GiftGhostBot tests potential account numbers, requesting each balance. When it is successful, hackers can resell this information on the dark web or use it to purchase goods.

Anna Westelius, director of engineering, professional services, Distil Networks

Since its invention by Blockbuster in 1994, the gift card has grown into a $100 billion industry. Today, 93 percent of US consumers buy or receive a gift card annually to spend on almost anything on the market, according to GiftCards.com.

While most familiarly a gift item, prepaid cards are used by companies for employee incentives and by the government to administer benefits and tax refunds. Millions of people also use prepaid cards as an alternative to a traditional bank account.

Thus, the target is rich and the stakes high as gift cards become the latest victim of bad bots—the automated programs used by hackers, fraudsters and competitors to conduct a variety of nefarious activities like price and product data scraping, click fraud and account hijacking.

This illustrates larger concerns with the security of online systems—a point applicable to organizations in all sectors as well as the general public. As more types of personal information, such as health and financial data, are digitized and kept online, we are entering a reality where that information is also subject to potential hacking.

An attack on gift cards is the latest of many more we will certainly see in the future targeting personal collateral and data. It is imperative that retailers and other organizations be proactive in applying best practices to lock down systems that have moved online, preventing attacks before they happen.

An Emerging Threat to Gift Card Balances

Detected in February by Distil Networks, GiftGhostBot is a sophisticated global bot attack targeting retail websites to defraud consumers of the money loaded on gift cards. Targets include any vendor with online gift card processing—from luxury retailers, to supermarkets, to major coffee distributors.

Using GiftGhostBot, fraudsters leverage malicious automation to test a rolling list of potential account numbers, requesting each balance. If they are successful, they can resell this information on the dark web or use it to purchase goods. This attack has occurred persistently on nearly 1,000 global customer websites, and many other retailers have suffered intermittent problems.

We cannot publicly disclose information about the fraud that occurred; however, several big retailers disabled their online gift card balance checking altogether while GiftGhostBot was at large. Here is one such page:

[Image: Distil check balance page]

Until now, retailers haven’t needed special security around gift cards. But they certainly do now. GiftGhostBot attacks not only rob gift card holders but could erode consumer faith in the cards and damage relations with the issuing company.

Advice to Retailers

Retailers should take immediate steps to mitigate the risk of GiftGhostBot:

  1. Examine web traffic

Sophisticated bad bots constantly rotate their IP addresses in order to hide within normal traffic. To protect the gift cards they have issued, retailers should cross-reference their web logs with these IP addresses, known to have been involved in attacks between February 26 and March 15:

[Image: Distil malicious IP addresses]

  2. Implement safeguards for balance-checking

The more safeguards between a physical card and how it interacts online, the better. This may include requiring a user account or login before a balance can be checked, which adds another layer of security.

Another way retailers can safeguard their websites is to require a CAPTCHA anywhere a consumer can check a gift card balance. While this alone is not effective against the most sophisticated bots, it does stop many of them. Additionally, retailers should set rate limits on requests to the check-your-balance page.

Note that these measures can only delay an attack rather than completely prevent one. Sophisticated bad bot operators constantly change how they get in, and if an organization is a target, they will come back. Only automated solutions are successful against automated attacks.
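The two technical steps above, cross-referencing web logs against the published IP list and watching the balance-check page for abusive request rates, can be combined into a single log review. The following is an added example, not Distil's code or tooling; the endpoint path `/giftcard/balance`, the placeholder entry in `KNOWN_BAD_IPS`, the log lines (constructed, combined log format) and the assumption that an unknown card returns HTTP 404 are all mine.

```python
import re
from collections import defaultdict
from datetime import datetime

BALANCE_PATH = "/giftcard/balance"   # assumed path of the balance-check endpoint
KNOWN_BAD_IPS = {"192.0.2.44"}       # placeholder; load the published attack IPs here

# Combined-log-format fields we need: client IP, timestamp, request path, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def make_sample_log():
    """Constructed log lines: one client enumerating 30 card numbers in 30 s
    (all unknown), one client on the known-bad list, and one ordinary shopper."""
    lines = [f'203.0.113.7 - - [01/Mar/2017:10:00:{i:02d} +0000] '
             f'"GET {BALANCE_PATH}?card=6000{i:012d} HTTP/1.1" 404 120'
             for i in range(30)]
    lines.append(f'192.0.2.44 - - [01/Mar/2017:10:06:00 +0000] '
                 f'"GET {BALANCE_PATH}?card=6000000000009999 HTTP/1.1" 404 120')
    lines.append(f'198.51.100.9 - - [01/Mar/2017:10:05:00 +0000] '
                 f'"GET {BALANCE_PATH}?card=6000000000004242 HTTP/1.1" 200 310')
    lines.append('198.51.100.9 - - [01/Mar/2017:10:09:00 +0000] "GET /products HTTP/1.1" 200 5120')
    return lines

def find_suspects(lines, window=60, max_checks=10, min_miss_ratio=0.8):
    """Return {ip: [reasons]} for clients on the known-bad list, or whose
    balance checks exceed max_checks in any `window` seconds while mostly
    failing (assumes the endpoint answers 404 for an unknown card)."""
    per_ip = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(BALANCE_PATH):
            continue                      # only the balance endpoint matters here
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        per_ip[m.group("ip")].append((ts, int(m.group("status"))))
    suspects = {}
    for ip, hits in per_ip.items():
        reasons = ["known-bad-ip"] if ip in KNOWN_BAD_IPS else []
        hits.sort()
        peak = start = 0
        for end in range(len(hits)):      # sliding window over time-sorted hits
            while (hits[end][0] - hits[start][0]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        miss_ratio = sum(1 for _, s in hits if s == 404) / len(hits)
        if peak > max_checks and miss_ratio >= min_miss_ratio:
            reasons.append(f"enumeration:{peak} checks/{window}s, {miss_ratio:.0%} misses")
        if reasons:
            suspects[ip] = reasons
    return suspects
```

The same per-IP window count is what a rate limit on the balance page would enforce in real time; here it is applied after the fact to logs, so tune `max_checks` against what genuine shoppers actually do on your site.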

  3. Adopt a new way of thinking

The emergence of GiftGhostBot signals the need for retailers to adopt new attitudes and methods around security. While a strong security posture is a must-have, relying on this alone is reactive. A proactive approach where retailers lean into preventive measures is the best way to combat GiftGhostBot along with new automated threats that will certainly arise in the future.

Retailers should look at bot mitigation solutions that help reduce gift card fraud and also help with other bot-related issues like preventing account takeovers, price scraping and credit card cracking (brute force attacks in which bots rapidly try different values for start date, expiry date and/or card security code until they find the right values). Such solutions offer a proactive approach to safeguard against the next malicious automated attack.

Distil Networks provides technology designed to protect websites against malicious bots, API abuse and fraud.
