Gift cards appeal to threat actors because they can use them for four general purposes:
1. Use the stolen balance for personal purchases
2. Convert gift cards into cash on dedicated platforms
3. Sell the gift cardholder’s information (user name, password, serial number, PIN)
4. Use the account balance to buy gift cards and sell them on secondary markets
Threat actors can procure valid gift cards in several ways, such as scamming, phishing, and data breaches. However, in this article, we examine how underground actors illicitly create working gift cards using automated hacking tools called generators and checkers, which are widely available on the underground.
Generators and checkers are widely available on underground forums, each targeting a specific brand. Our research shows that the most-mentioned targets of automated hacking tools are also popular consumer services: Amazon, Netflix, PayPal, Spotify, and Sony (see figure 1).
Figure 1: Companies most targeted by gift card hacking tools since the beginning of 2020
Tools & Methods
Let’s take a closer look at these tools. Generally, actors share them for free in underground forums and markets and design them to be simple to use. They often include tutorials, tips, and methods.
Gift Card Generators
Card generators are shared individually or as a component of a broader cracking package. They generate a unique gift card number that may contain preloaded funds. Even if a gift card isn’t yet activated, the moment it is, the threat actor possessing the card’s number will be the first to gain access to the gift card’s value.
A gift card generator can administer cards of a single retailer (see Figures 4 & 7) or several (Figures 2 & 3). Each retail business is unique, with different numbers representing the card’s ID.
Figure 2: Gift card multi-platform generator
Figure 3: Multiple gift card generator
Figure 4: Steam wallet gift card generator
Actors often post Virustotal links of the shared tool (see figure 5). The card generator (figure 1) was detected and labeled as malicious by 44 security vendors, proving the tool's legitimacy and capabilities to threat actors.
Figure 5: Shared Virustotal link of a gift card generator
The quantity of gift card numbers that can be generated is essentially limitless. However, the challenge is to check and validate them to see which works.
Gift Card Checkers
Threat actors use gift card checkers for validating generated (or stolen) card numbers.While each retailer offers the ability to check gift card balances, it’s not feasible to do this manually by the thousands. Therefore, it is preferable to use an automated checker.
Gift card checkers are usually part of a package of carding tools available on the underground. Often, checkers can also be included with generators, so the entire process is completed in a single step (see figure 6).
Figure 6: Gift card checker combined with card generator
Figure 7: Amazon Gift card generator + checker package
Gift card generators and checkers are a problem for both retailers and consumers. These tools may generate cards worth thousands of dollars, siphoning money from consumers and businesses and impacting overall trust in gift cards.
Consumers should check their gift card balance regularly and report any suspected fraudulent activity to the relevant retailer.
Retailers and gift card issuers, meanwhile, should monitor the tools available on the underground so they can create countermeasures. They should use more complex codes to prevent generators from enumerating the numbers, and they should implement controls to detect and block checkers from validating a large quantity of codes. Furthermore, they should monitor their gift cards' internal traffic to detect unusual expenses, locations, multiple cards held by one customer, and other activities that indicate fraudulent activity.