GiftGhostBot botnet stealing retailer gift card balances

Distil Networks has come across a month-old gift card hacking scheme, named GiftGhostBot, that has cybercriminals using botnets to steal money from retailer-issued gift cards.

First spotted on February 26, GiftGhostBot is a spinoff of the common Carding and Card Cracking schemes. The difference: GiftGhostBot bots are used to check gift card account numbers and balances over the internet with the issuing retailer. When an account number is found to match a balance, that number is then recorded and either used to make a purchase or sold on the dark web. The other methods use different filtering processes to either brute force a card's account number or to discover if a credit card account number is valid.

Distil Networks researcher Anna Westelius said GiftGhostBot is an advanced persistent bot (APB) capable of pinging a retailer or card issuer up to four million times per hour as it rattles through different gift card account number combinations. These attacks are effectively shutting down customer sites to the point where they can no longer automatically accept customer requests for a balance and are instead asking people to use the phone.

Westelius said more than 1,000 retail customer service websites to date have been struck with GiftGhostBot. Distil does not know how many consumers have been ripped off, but noted the potential for big profits for those conducting the attack.

"In theory, if you test one million gift card numbers during an hour on one website, and find that 1,000 (0.1%) have balances, and assuming the average balance on a gift card is $100, that is potentially $100,000 in fraud for one hour of work, on one website," a company spokesperson told SC Media. "The numbers are potentially staggering."

Blackhawk Network, an operator of e-commerce sites for gift card sales, said it has spotted a few scams similar to GiftGhostBot, but has not experienced any significant increase in compromised balances on cards nor heard from its partners about similar issues.

Because the attacks target gift cards specific to a retailer, there is a chance consumers may blame the merchant for their loss, and this would be a mistake.

"It is important to understand that they are not being breached into exposing personal information," Westelius said. "The functionality to check a balance is on their website and the bot is using that business logic to find out the information."

She described GiftGhostBot as a very sophisticated tool capable of distributing itself over a wide swath of territory in order to hide, with several features that confirm it's an APB.

"First, it is lying about its identity by rotating user-agent strings," Westelius wrote. "Second, it is heavily distributed across various hosting providers and data centers all over the world. Third, it is technically sophisticated when it executes JavaScript, mimicking a normal browser. Finally, it is persistent in that if it is blocked using one technique it adapts and returns using a different attack technique."

Distil also reiterated that despite the distributed nature of the attacks these are not distributed denial of service attacks, but are designed to extract money. However, the very nature of the attack does mean it can, in some cases, overwhelm a company's servers.
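
Because the bot rotates user-agent strings and spreads requests across many hosts, a defender has to judge the balance-check function in aggregate rather than per client. The sketch below is an added example, not code from Distil or any retailer: it flags one-minute windows in which lookups are numerous and overwhelmingly for invalid numbers. The log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

def make_sample_log():
    """Constructed log lines: timestamp, client IP, card token, lookup result."""
    lines = []
    # Ordinary customers: a handful of lookups, each for a valid card.
    for i in range(5):
        lines.append(f"2017-03-01T10:00:{i:02d} 198.51.100.{i} card-{i} found")
    # Enumeration: 300 lookups in one minute spread over 250 IPs, every
    # lookup for a different number, almost all of them invalid.
    for i in range(300):
        result = "found" if i % 100 == 0 else "invalid"
        lines.append(f"2017-03-01T10:05:{i % 60:02d} 203.0.113.{i % 250} guess-{i} {result}")
    return lines

def detect_enumeration(lines, min_lookups=100, min_invalid_ratio=0.8, per_ip_limit=3):
    """Flag one-minute windows whose aggregate traffic looks like number guessing."""
    windows = defaultdict(lambda: {"n": 0, "invalid": 0, "cards": set(), "ips": set()})
    for line in lines:
        ts, ip, card, result = line.split()
        w = windows[datetime.fromisoformat(ts).replace(second=0)]
        w["n"] += 1
        w["invalid"] += result == "invalid"
        w["cards"].add(card)
        w["ips"].add(ip)
    alerts = []
    for minute, w in sorted(windows.items()):
        # Low volume or mostly valid lookups: ordinary customer traffic.
        if w["n"] < min_lookups or w["invalid"] / w["n"] < min_invalid_ratio:
            continue
        alerts.append({
            "minute": minute.isoformat(),
            "lookups": w["n"],
            "invalid": w["invalid"],
            "distinct_cards": len(w["cards"]),
            "distinct_ips": len(w["ips"]),
            # True when average lookups per IP stay at or under per_ip_limit,
            # i.e. the traffic is too spread out for a per-IP limit to notice.
            "below_per_ip_limit": w["n"] / len(w["ips"]) <= per_ip_limit,
        })
    return alerts

if __name__ == "__main__":
    for alert in detect_enumeration(make_sample_log()):
        print(alert)
```
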
