GiftGhostBot Steals Gift Card Balances From Consumers' Accounts


A new threat is on the prowl that compromises the gift card balances of customers. The bot, dubbed GiftGhostBot, attempts to swindle consumers out of the cash loaded on their gift cards.

The bot is being deployed by cyberattackers to break into and drain online gift card accounts of their balance. The GiftGhostBot affects gift cards issued by a slew of retailers all over the world. The attacks from the bot are affecting nearly 1,000 retail websites according to reports.

Distil Networks, a security firm, identified the new bot on Feb. 26. The GiftGhostBot clandestinely checks millions of gift card numbers in order to determine which cards still carry a balance.

Customers who attempted to check their gift card balance online were instead shown a message directing them to contact customer services by phone. Retailers did this because many of their websites were under attack from this very persistent bot.

Victims Of GiftGhostBot

The bot primarily targets retailer websites across the world. Generally, gift cards are linked to a specific company, and any item sold by that organization can be purchased with the card.

Any ecommerce website capable of processing a gift card, including refilling its funds, is a potential target of the GiftGhostBot.

"Like most sophisticated bot attacks, GiftGhostBot operators are moving quickly to evade detection, and any retailer that offers gift cards could be under attack at this very moment," said Rami Essaid, CEO of Distil Networks.

How Does GiftGhostBot Work?

GiftGhostBot uses a token cracking or card cracking attack to discover valid accounts and the balance they contain. Using automation, the attackers submit a continuous list of candidate account numbers, each paired with a request to display the available balance.

If, by a stroke of chance, a balance is displayed, the fraudster immediately knows that the account is genuine and contains money. With this data, the bot operator then uses the account number to buy goods. Alternatively, the account number can be sold on the dark web.

Such transactions are untraceable and anonymous, which enables the cyber thief to stay undetected.
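The pattern described above, a high volume of balance checks of which almost all come back as "no such card", is also what makes the attack detectable from the retailer's side. The following is an added example, not Distil Networks' tooling or any retailer's code, that flags this pattern from web server access logs. It assumes a simplified constructed log format (`<iso-timestamp> <client_ip> <path> <status>`), a hypothetical balance endpoint `/giftcard/balance`, and that a 404 status means the card number does not exist; the thresholds are illustrative.

```python
"""Flag card-cracking style enumeration against a gift card balance endpoint.

Added example, not code from the original article or from Distil Networks.
Assumptions: simplified access-log lines '<iso-timestamp> <client_ip> <path> <status>',
a balance endpoint at /giftcard/balance, and status 404 meaning "no such card".
Thresholds are illustrative and would be tuned against real traffic.
"""
from collections import defaultdict
from datetime import datetime

BALANCE_PATH = "/giftcard/balance"  # assumed endpoint name


def build_sample_log():
    """Constructed sample log: one client (203.0.113.7) walks 25 candidate
    card numbers in 25 seconds and gets a single hit; an ordinary shopper
    (198.51.100.4) checks one real card twice and then visits the cart."""
    lines = []
    for i in range(25):
        status = 200 if i == 12 else 404
        lines.append(f"2017-03-09T10:00:{i:02d} 203.0.113.7 {BALANCE_PATH} {status}")
    lines.append(f"2017-03-09T10:00:05 198.51.100.4 {BALANCE_PATH} 200")
    lines.append(f"2017-03-09T10:00:40 198.51.100.4 {BALANCE_PATH} 200")
    lines.append("2017-03-09T10:00:41 198.51.100.4 /cart 200")
    return lines


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, path, status)."""
    ts, ip, path, status = line.split()
    return datetime.fromisoformat(ts), ip, path, int(status)


def summarize_balance_checks(lines):
    """Per client IP: number of balance checks, how many hit non-existent
    cards, and the first/last timestamp of those checks."""
    stats = defaultdict(lambda: {"requests": 0, "misses": 0, "first": None, "last": None})
    for line in lines:
        ts, ip, path, status = parse_line(line)
        if path != BALANCE_PATH:
            continue  # only the balance-check endpoint is of interest here
        s = stats[ip]
        s["requests"] += 1
        if status == 404:
            s["misses"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)


def flag_card_cracking(lines, min_requests=20, min_miss_ratio=0.9, max_seconds_per_request=5.0):
    """Return the IPs whose balance checks look like enumeration: many
    requests, nearly all for cards that do not exist, arriving quickly.
    A genuine cardholder checks the one or two cards they own, so the miss
    ratio is the strongest signal; volume and rate back it up."""
    flagged = {}
    for ip, s in summarize_balance_checks(lines).items():
        if s["requests"] < min_requests:
            continue
        miss_ratio = s["misses"] / s["requests"]
        span = (s["last"] - s["first"]).total_seconds()
        if miss_ratio >= min_miss_ratio and span / s["requests"] <= max_seconds_per_request:
            flagged[ip] = {
                "requests": s["requests"],
                "miss_ratio": round(miss_ratio, 2),
                "span_seconds": span,
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_card_cracking(build_sample_log()).items():
        print(f"enumeration suspected from {ip}: {info}")
```

The miss ratio is the key signal: a bot that has to guess card numbers produces far more "no such card" responses than hits, while real customers almost never ask about a card they do not hold. Rate and volume alone would also catch a busy shared NAT, so they are used only to confirm.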

GiftGhostBot: How Does It Affect Consumers And Retailers?

Any customer who is an unfortunate victim of the crime may see that their gift card has run out of funds. The bot is capable of running through a whopping 1.7 million accounts in just an hour!

Due to the disappearance of funds, consumers may hold the retailer responsible and register a complaint. If the gift card does not have FDIC protection, then the retailer will not refill the amount. In such a scenario, the consumer and retailer relationship gets damaged.

On the other hand, if a retailer is the victim of the theft, there is little it can do to salvage the situation. Even if the retailer wants to issue refunds, the refund requests on its website may reach millions in a single day. This could lead to a server outage, leaving the retailer helpless even when it wants to make amends.

What's The Solution For Retailers And Consumers?

According to Distil Networks, the bot attack peaked after March 8 and continued its rampant run until March 13. Since that date, the bot has reportedly been lying low. Security analysts suggest that retailers implement certain best practices to avoid such threats.

"A best practice would be to include a CAPTCHA on the Check-your-Gift-Card-Balance page. While not effective against the most sophisticated bots, it prevents many bots," shared Anna Westelius, chief of Distil's Professional Services Security Analysts.

Consumers are advised to treat their gift card like it is money, as well as check its balance. It is advisable to take a screenshot of the gift card balance as evidence. Those affected and facing issues with retailer-issued gift cards can also contact the Federal Trade Commission in the United States.

ⓒ 2018 All rights reserved. Do not reproduce without permission.