Distil Networks Uncovers Sophisticated Gift Card Fraud Bot

By   ISBuzz Team
Writer , Information Security Buzz | Mar 27, 2017 03:30 am PST

Major Retailers Facing GiftGhostBot Attacks Attempting to Defraud Consumers

SAN FRANCISCO. Distil Networks, the global leader in bot detection and mitigation, today announced that its analyst team has uncovered an Advanced Persistent Bot (APB) that targets gift card payments processes on websites. The bot, named GiftGhostBot, is attempting to defraud consumers from the money loaded on gift cards from a variety of retailers around the globe. Any website, from luxury retailers, to supermarkets, to major coffee distributors, with gift card processing capabilities could be a target. Distil has seen this attack on almost 1,000 customer websites.

Beginning on Feb 26, 2017, the Distil Networks Security Analyst team noticed increased bot activity on customer websites with gift card processing capabilities. Fraudsters are using malicious automation to test a rolling list of potential account numbers and requesting each balance. If successful in obtaining the balance, fraudsters can resell the account number on the dark web or use them to purchase goods. GiftGhostBots are being distributed across worldwide hosting providers, mobile ISPs, and data centers, executing JavaScript to avoid detection. On one customer website, the analyst team recorded 4 million bad bot requests per hour – nearly 10 times their normal level of traffic. On average, the operators of GiftGhostBot  can test as many as 1.7 million gift card account numbers per hour.

“Like most sophisticated bot attacks, GiftGhostBot operators are moving quickly to evade detection, and any retailer that offers gift cards could be under attack at this very moment,” said Rami Essaid, CEO of Distil Networks. “While it is important to understand that retailers are not exposing consumers’ personal information, consumers should remain vigilant. Check gift card balances, contact retailers and ask for more information. In order to prevent resources from being drained, individuals and companies must work together to prevent further damage.”

GiftGhostBot has multiple features that confirm it is an APB:

  • It is lying about its identity by rotating user-agent strings.
  • It is heavily distributed across various hosting providers, mobile ISPs, and data centers all over the world.
  • It is technically sophisticated when it executes JavaScript, mimicking a normal browser.
  • It is persistent in that if it is blocked using one technique, it adapts and returns using a different attack technique.

Additional Resources

Recent Posts