What do the likes of AirBnB, Amazon, American Airlines, Chipotle, Dunkin Donuts, Nike, Marriott, Target, Subway, and Walmart, have in common? Well, a database of the gift cards of these companies along with several others was hacked and sold online.
The starting price for the auction was $10,000 with a buy-now price of $20,000. These gift cards were promptly snatched up by others and posted for sale online once again.
The same actor, the next day, offered to sell 330,000 credit and debit cards as well, with a starting price of $5,000 and a buy now price of $15,000. It is believed that the database contained the victims’ card details including the card number, expiration date, and bank name.
The data, however, did not contain the CVV and the card holders’ names. The data regarding the gift cards and payment cards were sold within a few days.
It is believed that the total value of the gift cards sold online amounted to a massive $38 million!! This hack was discovered in February 2021, by Gemini researchers. The hack has been linked to a reputable Russian hacker. More than 895,000 gift card details were stolen across 3,000 companies.
It is believed that the hacker had targeted online gift card shop, Cardpool.com, between 4th February 2019 and 4th August 2019. Cardpool.com operated as a gift card marketplace where individuals could sell unwanted gift cards to the shop and others could buy them.
Cardpool.com has now shut down due to the pandemic and a visit to the website reads “We tried our best to outlast the pandemic, but unfortunately, we couldn’t make it to the end.” While the website was active it had no fewer than 300,000 monthly visitors, the majority of whom were from the USA.
This act of Cybercriminals targeting websites selling gift cards is not something new. Cybercriminals would use stolen payment cards to purchase gift cards and then sell the gift cards to Cardpool.
If a bank were to determine that the gift card had been purchased with a stolen payment card, they could connect with the merchant bank or gift card vendors that issued the gift card and request they void the gift card. Unfortunately, this process can prove cumbersome and time-consuming, making it a rare occurrence and granting cybercriminals a wider time window to pull off their scheme.
Apparently after selling the gift card on a marketplace like Cardpool, the cybercriminal would have already pocketed the profit from Cardpool.com, and the merchant that sold the gift card to the cybercriminal would be stuck paying the chargeback.
Theoretically, Cardpool would then also need to pay back the customer who bought the now-voided gift card but, according to the BBB, the shop frequently refused to refund scammed customers.
This hack brings to light quite a few things, namely, how easily hackers can target a website and access details of cards, and the different rates and demand for each type of card. It also highlights that the hackers act with speed to cash out the stolen cards, thus bringing their venture to a fruitful end.