The growing threat of bot-based gift card fraud
John Witter • October 27, 2020
With Black Friday arriving on 27 November, many consumers are already planning their shopping sprees to get the best deals ahead of the Christmas season. And millions more will be rushing to get their hands on bargains on the day itself.

But with the increased popularity of digital gift cards for making online purchases, there is a growing threat that shoppers and e-commerce businesses need to be wary of: gift card fraud.
Gift card fraud

This bot-based type of attack comes in two forms: gift card cracking and account takeover. Both rely on batches of stolen account usernames and passwords that malicious actors use to launch distributed attacks through multiple proxies or IP addresses.

Gift card cracking involves automated bots guessing millions of combinations of digits, usually based on known gift card numbers. Once the bots gain access, criminals can check balances and empty the cards by purchasing items or transferring funds to other cards.

Attacks via account takeover deploy bots to take unauthorised ownership of online accounts using stolen usernames and passwords. Criminals then gain credentials to a credit card or loyalty rewards programme and try to redeem the victim’s points for gift cards and cash, using online gift card exchange services.

Once a bot has confirmed that a stolen account works and isn’t blocked by a retailer or website, it then uses an existing gift card balance or buys new gift cards using the account information.
The growing trend of malicious bot activity

More purchases will likely be made online this holiday season as people stay away from physical shops due to the pandemic. That trend is expected to fuel a further increase in these bot-driven types of fraud.

There has been an 820% increase in digital gift card fraud since March 2020, according to cyber security firm PerimeterX. And experts predict gift card fraud will be worth $600 billion by 2026, up from $381 billion in 2020.

When you consider a post-holiday spending report by Blackhawk Network – which found that close to 20% of US holiday gift card sales in 2019 came from digital gift cards – you can see the attraction for cybercriminals.

In addition, this type of fraud doesn’t require bank accounts or traceable fund transfers. And it’s hard to detect, due to the botnets being highly distributed and using multiple IP addresses and different devices. The large number of IP addresses also helps criminals bypass bot protection methods, such as CAPTCHA.
How to avoid gift card fraud

Many companies – Adidas, Amazon, Apple, Google, McDonald's, Nike and Starbucks, to name a few – have already spent huge amounts of money to investigate incidents related to gift card theft.

But e-commerce players can take additional steps to reduce the risk of gift card fraud. These include creating complex card numbers, which reduces the chance of a number being guessed correctly. Another strategy is to pay closer attention to advanced automated threats by monitoring application traffic patterns on digital gift card pages.
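
The traffic-pattern monitoring described above, sketched as an added example (not Variti's code and not part of the original article): balance-check requests are grouped by time window and card-number prefix instead of by IP address, so guessing spread across many proxies still stands out. The log fields, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

def make_sample():
    """Constructed events: (epoch_s, client_ip, card_number, found)."""
    events = []
    # Legitimate customers checking their own valid cards.
    for i in range(5):
        card = f"6035{71000000 + i * 7919:08d}"
        events.append((1000 + i * 50, f"198.51.100.{i}", card, True))
    # Distributed guessing: 60 lookups, one per proxy IP, all near one
    # known card number; a single guess (i == 42) happens to be valid.
    for i in range(60):
        events.append((1200 + i * 3, f"203.0.113.{i}", f"60359912{i:04d}", i == 42))
    return events

def max_requests_per_ip(events):
    """What a per-IP rate limit sees: the busiest single address."""
    counts = defaultdict(int)
    for _, ip, _, _ in events:
        counts[ip] += 1
    return max(counts.values())

def find_cracking_windows(events, window=300, prefix_len=8,
                          min_requests=30, max_hit_ratio=0.1):
    """Flag (time window, card prefix) buckets with many lookups and few hits."""
    buckets = defaultdict(lambda: {"total": 0, "hits": 0, "ips": set()})
    for ts, ip, card, found in events:
        b = buckets[(ts // window, card[:prefix_len])]
        b["total"] += 1
        b["hits"] += int(found)
        b["ips"].add(ip)
    alerts = []
    for (win, prefix), b in sorted(buckets.items()):
        if b["total"] >= min_requests and b["hits"] / b["total"] <= max_hit_ratio:
            alerts.append({"window_start": win * window, "prefix": prefix,
                           "requests": b["total"], "hits": b["hits"],
                           "distinct_ips": len(b["ips"])})
    return alerts

if __name__ == "__main__":
    sample = make_sample()
    print("busiest IP sent", max_requests_per_ip(sample), "request(s)")
    for alert in find_cracking_windows(sample):
        print("possible card cracking:", alert)
```

In the constructed sample no address sends more than one request, so a per-IP threshold never fires, while the prefix bucket shows 60 lookups with a single hit.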

E-commerce businesses can also deploy technology specifically designed to combat bot-based threats.

Variti’s comprehensive bot protection solutions overcome the issue of multiple IP addresses by blocking malicious automated requests, rather than blocking IP addresses. We also provide real-time protection to stop fraudsters in their tracks by tracking patterns rather than collecting data.
To understand more about how automated attacks can affect your business and how Variti solutions can help you combat them, get in touch today.