Hooded Hacker
The dark web marketplaces are often a hive for criminal activity iStock

Cybercriminals operating on the dark web have reportedly developed a fresh way of conducting gift card fraud by using automated bots to scour the web and locate legitimately-issued cards that remain unused, security researchers have found.

The sale of gift cards has long existed on dark web marketplaces, often used to by hackers to "cash out" after stealing financial information. "Carded" gift cards – those purchased with stolen financial details – are typically sold for a fraction of their real-world value.

According to fresh analysis from Flashpoint, a cybersecurity firm, the latest methods are driving the costs of stolen card data down to as little as 5% of their proper worth as dark web vendors struggle to complete for the attention of potential buyers.

Flashpoint researchers said they have witnessed a spike in dark web chatter using the terms "cracking" and "gift cards" since 2015, when businesses around the world started disrupt cybercrime enterprises by bulking up the security around "carded" plastic.

To get around this, hackers found that automated bots could be used to crack the numbering conventions used by each gift card issuer – be it Amazon, eBay or iTunes.

Using either the legitimate websites' search function or one of the many third-party services that allow users to check card balances, hackers could use such bots to check millions of accounts at once and single out those which still contain money.

This is able to work because most gift card balance checking websites require users to enter full gift card numbers before providing results. Flashpoint said that while it may appear these are protected, hackers can easily bypass their security.

ITunes Gift Card
ITunes Gift Card Apple

In most cases, once an actor identifies a gift card with a balance, they will sell the card's information on the dark web as an "eGift card", Flashpoint said. Once recent bot, uncovered by Distil Networks to be targeting over 1,000 websites, was dubbed GiftGhostBot.

Upon analysis, it had the capability of checking the websites in search of the unused gift cards containing balances. "For a cyber thief, the beauty of stealing money from gift cards is that it is typically anonymous and untraceable once stolen", Distil's experts said.

"Cybercriminals' continued interest in gift card fraud aligns with a common practice among many gift card issuers: the prioritisation of user experience and profits over security," wrote Olivia Rowley, intelligence analyst at Flashpoint, in the analysis published this week (3 May).

The firm claimed the "rising frequency and relative ease" of fraud have forced dark web markets to react. The majority of vendors typically slash prices to 30% of face value, though cybercriminals are now attempting to undercut competition by selling them for much lower.

"Unlike bank-issued credit and debit cards, gift cards are not held to strict anti-fraud standards, which means that many gift cards may lack common-yet-effective security features aimed to help combat fraud," Rowley said.

She continued: "It is also crucial to recognise that many gift card balances remain unclaimed long after being purchased — a fact that further incentivises businesses to continue to market and sell less-secure gift cards despite their rising susceptibility to fraud.

"Consumers of gift cards should recognise that inconsistent security measures among many gift card issuers have made instances of gift card fraud increasingly common."