[masraum]

https://www.consumerreports.org/scams-fraud/gift-card-scam-thieves-can-drain-money-off-cards/

Quote:

A Simple Scam

The process of stealing the money off gift cards can vary. With the simplest method, a hacker takes cards off the rack, writes down the gift cards' numbers, and scratches off the strip on the back of the cards to get the security codes.

Once he has that information, he puts replacement strips—easily available online—over the codes and exits the store.

Later, after you buy one of those cards and load money onto it, the hacker gets an alert that tells him that the funds have been loaded onto the card.

"The crooks can see as soon as someone activates the card, because they've automated all this with software that periodically checks the card balance via the internet," says David Farquhar, a unit chief within the FBI's Criminal Investigative Division who explained the crime techniques to Consumer Reports last year.

But some gift card providers have safeguards. "If a card has not yet been sold and the number has been pinged online multiple times, the retailer will shut that card down," says Teri Llach, chief marketing officer for Blackhawk Network, a major provider of gift cards in-store and online. "The system identifies cards that may be compromised."
Laundering The Money

Because gift cards generally can't be redeemed for cash, after the crook finds cards with funds on them, he then starts a roundabout process of laundering the money.

For example, he might place an ad on a consumer-to-consumer online marketplace or auction website for an item that he doesn't actually own, say, a video game console that sells for $600 in a retail store but that he is selling for $500. When a buyer quickly snaps up that deal, the buyer sends his clean money to the fraudster.

The criminal, meanwhile, uses the dirty money loaded onto the stolen gift card to purchase the console from an online retailer, which ships the game player right to the buyer.
Botnet Attack

More sophisticated hackers skip the physical gift cards on racks in stores and go directly to the websites where consumers access their gift card balances. There, the hackers attack using botnets, networks of thousands of hijacked individual personal computers and Internet of Things (IoT) devices, which carry out automated actions.

The botnets test millions of combinations of gift card account numbers (which may follow discoverable sequencing patterns) and stolen PIN passwords to try to log into online gift card accounts that have money loaded onto them. The botnets try to avoid detection by mimicking individual human browsing behavior and blending in with a website’s genuine visitor traffic.

In one such “brute force” attack on a gift card website earlier this year, a botnet dubbed GiftGhostBot logged up to 4 million gift card balance requests per hour by testing a rolling list of potential account numbers and PINs, says Rami Essaid, CEO of Distil Networks, a company which detects and defends businesses against botnets. When the botnet finds a money balance, the hackers can sell the account number on the criminal dark web or use it to purchase goods directly.

“More than 90 percent of the login activity for online accounts set up to manage gift cards is coming from botnet attackers who want to take over accounts,” says Shuman Ghosemajumder, chief technical officer for Shape Security, another firm that defends company web and mobile applications from automated cyberattacks. Not all gift card companies use botnet defense services.