Botnet Pummels Retail Websites in Hunt for Gift Card Balances

Malicious Bot Checked More Than 4 Million Gift Card Numbers Per Hour in Search of Active Cards With Balances

A recently discovered Internet bot is conducting sustained attacks against retailers and checking millions of gift card numbers to determine if any have balances, Distil Networks researchers warn.

Dubbed GiftGhostBot, the sophisticated bot was detected on February 26, 2017 and has managed to hit nearly 1,000 websites to date, the researchers say. The bot is still active, and targeting retailers around the world at a rate of millions of requests per hour.

“The websites of retailers all over the globe are targets. Gift cards are typically associated with a particular company, and can be used to purchase any item sold by that company. Any website with gift card processing capability, including checking your gift card balance or replenishing funds, is a potential target,” the security firm reveals.

The bot uses card cracking (also called token cracking) attacks, in which automation is used to test a list of potential account numbers and request the balance of each. When a balance is returned, the attacker knows that the account number exists and contains funds.

This information allows bot operators to use the account number to purchase goods, though they could also sell those accounts on the dark web. Stealing money from gift cards is typically anonymous and untraceable, allowing cybercriminals to abuse the method with little fear of being caught.

GiftGhostBot was observed reaching peaks of over 4 million requests per hour on some retailer websites, nearly ten times the normal level of traffic on those domains. In addition to stealing users’ funds, the bot can cause slowdowns or site downtime.

Distil Networks classifies GiftGhostBot as an Advanced Persistent Bot (APB), because it has multiple functions. The bot rotates user-agent strings to hide its identity and is heavily distributed across various hosting providers and data centers worldwide. Moreover, it can mimic a normal browser, courtesy of high sophistication when executing JavaScript, and shows increased flexibility in the use of different attack techniques to avoid being blocked.

Distil Networks found five main profiles used in the attack, with the first three used at the beginning of the campaign, and the other two (in which the bot presented iPhone and Android user agents) developed after the previous ones were blocked. GiftGhostBot appears well-funded, considering that the cost of the attack increased significantly with the new profiles, as each “request would cost at least five times more by using mobile ISPs,” the researchers say.

“We detected on average 6,400 unique fingerprints per hour. Because the device fingerprint is more accurate than an IP address and user agent, you see the average number of user agents detected was higher, at 6,500 per hour, and that IP addresses were detected at an average rate of 29,000 per hour. All of these numbers indicate that the bot was distributing itself widely and trying to hide,” Distil's researchers said.

While retailers shouldn’t be blamed for these attacks, they can thwart them by implementing a CAPTCHA on the Check-your-Gift-Card-Balance pages, by keeping an eye on their traffic to determine if they are targeted, and by limiting the number of requests on gift card pages.
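The two defensive signals the article describes, a balance-check endpoint receiving many times its normal hourly volume from clients that rotate IPs and user agents behind a smaller number of device fingerprints, and the per-client request limit it recommends, can be illustrated with a short log analysis. The following is an added example, not code from Distil Networks or from any retailer mentioned in the article. It assumes a pipe-separated log format (`timestamp|ip|user_agent|fingerprint|path|status`), a balance-check path of `/giftcard/balance`, and a device-fingerprint column supplied by a bot-detection layer; the log lines themselves are constructed.

```python
"""Flag card-cracking traffic against a gift-card balance endpoint and
rate-limit balance checks per device fingerprint.

Added example, not Distil Networks' code.  Assumptions: a log format of
timestamp|ip|user_agent|fingerprint|path|status, and a fingerprint column
produced by a bot-detection layer (a stock web server does not log one).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

BALANCE_PATH = "/giftcard/balance"  # assumed path of the balance-check page

# Constructed sample log: one legitimate check at 09:12, then a burst at 10:00
# from three fingerprints that rotate IPs and user agents between requests.
SAMPLE_LOG = """\
2017-02-26T09:12:01Z|198.51.100.10|Chrome-56|fp-real-1|/giftcard/balance|200
2017-02-26T09:40:33Z|198.51.100.11|Safari-10|fp-real-2|/products|200
2017-02-26T10:00:01Z|203.0.113.1|Chrome-56|fp-bot-1|/giftcard/balance|200
2017-02-26T10:00:02Z|203.0.113.2|Firefox-51|fp-bot-1|/giftcard/balance|200
2017-02-26T10:00:03Z|203.0.113.3|iPhone-iOS10|fp-bot-1|/giftcard/balance|200
2017-02-26T10:00:04Z|203.0.113.4|Android-7|fp-bot-1|/giftcard/balance|200
2017-02-26T10:00:05Z|203.0.113.5|Chrome-56|fp-bot-2|/giftcard/balance|200
2017-02-26T10:00:06Z|203.0.113.6|Firefox-51|fp-bot-2|/giftcard/balance|200
2017-02-26T10:00:07Z|203.0.113.1|iPhone-iOS10|fp-bot-2|/giftcard/balance|200
2017-02-26T10:00:08Z|203.0.113.2|Android-7|fp-bot-2|/giftcard/balance|200
2017-02-26T10:00:09Z|203.0.113.3|Chrome-56|fp-bot-3|/giftcard/balance|200
2017-02-26T10:00:10Z|203.0.113.4|Firefox-51|fp-bot-3|/giftcard/balance|200
2017-02-26T10:00:11Z|203.0.113.5|iPhone-iOS10|fp-bot-3|/giftcard/balance|200
2017-02-26T10:00:12Z|203.0.113.6|Android-7|fp-bot-3|/giftcard/balance|200
2017-02-26T10:05:00Z|198.51.100.12|Safari-10|fp-real-3|/cart|200
"""


def parse_log(text):
    """Turn the pipe-separated log into dicts with a timezone-aware timestamp."""
    entries = []
    for line in text.strip().splitlines():
        ts, ip, ua, fp, path, status = line.split("|")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        entries.append({"when": when, "ip": ip, "ua": ua, "fp": fp,
                        "path": path, "status": int(status)})
    return entries


def hourly_stats(entries, path=BALANCE_PATH):
    """Per clock hour: balance-check volume, distinct IPs / user agents /
    fingerprints, and the most user agents seen behind one fingerprint
    (a user-agent rotation signal)."""
    buckets = defaultdict(lambda: {"requests": 0, "ips": set(), "uas": set(),
                                   "fps": set(), "uas_by_fp": defaultdict(set)})
    for e in entries:
        if e["path"] != path:
            continue
        b = buckets[e["when"].strftime("%Y-%m-%dT%H:00Z")]
        b["requests"] += 1
        b["ips"].add(e["ip"])
        b["uas"].add(e["ua"])
        b["fps"].add(e["fp"])
        b["uas_by_fp"][e["fp"]].add(e["ua"])
    return {k: {"requests": b["requests"], "distinct_ips": len(b["ips"]),
                "distinct_uas": len(b["uas"]), "distinct_fps": len(b["fps"]),
                "max_uas_per_fp": max(len(s) for s in b["uas_by_fp"].values())}
            for k, b in buckets.items()}


def flag_hours(stats, baseline_per_hour, factor=10):
    """Hours whose balance-check volume exceeds `factor` times the normal level."""
    return sorted(k for k, s in stats.items()
                  if s["requests"] > factor * baseline_per_hour)


class BalanceCheckLimiter:
    """Sliding-window cap on balance checks per fingerprint (assumed policy)."""

    def __init__(self, max_requests=3, window=timedelta(minutes=1)):
        self.max_requests = max_requests
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, fingerprint, now):
        hits = self._hits[fingerprint]
        while hits and now - hits[0] >= self.window:  # drop expired hits
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def replay(entries, limiter, path=BALANCE_PATH):
    """Replay the log through the limiter; return how many checks it rejects."""
    rejected = 0
    for e in sorted(entries, key=lambda e: e["when"]):
        if e["path"] == path and not limiter.allow(e["fp"], e["when"]):
            rejected += 1
    return rejected


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    stats = hourly_stats(log)
    for hour, s in sorted(stats.items()):
        print(hour, s)
    print("flagged hours:", flag_hours(stats, baseline_per_hour=1))
    print("rejected by limiter:", replay(log, BalanceCheckLimiter()))
```

In the constructed burst the 10:00 hour shows 12 balance checks against a baseline of one, six IPs and four user agents spread over only three fingerprints, and four user agents behind each fingerprint; the fingerprint is the stable key to limit on, since the IP and user agent change request to request. The limiter rejects the fourth check from each bot fingerprint inside its one-minute window while the legitimate check passes untouched.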

Consumers are advised to always keep track of their balance and to not leave money unused. However, because some retailers’ websites are under sustained attack from this bot, users might experience issues when attempting to check the balance on their gift cards. For example, websites might seem unable to provide the requested information, Distil Networks explains.

Related: Gift Cards Preferred Payment Method in Japanese Underground

Ionut Arghire is an international correspondent for SecurityWeek.
Original author: Ionut Arghire