Gift cards are great for both retailers and consumers. Retailers love the flexibility and profitability of gift cards, and consumers love how easy it is to buy, use, and receive gift cards. Clearly, gift cards aren’t going anywhere soon: the gift card market is projected to be worth nearly $700 billion by 2024.
And the growing popularity of gift cards has not escaped the attention of crafty criminals who are looking to take advantage of the vast numbers of gift cards that are bought, sold, and used each year. Billions of dollars are spent on gift cards every single year – and many of these gift cards are just as useful as cash. It’s no surprise that scammers, thieves, hackers, and other crooks are interested in the gift card market.
We’ve discussed several scams related to gift cards on our blog before, but criminals sometimes seem to be one step ahead. Since then, a new method of gift card thievery has been created – a program known as “GiftGhostBot”.
Using this program, hackers “brute-force” valid gift card numbers through retailers’ own online balance-check pages, then drain the balances of the cards they find, whose owners may not even realize that an attack has happened.
In this article, we’ll take a look at the basics about GiftGhostBot, and discuss ways that both retailers and consumers can avoid being targeted by malicious hackers who are using this program to steal gift card funds.
The Basics About GiftGhostBot
The idea behind GiftGhostBot is fairly simple. In today’s connected world, almost all major retailers offer a way for legitimate customers to check the balances of their gift cards online.
If you head over to Target.com, for example, and enter a gift card number (and, on many sites, the card’s access code or PIN) on the balance check page, you’ll be able to see whether or not that card is active and how much remains on it. Such pages usually don’t require you to log in to an account first, which matters for what follows.
This is, of course, very valuable for consumers. When we get a gift card – or retrieve an old gift card and want to know how much is on it – it’s very convenient to be able to do so online.
However, this online gift card balance checking process is now being used against consumers, by hackers who are utilizing GiftGhostBot.
Essentially, GiftGhostBot allows hackers to “brute-force” legitimate gift card numbers: it submits candidate numbers to a retailer’s balance-check page at very high speed and keeps the ones that come back with a balance.
“Brute-force” attacks are very common in the world of hacking and cybersecurity. In the past they have usually been aimed at passwords for email, bank, and other important accounts.
“Brute-force” refers to the method by which the program “guesses” the password or other secret: it simply tries candidate values one after another, either working through the possibilities systematically or generating them at random, and submits each one to the system that knows the right answer. Given enough attempts, and a target that does not limit them, the program eventually lands on a correct value. How many guesses that takes depends on how many possibilities there are, which is why short or predictable values fall quickly.
This is how GiftGhostBot finds legitimate gift card numbers. Rather than breaking into anything, the bot behaves like a very fast, automated customer: it sends request after request to the retailer’s customer-facing balance-check page, each one asking about a different gift card number, at a rate of nearly 1.7 million numbers per hour.
When a gift card number comes back as “positive” – it has been activated and has a value associated with it – this number is stored by the program. Gift cards with a “0” balance or that have not been activated are ignored.
The ratio of “valid” to “invalid” gift card numbers is very low: because the numbers GiftGhostBot checks are guesses, the overwhelming majority of responses are useless to the attacker. However, because the bot can check so many numbers so quickly, even a tiny success rate lets hackers accumulate hundreds, if not thousands, of valid gift card numbers.
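To make the mechanics concrete, here is an added example written for this article; it is not GiftGhostBot’s code, which is not public in this form. It simulates the enumeration against a mock balance-check endpoint and assumes a constructed, scaled-down card format: a fixed issuer prefix, a five-digit body and a trailing Luhn check digit. Whether a given issuer uses a check digit, and what prefix it uses, are assumptions for the simulation, not facts from this article. The point it makes is that the hit ratio is tiny, that a predictable format (here, the check digit) cuts the attacker’s work by a factor of ten, and that at the reported rate the lookups needed are measured in minutes, not days.

```python
import random

# Constructed, scaled-down card format (an assumption for this example, not
# a format described in the article): a fixed 6-digit issuer prefix, a
# 5-digit body and a trailing Luhn check digit. 100,000 bodies x 10 possible
# check digits = 1,000,000 candidate numbers.
PREFIX = "601234"
BODY_DIGITS = 5
BODY_SPACE = 10 ** BODY_DIGITS
RATE_PER_HOUR = 1_700_000   # lookup rate reported for GiftGhostBot


def luhn_check_digit(payload):
    """Luhn check digit for payload (a card number minus its last digit).
    Assumes the issuer uses Luhn; real gift card formats vary."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:              # rightmost payload digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def make_card_pool(n_active, seed=7):
    """Constructed 'database' of activated cards with balances, scattered
    at random over the number space."""
    rng = random.Random(seed)
    pool = {}
    for body in rng.sample(range(BODY_SPACE), n_active):
        payload = PREFIX + f"{body:0{BODY_DIGITS}d}"
        pool[payload + luhn_check_digit(payload)] = rng.choice([10, 25, 50, 100])
    return pool


def check_balance(pool, number):
    """Mock of an unauthenticated balance-check page: the balance, or None
    when the number is unknown, unactivated or empty."""
    return pool.get(number)


def enumerate_cards(pool, budget, use_luhn):
    """The bot's loop: sweep candidate numbers in order, stopping after
    `budget` lookups. With use_luhn it asks only about the one check digit
    that passes Luhn, so each body costs 1 lookup instead of 10."""
    found, requests = {}, 0
    for body in range(BODY_SPACE):
        payload = PREFIX + f"{body:0{BODY_DIGITS}d}"
        digits = [luhn_check_digit(payload)] if use_luhn else [str(d) for d in range(10)]
        for cd in digits:
            if requests >= budget:
                return found, requests
            requests += 1
            balance = check_balance(pool, payload + cd)
            if balance:                 # zero-balance / inactive cards are ignored
                found[payload + cd] = balance
    return found, requests


def attack_summary(found, requests):
    """Hit ratio, dollar value of the hits, and how long `requests` lookups
    take at the reported rate."""
    return {
        "requests": requests,
        "hits": len(found),
        "hit_ratio": len(found) / requests if requests else 0.0,
        "value": sum(found.values()),
        "hours": requests / RATE_PER_HOUR,
    }


if __name__ == "__main__":
    pool = make_card_pool(100)
    for use_luhn in (False, True):
        found, requests = enumerate_cards(pool, budget=BODY_SPACE, use_luhn=use_luhn)
        label = "luhn-filtered sweep" if use_luhn else "blind sweep"
        print(label, attack_summary(found, requests))
```

Run it and compare the two lines: with the same budget of 100,000 lookups, the blind sweep covers only a tenth of the number space, while the filtered sweep covers all of it and finds every live card for a hit ratio of 0.1%. Scaling the body back up to real-world lengths only moves the decimal point; the lookup rate the retailer tolerates is what decides whether a sweep takes minutes or months, which is why the limits discussed later matter.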
These hackers must move fairly quickly, as they will generally only get one chance to attack a particular retailer. The massive spikes in web traffic don’t go unnoticed by IT security teams, so these attacks are often carried out in the middle of the night, so that there’s a smaller chance of retailers being able to respond in a timely manner.
Once GiftGhostBot has logged the activated gift card balances, hackers can resell these numbers on the “dark web” using anonymizing software such as the Tor Browser, or they can redeem them online or in-person for merchandise that they can resell, thereby making a profit.
The potential for profit is vast. Consider an attack that checks 1 million gift card numbers in an hour. Almost all of these will be invalid, but if only 0.1% of the numbers checked belong to valid cards with an average balance of around $50, that is 1,000 live cards, and the fraudster stands to make $50,000 in one hour. That’s a big number, and one that can’t be ignored by retailers.
The number of attacks using this new software program has been massive – Distil Networks, a San Francisco-based cybersecurity company, estimates that more than 1,000 companies have already been targeted by GiftGhostBot in the month of February alone.
Many retailers are aware of this problem, and have begun implementing robust security measures to fight back against the hackers who are using this program to drain the balances of legitimate customers.
However, many consumers are still unaware of the threat posed by GiftGhostBot and other similar, brute-force programs. Let’s take a look at how retailers are fighting back against data breaches – and how everyday consumers can protect themselves from losing their gift card balances.
How Retailers Can Fight Back Against Brute Force Data Breaches
The growing threat of gift card “brute force” attacks has not gone unnoticed by retailers, and many businesses have already taken security precautions to protect themselves and their gift card customers. Here are a few ways that retailers can fight back against brute force data breaches from programs like GiftGhostBot.
- Limit Customer Balance Checking Attempts – This is the most obvious method by which retailers can limit the damage. Limiting the number of times that a particular customer or IP address can check a gift card balance per hour or per day is an effective way of reducing the ability of “brute-force” attackers like GiftGhostBot to harvest card numbers.
Outside of the gift card market, most websites already use these sorts of preventative measures on their login screens, allowing users only a small number of attempts to enter the correct password for their account. If the user fails to do so, their account will be locked. Retailers can use this same method to blunt GiftGhostBot. No legitimate consumer would need to check more than, say, 10 or 20 gift card balances per day, so capping balance checks per client at that level costs real customers nothing. One caveat: a limit keyed only on IP address is weak against a bot that spreads its requests across many addresses, so retailers should also watch the site-wide rate of failed lookups (a real customer’s checks mostly succeed; a bot’s mostly fail) and demand a CAPTCHA or the card’s PIN from any client that has made a few failed checks.
- Stop Using Online Gift Card Balance Services – Most retailers are not going to take this step, since the convenience of checking gift card balances online outweighs the risk of data theft in most cases, but a retailer that knows it is being targeted by a botnet like GiftGhostBot can suspend its online balance checking service temporarily. Instead, customers can check their balances by calling an automated, touch-tone phone line. Most major retailers already have such lines for customers who can’t or won’t use the Internet. Obviously, this is not an ideal solution, and the phone line needs the same attempt limits as the website, because an automated dialer can enumerate card numbers over the phone just as a bot can over the web. Still, it can be used temporarily while the online balance-checking infrastructure is hardened.
- Utilize Rapid Response Systems To Shut Down Balance Services In Case Of An Attack – These GiftGhostBot attacks happen very quickly, often too quickly for IT staff to respond by hand. Retailers can adopt an automated rapid-response system that watches the balance service for the attack’s signature (a sudden spike in lookups, most of which come back as invalid or empty cards) and reacts on its own: denying balance checks to the addresses involved, or taking the service offline entirely when the spike is site-wide, and paging IT staff so they can investigate and restore service once the attack has been contained.
- Implement Strict Security Measures On Gift Cards – This is another solution that’s not very popular among most retailers, but it’s a very effective way of reducing gift card fraud. Gift cards can be issued with stricter controls, such as a scratch-off PIN that must be supplied for every balance check and purchase, or a requirement to provide the address or ZIP code from which the card was purchased. Requiring the PIN for balance checks is particularly effective against GiftGhostBot, because the bot then has to guess the card number and the PIN together, which multiplies the number of lookups needed for each hit. This greatly reduces the chance of theft, but it makes things harder for everyday retail customers: they may not remember the ZIP code the card was purchased from, or may get confused when setting up a PIN. So, while this is a great way to reduce the threat of botnet attacks like GiftGhostBot, it may also reduce a retailer’s gift card sales, which is a bit counterproductive.

These are a few of the ways that the companies targeted by GiftGhostBot and other botnets have responded. Now let’s take a look at what consumers can do to reduce their chances of being targeted by these brute-force programs, and avoid losing their gift card balances.
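Before moving on to consumers, here is a worked example of the retailer-side detection described in the first and third items above: per-client limits plus an automated rapid response. It is an added example written for this article, not any retailer’s or vendor’s code, and it runs over constructed log lines of the form timestamp, client IP, hit/miss. The thresholds are illustrative assumptions (the per-IP limit follows the article’s “10 or 20 per day” remark). It blocks a client that exceeds the per-IP limit or whose lookups mostly miss, and separately trips a site-wide breaker when the overall miss rate spikes, which is what catches a bot that spreads its requests across many addresses while keeping each one under the per-IP limit.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Illustrative thresholds (assumptions for this example, not from the article).
WINDOW = timedelta(hours=1)
PER_IP_LIMIT = 20        # lookups per client per window before blocking
MIN_FOR_RATIO = 10       # lookups needed before judging a client's miss ratio
MISS_RATIO_TRIP = 0.90   # a client this wrong is enumerating, not checking its own cards
GLOBAL_MIN = 200         # site-wide breaker is judged only after this much traffic
GLOBAL_MISS_TRIP = 0.80  # site-wide miss share that takes the balance page offline

LINE_RE = re.compile(r"^(\S+) (\S+) (hit|miss)$")


def parse_line(line):
    """'2017-02-20T02:00:01Z 203.0.113.10 hit' -> (datetime, ip, hit?)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m.group(2), m.group(3) == "hit"


class Window:
    """Sliding-window count of lookups and misses."""
    def __init__(self):
        self.events = deque()   # (ts, hit)
        self.misses = 0

    def add(self, ts, hit):
        self.events.append((ts, hit))
        if not hit:
            self.misses += 1
        while self.events and self.events[0][0] < ts - WINDOW:   # evict expired
            _, old_hit = self.events.popleft()
            if not old_hit:
                self.misses -= 1

    def __len__(self):
        return len(self.events)

    def miss_ratio(self):
        return self.misses / len(self.events) if self.events else 0.0


def analyze(lines):
    """Replay log lines in time order. Returns which IPs get blocked (and the
    first reason) and when, if ever, the site-wide breaker disables the page."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    per_ip = defaultdict(Window)
    site = Window()
    blocked, breaker_tripped_at = {}, None
    for ts, ip, hit in events:
        w = per_ip[ip]
        w.add(ts, hit)
        site.add(ts, hit)
        if ip not in blocked:
            if len(w) > PER_IP_LIMIT:
                blocked[ip] = "rate"
            elif len(w) >= MIN_FOR_RATIO and w.miss_ratio() >= MISS_RATIO_TRIP:
                blocked[ip] = "ratio"
        if breaker_tripped_at is None and len(site) >= GLOBAL_MIN \
                and site.miss_ratio() >= GLOBAL_MISS_TRIP:
            breaker_tripped_at = ts      # rapid response: take the service offline, page staff
    return {"requests": len(events), "blocked": blocked, "breaker_tripped_at": breaker_tripped_at}


def make_sample_log():
    """Constructed traffic (not a real retailer's log): two ordinary customers,
    one bot hammering from a single IP, and a distributed bot whose 100
    addresses each stay under the per-IP limit."""
    base = datetime(2017, 2, 20, 2, 0, tzinfo=timezone.utc)
    lines = []

    def emit(when, ip, hit):
        lines.append(f"{when:%Y-%m-%dT%H:%M:%SZ} {ip} {'hit' if hit else 'miss'}")

    emit(base, "203.0.113.10", True)
    emit(base + timedelta(minutes=3), "203.0.113.10", True)
    emit(base + timedelta(minutes=1), "203.0.113.11", False)   # mistyped number
    emit(base + timedelta(minutes=2), "203.0.113.11", True)
    for i in range(60):                                        # 60 lookups in one minute
        emit(base + timedelta(minutes=5, seconds=i), "198.51.100.7", i == 42)
    for n in range(100):                                       # 8 lookups each, all misses
        for i in range(8):
            emit(base + timedelta(minutes=10 + n % 3, seconds=i), f"192.0.2.{n + 1}", False)
    return lines


if __name__ == "__main__":
    print(analyze(make_sample_log()))
```

In the constructed traffic the single-IP bot is blocked on its eleventh lookup because its miss ratio, not its raw rate, gives it away first. The hundred distributed addresses never trip either per-client check, which is exactly why the site-wide breaker exists: once a few hundred lookups have arrived and most of them are misses, the page is taken offline for everyone until staff have looked. The two customers, with two lookups each, are untouched by either mechanism.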
How Consumers Can Protect Themselves From Losing Their Gift Card Balances
- Use Gift Cards As Quickly As Possible – The best way consumers can prevent the loss of their gift card balances is to use them right away. When gift cards sit around activated, they represent a prime target for thieves. This is especially true of gift cards that you’ve had for a while. If you go to check the balance and it shows $0, you may not even remember that you had money left on it – and thieves can get away undetected. So don’t let your gift cards sit around. Use them or sell them as quickly as you can. Doing so will reduce your chances of being targeted by botnets like GiftGhostBot.
- Keep Records Of Your Gift Card Balances – If you can’t spend a gift card immediately, it’s a good idea to keep a comprehensive record of your gift card balances. Check the balance of your card online, and take screenshots or photos of the balance, and the date that you last used the card. By keeping thorough details of your gift card balances, you may be able to recover your lost balance in case of an attack, as you’ll have proof that you’ve been maliciously targeted, and haven’t spent the balance yourself.
- Contact Retailers In Case Of Balance Loss – If you’ve lost a gift card balance to a hacker using a botnet like GiftGhostBot, you should contact the relevant retailer right away. They could be unaware of the attack, so it’s a good idea to warn them as soon as possible, so that they can take appropriate action.

Global botnets like GiftGhostBot do pose a threat to both retailers and consumers, but by following these simple tips, retailers and consumers can both reduce their chances of being targeted by hackers who are seeking gift card information.
Got Gift Cards You Don’t Want? Sell Them Now At EJ Gift Cards!
If you can’t use a gift card, there’s a good chance that somebody else can – and that they’ll pay cash for it! That’s why EJ Gift Cards is in business. We buy all of your unwanted gift cards, and we pay you cash for your remaining balances via PayPal.
So don’t put yourself at risk for gift card loss, and don’t waste the balance that’s sitting around on your unwanted gift cards. Check out our list of accepted gift cards, get an offer for your gift card, and sell it to EJ Gift Cards for cash. It’s just that simple.