Many a Mickle Makes a Muckle
Compared to other types of online fraud, gift card scams are relatively rare. Moreover, victims are often unaware, as many gift cards remain unclaimed anyway. Their value is also relatively low, usually between $25 and $100. But, as the saying goes, many a mickle makes a muckle… The information in Brian Krebs’ story comes from a trusted source in the cybersecurity industry, whom Krebs has dubbed Bill. The story tells the tale of a “gift card gang” that accesses 50,000 to 100,000 inboxes daily to steal low-value gift card and customer loyalty program data. Krebs calls it the “low and slow” approach. Using automated systems, the fraudsters steal small amounts of cash from many victims over a long period of time, which keeps them out of the sights of security researchers and law enforcement agencies. Still, the theft can dampen a happy holiday or joyous anniversary.
Mass-Testing of Usernames and Passwords
Since 2018, Krebs’ source has been watching a gift card gang that mass-tests millions of usernames and passwords. Bill is not sure where the credentials come from, but they likely originate from leaked data, often available for free or for a small fee on the dark web. Of the millions of credentials tested daily, tens of thousands actually work. Unlike most cybercriminals, however, this gang does not exploit the victim’s inbox to send spam or phishing emails or to launch BEC (business email compromise) scams. Its sole focus is capturing gift card and loyalty program data.
Gang Members Leaving a Footprint
In about half the cases, the credentials are checked via IMAP, the email standard used by many email clients, including Mozilla’s Thunderbird and Microsoft Outlook. Bill revealed that there are victims on nearly all major email networks. Rather strangely, ISPs in Germany and France are heavily represented. “With some of these international email providers we’re seeing something like 25,000 to 50,000 email accounts a day get hacked,” Bill said. Unfortunately, it’s not easy to identify the company or determine whose inboxes, or which employees’ inboxes, are being compromised. This kind of mapping is harder still with cloud services like Gmail and Office 365. “Moreover, with the IMAP traffic we’re looking at, the usernames being logged into are any of the million or so domains hosted on Office365, many of which will tell you very little about the victim organization itself.”
Securing Email Traffic
In general, companies have many tools available for securing and analyzing email traffic. They can funnel access through a web page or VPN, for example, and add an extra layer of security with advanced authentication controls such as device fingerprinting and HTTP header anomaly detection. Users themselves can block account takeover by using multi-factor authentication. Bill has shared his data with some of the bigger ISPs in Europe. Sadly, months later, he’s still seeing the same inboxes being compromised. “The problem is that many large ISPs lack any sort of baseline knowledge of or useful data about customers who access their email via IMAP,” explains Bill. Consequently, they can’t tell the difference between legitimate and suspicious logins. Brian Krebs adds that there’s no incentive for ISPs to tackle this issue. “Let’s say you’re an ISP that does have the instrumentation to find this activity and you’ve just identified 10,000 of your customers who are hacked. But you also know they are accessing their email exclusively through an email client. What do you do? You can’t flag their account for a password reset […] and if they start receiving error messages whenever they try to access their email, they are likely going to get super pissed off and call up the ISP mad as hell.”
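As an added illustration of the baseline problem Bill describes above, and of the IMAP mass-testing described earlier (this is example code, not from Krebs’ story or Bill’s data): a small Python detector that builds a per-account baseline of IMAP login sources from earlier logs, flags source IPs that fan out across many accounts with mostly failed logins, and reports the accounts that then logged in successfully from such a source. The Dovecot-style log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Dovecot-style imap-login records (not real traffic); rip = remote IP.
LAST_WEEK = """\
imap-login: Login: user=<alice@example.net>, method=PLAIN, rip=192.0.2.10, TLS
imap-login: Login: user=<bob@example.net>, method=PLAIN, rip=192.0.2.11, TLS
"""
TODAY = """\
imap-login: Login: user=<alice@example.net>, method=PLAIN, rip=192.0.2.10, TLS
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol@example.net>, method=PLAIN, rip=203.0.113.5
imap-login: Login: user=<alice@example.net>, method=PLAIN, rip=203.0.113.5, TLS
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin@example.net>, method=PLAIN, rip=203.0.113.5
imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<frank@example.net>, method=PLAIN, rip=203.0.113.5
imap-login: Login: user=<bob@example.net>, method=PLAIN, rip=203.0.113.5, TLS
"""
LINE = re.compile(r"imap-login: (?P<outcome>Login|Disconnected \(auth failed)[^:]*:"
                  r".*?user=<(?P<user>[^>]+)>.*?rip=(?P<ip>[\d.]+)")

def parse(log):
    """Yield (ip, user, success) for each login attempt in the log text."""
    for line in log.splitlines():
        m = LINE.search(line)
        if m:
            yield m["ip"], m["user"], m["outcome"] == "Login"

def baseline(log):
    """Per account: source IPs seen on successful logins in the history window."""
    seen = defaultdict(set)
    for ip, user, ok in parse(log):
        if ok:
            seen[user].add(ip)
    return seen

def stuffing_sources(log, min_users=4, min_fail_ratio=0.5):
    """Source IPs that fan out across many accounts with a high failure rate."""
    users, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, user, ok in parse(log):
        users[ip].add(user)
        total[ip] += 1
        fails[ip] += not ok
    return sorted(ip for ip in total
                  if len(users[ip]) >= min_users and fails[ip] / total[ip] >= min_fail_ratio)

def suspect_accounts(history, today):
    """Accounts that logged in today from a stuffing source absent from their baseline."""
    known, bad = baseline(history), set(stuffing_sources(today))
    return sorted({user for ip, user, ok in parse(today)
                   if ok and ip in bad and ip not in known[user]})
```

The thresholds are placeholders to be tuned per provider; the point is that neither check works without the per-account history that Bill says many ISPs never collect for IMAP.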
Top Search Terms Used by the Gang
To illustrate the types of gift cards and loyalty programs the gang is after, Brian Krebs shared a spreadsheet of the top inbox search terms the fraudsters use. “The numbers on the left in the spreadsheet represent the number of times during a 24-hour period where the gift card gang ran a search for that term in a compromised inbox,” explains Brian Krebs. Fraudsters can instantly redeem e-gift cards in-store or online, or resell the gift card number, usually recovering 60% to 80% of its value. By converting points or rewards into gift cards, the hackers quickly turn stolen data into hard cash.