by Paul Ducklin
You might be forgiven for thinking that cybercrime is almost all about ransomware and cryptocoins these days.
In a ransomware attack, the crooks typically blackmail you into sending them cryptocurrency in return for the decryption key that unscrambles your data (or for not leaking or selling on the copy they stole before scrambling it).
In a cryptocoin attack, the crooks typically take your cryptocurrency for themselves, perhaps by exploiting a bug in the trading software you use, or by stealing your private keys so they have direct access to your cryptocurrency wallet.
This sort of criminality sometimes involves amounts reaching tens of millions of dollars, or even hundreds of millions of dollars, in a single attack.
But gift card fraud still fills a distressing niche in the cybercrime ecosystem, where a gang of crooks redeem gift cards that you paid for, either because you were convinced that those cards were earmarked for something else, or because the crooks got temporary access to one of your online accounts that allowed them to buy gift cards on your dime.
Indeed, the US Department of Justice announced this week the indictment of four suspected gift card scammers, and alleges that these four had ended up with more than 5000 fraudulently obtained cards to spend on themselves.
…but if we reasonably assume an average of $200 a gift card (we know that in many scams, crooks come away with more than that on each card), we’re still looking at $1,000,000 of ill-gotten gains in this court case alone.
And the people who lose money in these scams aren’t multinational companies, or cyberinsurers, or megacorporations with financial reserves to tide them over.
The victims here are almost always people just like you, or your grandmother, or your favourite aunt, or your innocent and well-meaning friends.
Buying or acquiring gift cards with someone else’s money is a sneaky trick, because gift cards are generally intended to be sent to someone else rather than to show up at the purchaser’s house.
Cybercriminals who had a few minutes of access to the online account you have with your favourite consumer goods retailer, for example, might not be able to make much money out of you by directly ordering a bunch of brand new smart TVs or games consoles.
Sure, jobbing crooks love products of that sort because they’re easy to “flip” as second-hand items on online trading sites. (We’ve heard of crooks boasting that they can “sell” hot items like phones and widescreen TVs online before they actually steal them, thus not only matching supply to demand but also minimising the time needed to “hold” the hooky items.)
But blindly ordering such products online using someone else’s account leaves the crooks with a tricky problem: how to effect delivery?
If the delivery service will only supply items to the address that the card is registered to, the crooks have to hang around your property in the hope of intercepting the delivery before you notice it yourself and realise something is afoot.
If the delivery service will accept alternative addresses, then the crooks are still stuck with using a location at which they can be caught in the act of acquiring property that they can’t reasonably account for.
Gift cards, however, are intended to be bought by person X and then transmitted, typically electronically, to recipient Y for them to spend on themselves as they choose, perhaps even in another country.
These days, you typically just receive a “here’s a gift for you” email containing a magic code or web URL you can use to redeem the card, with the expectation that you’ll spend it on yourself, either online or in a store of your choice in a location that suits you.
Indeed, some artisan cybergangs seem to specialise in gift card scams, like the group that the Sophos Rapid Response Team came across in the runup to Christmas last year.
In this scam, the crooks got into a company network, but rather than scouring the servers for data to steal or unleashing ransomware across the whole network, they logged in manually but systematically to computer after computer, as end user after end user.
As they tried out each computer, they fired up the local user’s browser to check whether they’d left themselves logged into their email account.
If so, the crooks attempted to access a wide range of likely personal accounts for that user, either getting straight in because the user hadn’t logged out from those accounts either, or doing an immediate password reset and capturing the reply via the already-compromised email account.
Then, for each user, hundreds in all, the crooks attempted to buy gift card after gift card, for which they needed to supply little more than an email address for the recipient of the “gift”.
Fortunately, in this case, few of the users thus hacked had left credit card details on file for the e-commerce sites involved, so the crooks didn’t get away with much…
…and thus the trick was rumbled (and Sophos Rapid Response called in) because numerous users noticed suspicious uncompleted purchases in their virtual shopping carts, and raised the alarm.
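The "computer after computer, user after user" pattern described above leaves a recognisable trail in logon audit data, and a defender need not wait for users to spot odd items in their shopping carts. The following detector is an added example, written for this article and not code from Sophos Rapid Response or from the original page; the log lines, the field layout, the source address and the thresholds are all constructed assumptions, loosely modelled on Windows logon events (type 2 = interactive at the console, type 10 = remote interactive) rather than a real export from any product.

```python
"""
Added example: flag a single source address that logs on interactively as
many different accounts on many different hosts inside a short window, the
behaviour the article attributes to the gift card gang. Everything below
(log format, hostnames, users, addresses, thresholds) is constructed for
illustration and is not from the original article or any Sophos tool.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: time, workstation, account, logon source, logon type.
SAMPLE_LOG = """\
2021-12-13T09:02:11 WS-017 alice    10.1.4.9   2
2021-12-13T09:05:47 WS-023 bob      10.1.4.12  2
2021-12-13T22:14:03 WS-041 carol    10.1.9.200 10
2021-12-13T22:17:40 WS-042 dave     10.1.9.200 10
2021-12-13T22:21:09 WS-043 erin     10.1.9.200 10
2021-12-13T22:25:55 WS-044 frank    10.1.9.200 10
2021-12-13T22:30:12 WS-045 grace    10.1.9.200 10
2021-12-14T08:59:30 WS-017 alice    10.1.4.9   2
"""

INTERACTIVE_TYPES = (2, 10)  # console and RDP logons (assumed numbering)


def parse_log(text):
    """Turn the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, src, ltype = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "user": user.lower(),
            "src": src,
            "type": int(ltype),
        })
    return events


def find_account_hopping(events, window=timedelta(hours=1),
                         min_users=4, min_hosts=4):
    """Return {source: (users, hosts)} for every logon source that, within
    any sliding window of the given length, logged on interactively as at
    least min_users distinct accounts on at least min_hosts distinct hosts.
    A normal user re-logging onto their own machine never trips this."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["type"] in INTERACTIVE_TYPES:
            by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e["user"] for e in chunk}
            hosts = {e["host"] for e in chunk}
            if len(users) >= min_users and len(hosts) >= min_hosts:
                seen_users, seen_hosts = findings.get(src, (set(), set()))
                findings[src] = (seen_users | users, seen_hosts | hosts)
    return findings


if __name__ == "__main__":
    for src, (users, hosts) in find_account_hopping(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {len(users)} accounts across {len(hosts)} hosts "
              f"-> {sorted(users)}")
```

On the constructed data, only the 10.1.9.200 source trips the rule (five accounts on five workstations in sixteen minutes), while alice logging onto her own machine on consecutive mornings does not. The thresholds are deliberately conservative; a help desk jump host will legitimately look like this, so in practice you would exclude known administrative sources and treat a hit as a lead for the follow-on checks the article implies, such as a burst of password reset emails landing in the affected users' mailboxes.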
Romance scammers also like to arrange for gift card “payments”, luring their victims – who have often been tragically tricked into thinking they’ve found a genuine friend, or even their future spouse, via a fraudulent profile on a dating site – to remit them money this way.
Asking for gift cards no doubt feels more intimate, and is perhaps less widely linked with fraud in victims’ minds, than the old-school approach of demanding cash money paid via a wire transfer service.
LEARN MORE ABOUT ROMANCE SCAMMERS
In this recent DOJ indictment, the scam was operated using the sort of network of “affiliates” or “associates” that commonly crop up in modern cybercriminality, everywhere from malware-as-a-service gangs to mobile phone fleeceware scammers.
The DOJ alleges that:
[Three of the defendants] obtained over 5,000 gift cards from a group known as the “Magic Lamp.” [These defendants] caused the gift cards to be distributed to “runners” like [the fourth defendant], who used the funds on the cards at Target stores in Los Angeles and Orange County and elsewhere to purchase, among other items, consumer electronics and other gift cards. Through the purchases, returns and other transactions at multiple Target stores, the defendants and their co-conspirators sought to conceal the fact that the gift cards had been originally funded with fraudulent proceeds. [. . .]
[The perpetrators] induced victims to send proceeds to defendants’ associates, and defendants then conspired to launder the proceeds.
If you haven’t watched our “romance scammers” video above, please do so – not just to stop yourself from getting waylaid by golden-tongued false friends, but also to learn some tips for how to approach any friend or family member who gets sucked in by these manipulative criminals.
Scammers of the “send me a gift” sort aren’t just slick at parting their fake sweethearts from their money, but also well-practised in coaching their victims on how to reject any suggestions from their genuine friends that they are part of a fraud.
In some cases, this ultimately results in the victim not only being drained of money but also alienated from their friends and family.
And never use gift cards as a payment option for non-personal matters, no matter how convincing the person at the other end might sound about how gift cards are a convenient way of saving time, avoiding bank fees, speeding up payment, circumventing possible corruption at a specific government office, or any of a number of excuses that are commonly trotted out by crooks.
In the words of Acting US Attorney Tracy Wilkison from California:
This case offers an important reminder to consumers that gift cards are for presents to friends and loved ones – they should never be used for payments to any government or corporate entity. Don’t be fooled by callers claiming to be with a government agency, a bank or any other institution demanding that you purchase gift cards. There is no reason to purchase a gift card to resolve a problem with an account, your Social Security number or a supposed criminal case.
This advice seems so obvious when it’s written down in plain English, but don’t forget that if you or one of your more vulnerable friends or family members get into the habit of talking to one of these scamming “associates” on a regular basis, it’s easy to end up yielding to their blandishments when they act lovingly, or feeling threatened when they pile on the verbal pressure.
This sort of scammer works at this sort of crime all day, every day as if it were a regular job, so you can be sure that they not only have the gift of the gab, but also know all the social engineering tricks that lure people into doing things they usually never would.
Simply put: if in doubt, don’t give it out.
LEARN MORE ABOUT SOCIAL ENGINEERING