The biggest victims have been online food delivery companies and retailers, says cybersecurity firm PerimeterX.
Cybercriminals have long used e-gift card scams to bilk millions out of unsuspecting victims, but the attacks are typically deployed around the holidays, when people are rushing to stock up on gifts for loved ones.
Attackers are now moving well beyond the holiday season and are leveraging the coronavirus pandemic and the subsequent lockdown to push these e-gift card scams at a rate not seen before.
Researchers with cybersecurity firm PerimeterX have released new data showing an 820% increase in e-gift card scams since March, when most people began staying home to protect themselves from COVID-19.
SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)
“E-gift card attacks usually target well-known brands because their e-gift cards are ‘hot goods’ in the secondary market. Among the brands protected by PerimeterX, we saw e-gift card attacks remain relatively steady in the e-commerce vertical; however, since the COVID-19 lockdown began we observed a skyrocketing increase of 820% in these types of attacks, mostly in online food delivery services,” PerimeterX’s Yossi Barkshtein wrote in a blog post this week.
“In one example, a sophisticated e-gift card attack on a top-5 US retailer lasted around two months—a very long time for a large bot attack. During this time, tens of thousands of requests to e-gift card pages were malicious.”
In an earlier post, Barkshtein wrote that the digital gift card industry will be worth more than $381 billion in 2020, and experts say it will grow to nearly $600 billion by 2026. He cites figures from TotalRetail showing that nearly 20% of all holiday gift card sales in 2019 came from digital gift cards.
Most e-gift card scams take one of two forms: card cracking, in which bots guess or enumerate card numbers until they find ones with a balance, and account takeover, in which stolen customer credentials are used to drain or buy cards. Barkshtein explained that account takeover-based attacks are much more common and usually more successful than cracking attacks. Major companies like Amazon, Apple, Google, Nike, Walmart, Target, Wish, Starbucks, McDonald's, Adidas, and Nordstrom all let their customers give digital gift cards and now have to spend millions investigating incidents related to theft involving the cards.
SEE: Credential stuffing attacks on global media companies are spiking (TechRepublic)
TechRepublic previously reported that gift card scams have become increasingly popular with cybercriminals because they do not require bank accounts or traceable fund transfers, and the cards can usually be sold or traded online for about 70% of their original value.
Cybercriminals typically buy batches of stolen account usernames and passwords, then test them in a distributed attack spread across many proxies or IP addresses so that no single source stands out. Barkshtein noted that many of the people behind these attacks are quite experienced, and a large number of tools are widely available on both the open internet and the dark web.
Once they have confirmed that a stolen account works and isn't blocked by the retailer or website, the cybercriminals can start making money.
“Abusing the account for e-gift cards is done either by using an existing balance or by buying e-gift cards using the account details if possible,” Barkshtein wrote.
SEE: Twitter accounts of Elon Musk, Bill Gates and others hijacked to promote crypto scam (TechRepublic)
“The monetization can be done in three main ways: use the stolen gift card balance for purchases, use the account balance to buy e-gift cards and sell them on secondary markets, and convert e-gift cards into cash on dedicated platforms such as cardcash.com.”
He shared graphs showing several spikes in this illegal activity over the past few months, highlighting how some attacks continue for months while others are relatively short.
PerimeterX pulled data from its own customers to show the range of attacks. For one top-five US retailer customer, the bot attack lasted for two months, with thousands of malicious e-gift card page requests.
For a top vacation brand, PerimeterX researchers found that during spikes, malicious traffic accounted for as much as 99% of total traffic to the e-gift card page. The same was true for another food delivery company the firm protects, and the study includes charts showing that alongside the increased demand caused by the pandemic, there was an increase in both the number and the breadth of attacks.
SEE: Ransomware accounts for a third of all cyberattacks against organizations (TechRepublic)
“E-gift card bot attacks are often hard to detect. Most of these attacks are performed using botnets that are highly distributed and use multiple IP addresses, multiple ASNs and many different devices. The result is attacks that mimic human behavior and are hard to detect and block,” added Barkshtein.
He went further into the attack on the top-five retailer, showing how the cybercriminals used hundreds of IP addresses to “manipulate and bypass the bot protection,” something Barkshtein said was indicative of experienced and sophisticated hackers.
The blog post offered several steps websites and retailers can take to protect themselves from these damaging attacks, which are increasingly proving costly for businesses. First, companies should generate e-gift card numbers with enough randomness that they cannot be predicted from other cards or guessed by brute force.
“To prevent cybercriminals from stealing e-gift cards and emptying balances, make it harder for them. Simple or similar combinations of digits and characters are easily guessed by standard algorithms used for card cracking. If you choose to work with a third-party vendor for generating e-gift cards, always perform proper due diligence, especially regarding the vendor’s data and information security,” Barkshtein noted.
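To make the card cracking point concrete, here is an added example (written for this article, not code from PerimeterX or any retailer) that puts a guessable card-number scheme beside an unguessable one and runs a toy cracking attempt against each. The `6012` prefix, the 16-character format, the mod-36 check symbol and the attacker's guess budget are assumptions chosen to make the difference visible; real issuers use their own formats.

```python
"""Guessable vs. unguessable e-gift card codes, with a toy cracking run.

Added example (not PerimeterX's code): the formats, the 6012 prefix and the
attacker budgets are assumptions chosen to make the difference visible.
"""
import math
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols, no lower case


def weak_code(n: int) -> str:
    """Predictable scheme: fixed prefix + zero-padded issue counter.
    One purchased card reveals the pattern; its neighbours are live cards."""
    return f"6012{n:012d}"


def check_char(body: str) -> str:
    """Weighted mod-36 check symbol so malformed guesses can be rejected
    before any database lookup (it adds no secrecy, only cheap filtering)."""
    total = sum((i + 1) * ALPHABET.index(c) for i, c in enumerate(body))
    return ALPHABET[total % len(ALPHABET)]


def strong_code(body_len: int = 15) -> str:
    """CSPRNG body + check symbol; no relationship between issued codes."""
    body = "".join(secrets.choice(ALPHABET) for _ in range(body_len))
    return body + check_char(body)


def well_formed(code: str) -> bool:
    """Cheap syntactic filter applied before hitting the card database."""
    return (len(code) == 16 and all(c in ALPHABET for c in code)
            and check_char(code[:-1]) == code[-1])


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of codes of this shape (check symbol excluded)."""
    return length * math.log2(alphabet_size)


def expected_guesses_per_hit(space_size: float, issued: int) -> float:
    """Average random guesses needed to land on one of `issued` live cards."""
    return space_size / issued


def crack_sequential(known: str, valid: set, budget: int) -> int:
    """Attacker bought one weak card and walks the counter upward."""
    base = int(known[4:])
    return sum(1 for i in range(1, budget + 1) if weak_code(base + i) in valid)


def crack_random(valid: set, budget: int) -> int:
    """Attacker fires `budget` well-formed random guesses at a strong scheme."""
    return sum(1 for _ in range(budget) if strong_code() in valid)


if __name__ == "__main__":
    weak_issued = {weak_code(n) for n in range(500_000, 501_000)}  # 1,000 live cards
    strong_issued = {strong_code() for _ in range(1_000)}
    print("sequential cracking hits:", crack_sequential(weak_code(500_000), weak_issued, 2_000))
    print("random guessing hits:", crack_random(strong_issued, 2_000))
    print(f"strong space: {guess_space_bits(15, 36):.1f} bits; "
          f"expected guesses per hit: {expected_guesses_per_hit(36 ** 15, 1_000):.2e}")
```

With 1,000 live cards, the sequential scheme gives up 999 of them to an attacker who bought a single card and tried 2,000 neighbours; the random scheme gives up none, because roughly 2.2 × 10^20 guesses are needed per hit. The check symbol is there only so obviously malformed guesses can be dropped before they consume a database lookup; the protection comes from the entropy of the body, which is why "complex" numbers in the recommendation above means unpredictable, not merely long.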
“Second, with bots constantly improving and mimicking user behavior, web and mobile application owners should pay more attention to advanced automated threats. That includes closely monitoring application traffic and specifically traffic patterns on e-gift card-related pages.”
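The detection difficulty Barkshtein describes (one attack spread over many IP addresses, ASNs and devices, so no single source looks abnormal) and the monitoring he recommends suggest looking at the e-gift card endpoint as a whole rather than at each client. The following added example (not PerimeterX's code, nor any retailer's) runs a per-IP rate rule and an endpoint-level aggregate over constructed log lines in an assumed `<timestamp> <ip> <asn> "<method> <path>" <status>` format; the `/gift-card/balance` path, the 404 status for an unknown card and the thresholds are assumptions.

```python
"""Endpoint-level detection of a distributed e-gift card cracking run.

Added example (not PerimeterX's code). The log format, thresholds and
sample traffic below are constructed for illustration.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed log format: <ts> <client_ip> <asn> "<method> <path>" <status>
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<asn>AS\d+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)
BALANCE_PATH = "/gift-card/balance"  # assumed endpoint name


@dataclass(frozen=True)
class Event:
    ts: str
    ip: str
    asn: str
    path: str
    status: int


def parse(lines):
    """Parse log lines; silently skip lines that do not match the format."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["ip"], m["asn"], m["path"], int(m["status"])))
    return events


def per_ip_alerts(events, path, limit):
    """Classic per-source rule: IPs with more than `limit` requests to `path`."""
    hits = Counter(e.ip for e in events if e.path == path)
    return {ip for ip, n in hits.items() if n > limit}


def endpoint_summary(events, path):
    """Aggregate the endpoint's traffic regardless of source."""
    on_path = [e for e in events if e.path == path]
    failed = sum(1 for e in on_path if e.status != 200)
    return {
        "total": len(on_path),
        "failed": failed,
        "fail_ratio": failed / len(on_path) if on_path else 0.0,
        "distinct_ips": len({e.ip for e in on_path}),
        "distinct_asns": len({e.asn for e in on_path}),
    }


def looks_like_distributed_cracking(summary, min_total=20, min_fail_ratio=0.5,
                                    min_ips=10, min_asns=3):
    """Many failed balance lookups spread over many sources is the signature."""
    return (summary["total"] >= min_total
            and summary["fail_ratio"] >= min_fail_ratio
            and summary["distinct_ips"] >= min_ips
            and summary["distinct_asns"] >= min_asns)


def constructed_sample():
    """Constructed traffic: 24 one-shot probes from 24 IPs across 6 ASNs (each
    failing with 404 'no such card'), plus 6 real lookups from 3 customers."""
    asns = ["AS64496", "AS64497", "AS64498", "AS64499", "AS64500", "AS64501"]
    lines = [
        f'2020-06-01T12:00:{i:02d}Z 203.0.113.{i + 1} {asns[i % 6]} "POST {BALANCE_PATH}" 404'
        for i in range(24)
    ]
    lines += [
        f'2020-06-01T12:00:{30 + i:02d}Z 198.51.100.{i % 3 + 1} AS65000 "POST {BALANCE_PATH}" 200'
        for i in range(6)
    ]
    return lines


if __name__ == "__main__":
    ev = parse(constructed_sample())
    print("per-IP rule fired on:", per_ip_alerts(ev, BALANCE_PATH, limit=10))
    s = endpoint_summary(ev, BALANCE_PATH)
    print(s, "-> distributed cracking:", looks_like_distributed_cracking(s))
```

On the constructed minute of traffic the per-IP rule never fires, because every attacking address sends exactly one request, which is precisely the behavior that makes these botnets look human. The endpoint aggregate sees 24 failed lookups out of 30, from 27 addresses in 7 ASNs, and flags it. In production the same counters would be kept per sliding window and joined with device and session signals; the point is that the unit of analysis has to be the gift card page, not the client.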