Cybercrooks are using a bot to automate the process of breaking into and draining online gift card accounts.
The software nasty, named GiftGhostBot, attempts to steal cash from money-loaded gift cards provided by a variety of retailers around the globe, according to Distil Networks.
Any website – from luxury retailers to supermarkets to major coffee distributors – with gift card processing capabilities could be a target. Distil has seen this attack on almost 1,000 websites since it first detected it late last month.
Fraudsters are using the bespoke cybercrime tool to generate lists and lists of account numbers, and request the balance for each number. Whenever this brute-force attack throws up an actual balance, rather than an error or zero, the account number is automatically logged.
GiftGhostBot lies about its identity by using rotating user-agent strings (Credit: Distil)
On average, the operators of GiftGhostBot can test as many as 1.7 million gift card account numbers per hour, we're told.
"Like most sophisticated bot attacks, GiftGhostBot operators are moving quickly to evade detection, and any retailer that offers gift cards could be under attack at this very moment," said Rami Essaid, chief exec of Distil Networks.
"While it is important to understand that retailers are not exposing consumers' personal information, consumers should remain vigilant. Check gift card balances, contact retailers and ask for more information."
More technical details on the GiftGhostBot cybercrime tool can be found in a blog post by Distil Networks here. ®