Skip to content

Generating “grift” cards is free cash for cybercriminals

Shutterstock Images

How underground actors use automated tools to create valid gift card codes

According  to the FTC’s 2021 Consumer Protection Data Spotlight, gift cards are the most common payment method for scammers, leading to a reported $148 million stolen from consumers.

Gift cards appeal to threat actors because they can use them for four general purposes:

1. Use the stolen balance for personal purchases

2. Convert gift cards into cash on dedicated platforms

3. Sell the gift cardholder’s information (user name, password, serial number, PIN)

4. Use the account balance to buy gift cards and sell them on secondary markets

Threat actors can procure valid gift cards in several ways, such as scamming, phishing, and data breaches. However, in this article, we examine how underground actors illicitly create working gift cards using automated hacking tools called generators and checkers, which are widely available on the underground.

Retail
Threat intelligence solutions help you prevent, detect, and protect your most critical assets, your customers and your brand. Get advanced warnings.

Generators and checkers are widely available on underground forums, each targeting a specific brand. Our research shows that the most-mentioned targets of automated hacking tools are also popular consumer services: Amazon, Netflix, PayPal, Spotify, and Sony (see figure 1).

Figure 1: Companies most targeted by gift card hacking tools since the beginning of 2020

Tools & Methods

Let’s take a closer look at these tools. Generally, actors share them for free in underground forums and markets and design them to be simple to use. They often include tutorials, tips, and methods.

Gift Card Generators

Card generators are shared individually or as a component of a broader cracking package. They generate a unique gift card number that may contain preloaded funds. Even if a gift card isn’t yet activated, the moment it is, the threat actor possessing the card’s number will be the first to gain access to the gift card’s value.

A gift card generator can administer cards of a single retailer (see Figures 4 & 7) or several (Figures 2 & 3).  Each retail business is unique, with different numbers representing the card’s ID.

Figure 2: Gift card multi-platform generator
Figure 3: Multiple gift card generator
Figure 4: Steam wallet gift card generator

Actors often post Virustotal links of the shared tool (see figure 5). The card generator (figure 1) was detected and labeled as malicious by 44 security vendors, proving the tool's legitimacy and capabilities to threat actors.

Figure 5: Shared Virustotal link of a gift card generator

The quantity of gift card numbers that can be generated is essentially limitless. However, the challenge is to check and validate them to see which works.

Gift Card Checkers

Threat actors use gift card checkers for validating generated (or stolen) card numbers.While each retailer offers the ability to check gift card balances, it’s not feasible to do this manually by the thousands. Therefore, it is preferable to use an automated checker.

Gift card checkers are usually part of a package of carding tools available on the underground. Often, checkers can also be included with generators, so the entire process is completed in a single step (see figure 6).

Figure 6: Gift card checker combined with card generator
Figure 7: Amazon Gift card generator + checker package

Conclusion

Gift card generators and checkers are a problem for both retailers and consumers. These tools may generate cards worth thousands of dollars, siphoning money from consumers and businesses and impacting overall trust in gift cards.

Financial Services
Threat Intelligence for Financial Services - Minimize false-positives. Reduce response time by 75%. Detect and prevent credit card fraud.

Consumers should check their gift card balance regularly and report any suspected fraudulent activity to the relevant retailer.

Retailers and gift card issuers, meanwhile, should monitor the tools available on the underground so they can create countermeasures. They should use more complex codes to prevent generators from enumerating the numbers, and they should implement controls to detect and block checkers from validating a large quantity of codes. Furthermore, they should monitor their gift cards' internal traffic to detect unusual expenses, locations, multiple cards held by one customer, and other activities that indicate fraudulent activity.




Comments

Latest