasing anyway if their intent has always been to resell,” Zhuang said.
Researchers suggested for consumers not to buy pre-activated cards, check the gift balance, and look for longer PINs when purchasing a card.
Last year, CyberNews ran a similar story. It showed that Tesco Clubcard’s partner - Hotels.com - employed an easily-faked code that allowed cheaters to get up to £750 off hotel rooms. The discount code was composed of 13-character codes that used the same first five characters, plus three numbers consisting of the discount amount (200, 500, or 750) and then a colon, leaving only the four last characters to be guessed. You can read the full story here.
More from CyberNews:
Subscribe to our newsletter