Cyber-thieves Using GiftGhostBot to Steal Gift Card Balances

Distil Networks discovers a new advanced persistent bot that is stealing money from gift cards at retailers around the world.

Gift Card Theft Bot

Security vendor Distil Networks announced on March 24 that it has discovered an automated bot it is calling GiftGhostBot that is being used to steal retail gift card balances in a global attack.

To date, Distil has seen GiftGhostBot attack approximately 1,000 customer websites, though the actual number of sites impacted globally could be significantly more. The total financial impact from the GiftGhostBot attack isn't known yet either.

"We can't determine an exact dollar amount because we don't know the value of the gift cards themselves," Rami Essaid, CEO of Distil Networks, told eWEEK. "We have to go based on what our clients are telling us and other outside sources.

"With that said, it's safe to say that over the past few years, there have been tens of millions of dollars lost to gift card fraud," he added.

Distil is labeling GiftGhostBot as an advanced persistent bot (APB) as it is sophisticated, steadily evolving and very aggressive. Distil first detected GiftGhostBot on Feb. 26 after investigating an issue a customer raised. Distil is in the business of defending websites against bot attacks. In a 2016 video interview with eWEEK, Essaid explained how his company's platform works.

"One of our customers contacted us to ask why their gift card portion of their website was up, when many of their competitors were down," Essaid said. "The simple answer was that Distil was already protecting them."

As part of its response to the customer, Distil's analyst team began an investigation and examined the growth of bad bot traffic on gift card pages. During the course of the investigation, Distil implemented different techniques to become even more aggressive in blocking the bot but noticed that it would appear blocked but reappear later using different methods to stay hidden.

"We gave it the name GiftGhostBot because of its appearing and disappearing behavior," Essaid said.

GiftGhostBot has an automated scanning capability that tests potential gift card account numbers, requesting a balance from the retailer. If the retailer website returns a positive balance for the gift card, the criminals behind GiftGhostBot move to the next stage of the attack, attempting to resell the gift card account and its unused balance.

Digging deeper, Distill looked across its customer base to see if others had been impacted and found that GiftGhostBot had attacked almost 1,000 sites.

"Our first concern was to make sure our customers were protected," Essaid said. "We made the decision to reveal the information only after seeing how many other websites were affected."

Essaid emphasized that retailers should not be blamed for the GiftGhostBot attack.

"We can't stress enough that the retailers are in no way at fault," he said. "The person at fault is the bot operator, which is most likely a criminal enterprise."

While retailers are not at fault, Distil has several recommendations for them to help minimize the risk of GiftGhostBot. One recommendation is that organizations include a CAPTCHA challenge to help ensure a human, as opposed to a bot, is making a balance request. In addition, Distil suggests that retailers implement rate limiting for gift card balance requests to reduce the risk of automated attacks.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.