A hacker sold about 895,000 gift cards and 330,000 stolen payment cards worth about $38 million on a dark web forum after allegedly compromising a gift card marketplace.
Gemini Advisory says that the payment cards originated from a 2019 data breach associated with the online discount gift card shop Cardpool.com. The website bought unwanted gift cards and sold them at a discount, before shutting down in early 2021.
The seller is a reputable threat actor with many listings since 2010, including databases, credit cards, and personally identifiable information (PII).
Gift cards from over 3,000 brands sold on the dark web
Offers to sell gift cards from 3,010 companies surfaced on a Russian-speaking dark web forum in February 2021.
The gift cards belonged to various companies, including Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target, Walmart, among others.
The starting bidding price of the stolen gift cards was $10,000, with a “buy now” option for a price of $20,000. The threat actor closed the sale within a short time.
Gemini Advisory says that stolen gift cards sell for 10% of their value but the hacker sold this batch for an unusually low amount leading to the quick sale. Gemini speculates that the gift cards were potentially overpriced or had very low balances.
“Typically, compromised gift cards sell for 10% of the card value in the dark web; however, the 895,000 cards offered from the breach were priced at roughly 0.05% of the card value.”
Gemini suggests that cybercriminals could use the gift cards to buy goods and resell them through online shops such as Amazon. This is possible because gift cards require very little verification and are hard to track. The threat actors could also sell the gift cards to other gift card shops like Cardpool.
The company noted that hackers usually monetized stolen gift cards through Cardpool, but the cards were later voided by merchants after customers had bought them.
“Theoretically, Cardpool would then also need to pay back the customer who bought the now-voided gift card but, according to the BBB, the shop frequently refused to refund scammed customers,” Gemini states.
Within a day of selling the gift cards, the same hacker offered 330,000 payment and debit cards for sale on the same dark web hacking forum.
The cards contained the owners’ billing address, card number, expiration date, and the issuing bank’s name. However, they lacked the cardholder’s name and the Card Verification Value (CVV). This is because the Payment Card Industry Data Security Standard (PCI DSS) prohibits merchants from storing customers’ CVV numbers. This suggests that the attacker likely obtained the data by hacking Cardpool’s backend.
“Attackers can acquire backend access to online shops through a variety of methods, including exploiting vulnerabilities in sites’ content management systems (CMS) and brute-forcing admin login credentials,” the report says.
Gemini Advisory ruled out that the hackers used a credit card skimmer such as Magecart because the data would also have included the CVV and cardholders’ names.
The initial bidding price for the payment cards was $5,000 but interested parties could buy the cards immediately for $15,000. The hacker closed the sale within a few days.
According to Gemini Advisory, the cards were offered at a discounted unit price of $0.05, which was unusually low because of the lack of cardholders’ names, CVV, and the fact that the breach potentially occurred in 2019.
“Logically, the more information about a victim that a payment card record includes, the more they will pay. For example, an exposed Card Not Present card—a card that was compromised from a transaction that was not conducted in person—has a median price of $12 in the dark web if it includes the CVV,” the report states.
“Hackers continue to go where the money is and the money has flooded into online gift cards,” Kim DeCarlis, CMO at PerimeterX. “Historically, PerimeterX has seen spikes in gift card scams and hacks on every significant holiday, including Memorial Day, Mother’s Day, Father’s Day, Thanksgiving, and Valentine’s Day.”
#Hacker on a Russian #darkweb forum sold 895,000 gift cards worth $38 million belonging to 3,010 companies. #cybersecurity #respectdata
Click to Tweet
DeCarlis added that gift card theft undermines customer trust, affects revenue, and adds unnecessary costs to the affected organization.
“When an attack happens, security, risk, and operations teams can spend considerable energy, time, and money remediating security issues. We’ve recommended four ways to block these attacks, ranging from random e-card number generation to deploying a system that can distinguish bots from humans. With several big holidays coming up, now is the time for retail e-commerce businesses to work to get ahead of these attacks.”