GiftGhostBot – the malicious bot attempting to compromise gift cards across 1,000 websites

Check your gift card balances, and document them!

David bisson
David Bisson
@
@DMBisson

GiftGhostBot - the malicious bot attempting to compromise gift cards across 1,000 websites

A malicious bot is seeking to compromise gift cards purchased and activated by consumers across nearly 1,000 websites.

Researchers at Distil Networks first detected the bot, which they’ve nicknamed “GiftGhostBot”, on 26 February 2017. As part of the discovery, the San Francisco-based security firm detected a huge spike in activity targeting many of the largest brands in the world. Some of these websites saw over 4 million requests per hour on their gift card pages alone.

So what is GiftGhostBot trying to do?

Sign up to our free newsletter.
Security news, advice, and tips.

Distil security analyst Anna Westelius answers that question in a blog post:

“It is a card cracking or token cracking attack. This means that fraudsters are using automation to test a rolling list of potential account numbers and requesting the balance. If the balance is provided, the bot operator knows that the account number exists and contains funds. Armed with that information, the account number can be used to purchase goods, or sold on the darkweb for a fee. For a cyber thief, the beauty of stealing money from gift cards is that it is typically anonymous and untraceable once stolen.”

No wonder some ransomware developers demand ransom payments in the form of gift cards!

Though Distil first detected the bot on 26 February, the attack didn’t peak until 8 March. It then dropped off again on 13 March.

Giftghostbot stats

During that period, researchers detected an average of 6,400 unique fingerprints and 29,000 IP addresses per hour. GiftGhostBot rotated between these agents, host providers, and data centers in order to avoid detection and to persist even if sysadmins blocked one of its techniques.

The malicious bot also employed a minimum of five different profiles. Profiles 4 and 5, by which GiftGhostBot disguised itself as Android and iOS user agents, emerged only after Distil began blocking Profiles 1-3. By switching to mobile ISPs, the attackers behind the bot increased the cost of each of their attacks by five times. But they didn’t even blink at the change, which suggests this campaign is well-funded.

Got it. This is a bad bot. So what are online websites doing in response to these attacks?

Some have disabled their gift card pages entirely. Others have added a phone number to their pages that consumers can use to check their gift card balances. In addition to these measures, retailers should use CAPTCHAs, rate limiting on their gift card pages, and review their web traffic to see if they’ve been targeted. These measures won’t stop an evolving threat like GiftGhostBot from attacking them, but it will slow it down.

Concurrently, consumers should verify their gift card balances and take a screenshot of those balances just in case GiftGhostBot drains their cards. In the event something happens, they should speak with the retailer about issuing a refund. Any problems in receiving a refund should be reported to the FTC.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.