A hacker had allegedly sold around 895,000 gift cards along with 330,000 stolen payment cards on a Russian darknet forum. The stolen cards amounted to $38 million. The hacker has allegedly compromised a gift card marketplace.
The Gemini Advisory mentioned that the payment cards had originated from a data breach that had taken place back in 2019. The data breach had been associated with the online discount gift card shop named Cardpool.com. The website had bought the unwanted gift cards and then sold them at a discounted price before they shut down their business in early 2021.
The seller had been identified to be a reputed threat actor having many listings since 2010. The listings included credit cards, databases and personally identifiable information or PII.
A Russian darknet forum had offered to sell off gift cards from 3010 companies in February 2021. The gift cards belonged to several companies, including Chipotle, Marriott, Amazon, Airbnb, American Airlines, Dunkin Donuts, Target, Subway, and Walmart. The bidding price of the stolen gift cards started at $10,000. The stolen gift cards that were priced at $20,000 had a “Buy Now” option. However, the threat actors had closed the stolen gift cards sale within a short time.
The Gemini Advisory had mentioned that the stolen gift cards had been sold for 10% of their value. But the hacker sold the cards from the batch in the Russian darknet forum at a meagre price, causing quick sales. Gemini had speculated that the gift cards either had been potentially overpriced or bore very low balances.
“Typically, compromised gift cards sell for 10% of the card value in the dark web; however, the 895,000 cards offered from the breach were priced at roughly 0.05% of the card value.”
Gemini had suggested that the cybercriminals could possibly use the gift cards for buying goods and resell them via online eCommerce platforms such as Amazon. This is possible as the gift cards require limited verification and have been challenging to track. The hackers could also sell the gift cards to other gift card shops such as Cardpool.
The company had also noted that the hackers generally monetized the stolen gift cards via Cardpool. But later, the cards had been voided by the merchants following the customers’ acquisition.
“Theoretically, Cardpool would then also need to pay back the customer who bought the now-voided gift card but, according to the BBB, the shop frequently refused to refund scammed customers,” Gemini states.
Just one day of selling the gift cards, the same hacker had offered 330,000 debit and payment cards for sale on the same Russian darknet forum or a popular hacking forum on the dark web.
The stolen cards contained details such as the owner’s billing address, expiration date, card number and the issuing bank’s name. Nevertheless, they lacked the details such as the Card Verification Value (CVV) and the cardholder’s name. The details were missing owing to the fact that the Payment card Industry Data Security Standard (PCI DSS) prohibits the merchants from storing the customers’ CVV numbers. This suggests that the hacker had likely acquired the data through hacking Cardpool’s backend.
“Attackers can acquire backend access to online shops through a variety of methods, including exploiting vulnerabilities in sites’ content management systems (CMS) and brute-forcing admin login credentials,” the report says.
The Gemini Advisory had ruled out that the threat actors had utilized a credit card skimmer like the Magecart as the data would also have contained the CVV and the cardholders’ names. The initial bidding price for the payment cards had been $5,000. However, the interested parties could purchase the cards immediately for $15,000. The threat actor had discontinued the sale in just a few days.
As per the Gemini Advisory, the stolen cards had been offered at a discounted price of $0.05 per unit. This was unusually low as it did not have the CVV and the card holders’ names, and also the undeniable fact is that the data breach had potentially occurred back in 2019.
“Logically, the more information about a victim that a payment card record includes, the more they will pay. For example, an exposed Card Not Present card—a card that was compromised from a transaction that was not conducted in person—has a median price of $12 in the dark web if it includes the CVV,” the report states.
“Hackers continue to go where the money is and the money has flooded into online gift cards,” Kim DeCarlis, CMO at PerimeterX. “Historically, PerimeterX has seen spikes in gift card scams and hacks on every significant holiday, including Memorial Day, Mother’s Day, Father’s Day, Thanksgiving, and Valentine’s Day.”
DeCarlis had added that the gift card theft had undermined the customer trust. Added unnecessary price to the affected organization and had affected the revenue.
“When an attack happens, security, risk, and operations teams can spend considerable energy, time, and money remediating security issues. We’ve recommended four ways to block these attacks, ranging from random e-card number generation to deploying a system that can distinguish bots from humans. With several big holidays coming up, now is the time for retail e-commerce businesses to work to get ahead of these attacks.”
Source: CPO Magazine
Disclaimer: Read the complete disclaimer here.
