Software analysts track gift cards in BEC attacks
A gift card is a form of payment that anyone can use to make purchases online or in person at shopping malls, retail stores, gas stations and other locations where gift cards are accepted. Gift card scams work like other types of business email compromise (BEC) scams: the attacker impersonates a company executive to convince an employee to make wire transfers or carry out some other financial fraud.
Based on data collected from consumers across the globe, we know that after gift cards are stolen they are sold locally or online through gift card exchanges. Gift cards can be bought locally for approximately 50% of their original value, depending on the location, while many virtual gift cards are sold for 80-85% of the original cost. Many of the gift cards sold online are traded for Bitcoin, Ethereum, or other digital currencies on cryptocurrency exchanges.
What are the relationships between BEC and gift cards?
According to an FBI report in May, the total amount lost worldwide to BEC scams grew by 65% from July 2019 to December 2021, amounting to $43 billion. As security professionals, law enforcement, and corporations upgrade their defences against these methods, attackers constantly add new fraud schemes to their operations. While many of these scammers work in small groups, many are also a part of larger organised crime organisations, transnational gangs, and criminal networks.
Since then, the attackers have expanded the scam to include payslip redirection, bill fraud, and check fraud. Once an unsuspecting victim has taken the bait and responded to the scammer, they are asked to go to a local store to purchase gift cards, often worth $100 or $500.
An analyst at Cofense decided to track gift cards across 54 active Business Email Compromise (BEC) attacks to see how they were being used. The analysts recently conducted a five-week experiment to gain deeper insight into how scammers use gift cards in BEC attacks.
In a post on the company's security blog, author Ronnie Tokazowski described how the email security company bought trackable $500 gift cards to see what scammers were doing with them. Cofense staff used those gift cards to participate in 54 live BEC attacks over a five-week evaluation period to see what they could uncover from their participation.
Analysts expressed surprise at how quickly scammers moved the money: every card they handed over was stolen, resold, and used for purchases within 24 hours.
The analysts also discovered that although many scammers eventually accepted Cofense's trackable cards, many initially asked for brand-specific cards such as Apple, Steam, or Google Play.
In one entry of note, an engagement took place between a scammer calling himself "David Johnson" and staff at Cofense. The scammer told them that a client needed iTunes gift cards for a total of $1,000. David instructed them to gently scratch off the back of each card, take a picture of the cards after purchasing them, and email a clear picture to the client at a different Gmail account under the name "Lim."
At this point, staff at Cofense checked the email thread and noticed that the name on the Gmail account, "Lim," differed from the name the scammer had given them (David). They tried to convince the scammer that all the stores were sold out of iTunes cards and offered to buy Amazon, iTunes, or Google Play gift cards instead. David still insisted on getting iTunes gift cards online.
They finally convinced David that they had cash, and the scammer agreed that he would also accept Visa cards. They successfully sent $25 to David. He asked whether bitcoin vendors were available in the area, since only $25 of the $1,000 had been sent. He then asked them to load the $25 card with the remaining $900, which led to the end of the conversation.
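The engagement above shows the signals a defender can look for in a gift-card BEC lure: an executive's name used as the sender display name on a freemail address, a request for branded gift cards, instructions to scratch the cards and email photos, and a contact name ("Lim") that differs from the claimed sender ("David"). The following is an added example, not Cofense's code or tooling, that scores a message on those signals; the executive name, addresses, message bodies and threshold are constructed assumptions for illustration.

```python
"""Heuristic scoring of gift-card BEC lures (added example, not Cofense's code)."""
import re
from email.utils import parseaddr

# Hypothetical executive roster an organisation would protect from impersonation.
PROTECTED_NAMES = {"david johnson"}
# Common freemail domains; the article's scammer used a Gmail account.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
THRESHOLD = 4  # assumed cut-off for "likely gift-card BEC"

BRAND_RE = re.compile(r"\b(itunes|apple|steam|google play|amazon)\b", re.I)
CARD_RE = re.compile(r"\bcards?\b", re.I)
SCRATCH_RE = re.compile(
    r"scratch(?:ed|ing)?\s+(?:off\s+)?the\s+back|clear picture|take a picture|photo of", re.I
)
AMOUNT_RE = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*)")


def _name_and_domain(header: str) -> tuple[str, str, str]:
    """Split an RFC 5322 address header into (display name, address, domain), lower-cased."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), addr.lower(), domain


def score_message(msg: dict) -> tuple[int, list[str]]:
    """Return (score, reasons) for a dict with 'from', optional 'reply_to', and 'body'."""
    score, reasons = 0, []
    from_name, _, from_domain = _name_and_domain(msg.get("from", ""))
    reply_name, _, _ = _name_and_domain(msg.get("reply_to") or msg.get("from", ""))
    body = msg.get("body", "")

    # 1. Executive impersonation: protected name as display name on a freemail domain.
    if from_name in PROTECTED_NAMES and from_domain in FREEMAIL_DOMAINS:
        score += 3
        reasons.append("executive display name on freemail address")
    # 2. Brand-specific gift cards requested (Apple, Steam, Google Play, iTunes ...).
    if BRAND_RE.search(body) and CARD_RE.search(body):
        score += 2
        reasons.append("branded gift card request")
    # 3. Scratch-off / photograph-the-cards instructions.
    if SCRATCH_RE.search(body):
        score += 2
        reasons.append("scratch-off or card photo instruction")
    # 4. The account the cards go to carries a different name than the claimed sender.
    if reply_name and from_name and reply_name != from_name:
        score += 1
        reasons.append("reply name differs from sender name")
    # 5. Round dollar amounts typical of the scripts ($100, $500, $1,000 totals).
    amounts = [int(a.replace(",", "")) for a in AMOUNT_RE.findall(body)]
    if any(a >= 100 for a in amounts):
        score += 1
        reasons.append("cash amount requested")
    return score, reasons


def is_gift_card_bec(msg: dict) -> bool:
    return score_message(msg)[0] >= THRESHOLD


# Constructed sample messages modelled on the engagement in the article.
SAMPLE_LURE = {
    "from": "David Johnson <ceo.office.example@gmail.com>",
    "reply_to": "Lim <lim.client.example@gmail.com>",
    "body": ("I need you to buy iTunes gift cards for a client, total $1,000. "
             "Gently scratch off the back of each card, take a picture of the cards "
             "and email a clear picture to the client."),
}
SAMPLE_BENIGN = {
    "from": "David Johnson <david.johnson@corp.example>",
    "body": "Can you check the status of our Amazon order for the office printer?",
}

if __name__ == "__main__":
    for label, msg in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        s, why = score_message(msg)
        print(f"{label}: score={s} flagged={is_gift_card_bec(msg)} reasons={why}")
```

The weights are deliberately simple: the impersonation signal alone (score 3) is the classic "are you at your desk?" opener and is worth monitoring, while the gift-card specifics push a message over the threshold. In a mail gateway this would complement, not replace, DMARC checks and display-name impersonation rules.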
In this gift card transaction, an unknown person purchased $25 worth of products from GivingLi, a greeting and gift card company. There was no record of, or visibility into, what product was purchased, but it is well known that fraudsters and scammers send cards and flowers to romance their victims and keep them engaged in the conversation for longer periods.
When this research began, there was no idea where it would lead. Using gift cards to make purchases on Amazon appeared to be a routine expense, but discovering fake items being sold in Myanmar, digital greeting cards, businesses that don't seem to exist, and transactions with energy firms was not something the team had anticipated.
When it comes to what happens to gift cards taken in BEC attacks, a lot of intriguing things came up, with many more questions than answers.
Counterintuitively, persuading the swindlers to accept the trackable gift cards was particularly challenging. Anything that departed from their pre-written scripts, which called for $100 denominations, seemed to confuse them. The scammers also paid close attention to the timing of the receipts and were very cautious not to use cards that fell outside the normal time frame for use.