In March 2020, customers of clothing retailer J. Crew received a concerning email from the company warning that hackers might have compromised their usernames and account passwords in a credential-stuffing attack.
According to a filing with the State of California, attackers had grabbed sensitive account information such as credit card types, partial payment card numbers, expiration dates and billing addresses. These accounts also store shipping addresses and the balances of gift cards that customers have loaded onto them. J. Crew said the attack affected fewer than 10,000 customers, but it had been going on for nearly a year, making it difficult for the retailer to gauge its full extent.
That the attack could run undetected for so long is itself a red flag: credential-stuffing attacks are hard to detect and can operate under the radar indefinitely. Online gift card balances are a favorite target in these attacks, because users rarely notice when attackers drain them and the transactions do not pass through the rigorous fraud detection systems run by credit card networks and other payment processors.
J. Crew was not alone in suffering this type of attack. U.K. supermarket giant Tesco suffered a similar massive attack that affected 600,000 of its 12 million Clubcard loyalty program members in March 2020. In that attack, cybercriminals tried large numbers of username and password combinations pulled from a dark web database of stolen credentials. Users often keep the same passwords across multiple accounts because that is easier to manage and remember; credential stuffers count on this security lapse and exploit it en masse by testing thousands or millions of combos against different online services such as Nintendo and Tesco. Another similar attack recently hit video conferencing service Zoom (500,000 accounts stolen).
So-called “credential stuffing” or account takeover (ATO) attacks like that against J. Crew likely foreshadow the coming season when attackers step up their campaigns during the height of holiday shopping. The shift to e-gift cards for presents means more and more consumers will have bigger balances on their e-gift cards in the coming months. Retailers, however, should not despair. They can prevent holiday harm and safeguard their customers’ accounts and their brand reputations.
The rapid rise of e-gift card attacks
As shoppers have spent less and less time in malls, in-store gift card usage declined. Conversely, e-gift card usage grew steadily with online commerce.
COVID has turbocharged this growth as more and more shoppers opted for digital plastic over physical gift cards. According to the 2020 Consumer Pulse: Gift Cards Report, a survey of 16,000 consumers compiled by payment technology company InComm, online purchases of gift cards grew by more than 100% in the first two quarters of 2020, far outpacing the 24% year-over-year growth for the same period in 2018 and 2019.
According to a July 2020 survey released by branded digital payments provider Blackhawk Network, over half of all shoppers queried had received a digital gift card. What’s more, those digital gift cards are as likely to be used by the purchaser as to be given as a gift, indicating a fundamental shift in consumer behavior towards self-gifting. Gifters who purchased the cards for others did so in part because they could send the cards immediately, with less hassle than with physical cards.
Signs of a holiday e-gift card perfect storm are brewing
That growth in digital gift cards should accelerate further into the first holiday season fully impacted by the massive changes in consumer behavior that began in mid-March 2020. Attackers follow the money, and the money has moved into online shopping. Last year, the U.S. Federal Bureau of Investigation issued a rare warning about scammers asking for payment in gift cards. That warning highlighted the rise of gift cards as a black-market currency.
In recent months, we have seen clear signs that attackers are focusing more firepower on e-gift card attacks. We recorded an 820% increase in e-gift card attack attempts against food delivery services in the months after the COVID pandemic became widespread. In the July 4 holiday shopping rush, we saw another small spike in e-gift card attack activity. With the coming holidays likely to be the busiest ever for online shopping, the volume of dollars flowing into e-gift cards is likely to hit record levels.
How cyber criminals steal e-gift cards
There are two primary types of e-gift card attacks: e-gift card “cracking” and account takeover (ATO) based e-gift card attacks. Cracking involves brute-force attempts to guess passwords on loyalty account or gift card log-in pages. These attacks require a lot of computing power, which is expensive, and are relatively easy to spot. In comparison, ATO e-gift card attacks are both more common and have better success rates than cracking attacks.
That success rate is likely driven by the past decade’s constant data breaches, which leaked millions and perhaps billions of username and password combinations to bad actors. People tend to reuse the same password in multiple places: one survey by password manager LastPass found that 50% of people don’t bother to change their passwords for breached accounts even after a breach.
When they are well executed, e-gift card bot attacks are difficult to detect. Many attackers use highly distributed botnets with multiple IP addresses and many different devices or simulated devices. These attacks closely resemble normal human behavior, with a slow and steady drip of attempts to log in to e-commerce sites. To improve the hit rate of their e-gift card attacks (and further reduce the chance of detection), hackers can purchase, at a premium, already-validated combinations of username (or email) and password on the dark web.
For the most part, e-gift card attackers are knowledgeable malicious hackers familiar with a wide variety of tools and techniques. They can pick from a growing list of tools, like Sniper and OpenBullet, all of which are for sale for a low price ($100 or less) or free to download online. Attackers use “residential proxies” to disguise attacks as normal traffic. Bundles of these proxies are sold online at relatively affordable prices, for less than $50 per month. It is also simple to purchase “combo lists,” which contain username (or email) and password combinations, on the dark web. Prices for username and password combos range from a few cents per record for unvalidated combinations to $45 per record for clean, well-validated lists.
E-gift card hackers usually test their combos by mounting an initial ATO attack against an unsuspecting target with relatively easy defenses. This helps them validate the list. Some hackers merely seek to validate lists and sell them online. Others then choose to take the attack to the next level and execute ATO attacks with those credentials against multiple sites, taking advantage of users’ tendency to reuse passwords and username (or email) combos.
How merchants can stop holiday e-gift card crime
Multiple layers of defense are required to stop e-gift card attacks effectively. First, merchants should make sure that they are using basic security tools like Web Application Firewalls. These can block the more blatant botnet attacks that use higher-volume methods, which degrade site performance or even crash a site. To combat ATO attacks, merchants may want to require two-factor authentication (2FA) to verify identity and provide an extra layer of security. That said, 2FA can slow down transactions and cause more abandonment by legitimate shoppers.
More sophisticated technology solutions can examine a combination of behavior and characteristics of each log-in attempt to spot behaviors or other indicators that it might be a malicious e-gift card bot. These solutions use machine learning to identify shared characteristics of e-gift card bot attacks and interrogate or block attempts to access a log-in page that appear suspicious.
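As an added illustration of the two attack shapes the article describes (this is not PerimeterX code), here is a toy detector in Python over a constructed auth log: a single noisy IP is caught by a per-IP rule, while the distributed one-attempt-per-proxy drip only shows up when you look across accounts within a time window. The log format, IP addresses, usernames and thresholds are all assumptions made for the example.

```python
from collections import defaultdict
# Constructed sample auth log (not real data), "<epoch_sec> <ip> <username> <OK|FAIL>":
# ts 100-107 is a one-try-per-proxy distributed drip mixed with real users; ts 130-134 is one noisy IP.
SAMPLE_LOG = """\
100 203.0.113.10 alice FAIL
101 203.0.113.11 bob FAIL
102 198.51.100.8 erin FAIL
103 203.0.113.12 carol FAIL
104 203.0.113.13 frank FAIL
105 203.0.113.14 grace FAIL
106 203.0.113.15 heidi OK
130 192.0.2.5 u1 FAIL
131 192.0.2.5 u2 FAIL
132 192.0.2.5 u3 FAIL
133 192.0.2.5 u4 FAIL
134 192.0.2.5 u5 OK
"""

def parse_log(text):
    """Parse the constructed log into (ts, ip, user, success) tuples."""
    return [(int(ts), ip, user, res == "OK")
            for ts, ip, user, res in (line.split() for line in text.splitlines())]

def spraying_ips(events, min_users=5, max_success_rate=0.3):
    """Signal 1: a single IP cycling through many usernames with a low hit rate."""
    users, tries, hits = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, user, ok in events:
        users[ip].add(user)
        tries[ip] += 1
        hits[ip] += ok
    return sorted(ip for ip in users
                  if len(users[ip]) >= min_users and hits[ip] / tries[ip] <= max_success_rate)

def distributed_drip_windows(events, window=20, min_accounts=5, min_fail_ratio=0.5):
    """Signal 2: in one window, many accounts each fail from an IP that touches no other
    account while the site-wide failure ratio is high; returns the flagged window starts."""
    buckets = defaultdict(list)
    for ev in events:
        buckets[ev[0] // window * window].append(ev)
    flagged = []
    for start, evs in sorted(buckets.items()):
        ip_to_users = defaultdict(set)   # failing IP -> accounts it failed against
        for _, ip, user, ok in evs:
            if not ok:
                ip_to_users[ip].add(user)
        fails = sum(1 for ev in evs if not ev[3])
        lone = set().union(*(u for u in ip_to_users.values() if len(u) == 1))
        if len(lone) >= min_accounts and fails / len(evs) >= min_fail_ratio:
            flagged.append(start)
    return flagged
```

A real user who mistypes once (erin) also counts as a lone failure, which is why the second rule keys on how many such accounts appear per window rather than on any single one.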
E-commerce operators can also use novel challenge technologies that are easier for humans than traditional CAPTCHAs but inaccessible even to the most modern CAPTCHA-cracking systems. These human challenges can appear quite simple – like turning an animal to face upwards or downwards – but are much harder for bots because they require an understanding of context rather than finding a semi-obfuscated pattern of letters, numbers or symbols.
To ensure such systems are installed and tuned before the coming Black Friday and Cyber Monday shopping rush, merchants should think now about their defense strategy and what they need to do to stop the e-gift card bots.
Tackling e-gift card fraud early will make for a happier holiday season for merchants. They will spend less time, money and brand equity combating e-gift card attacks in what will likely be the most epic holiday shopping season on record for digital gifts.
PerimeterX provides security services for websites and mobile applications.