E-Gift Card Bots – A Deep Dive

How does an e-gift card attack happen and what can you do to protect against them?

In our previous blog, we talked about e-gift card bot attacks, what they are and what drives them. In this blog, we will elaborate on the anatomy of an attack, including an inside look into what tools and techniques are used. We will also discuss how to protect your web and mobile applications from these attacks.

In the last blog, we discussed two main types of e-gift card attacks: e-gift card cracking and account takeover (ATO) based e-gift card attacks. When comparing these, we’ve seen that ATO based e-gift card attacks are both more common and have better success rates than cracking attacks. This success rate also has something to do with the recent total increase in ATO attacks during the COVID19 pandemic, such as the attack on Tesco, and massive data breaches on services that became more popular during this time, such as Nintendo and Zoom. These attacks are also usually harder to detect and are more dangerous, since they are conducted by experienced and sophisticated cybercriminals.

Cybercriminals who conduct e-gift card attacks are usually very knowledgeable and experienced black-hat hackers who are familiar with a wide variety of tools and techniques. These tools make them more efficient and harder to detect and block. Let’s look into some of the tools and methods they use for these attacks.

(Disclaimer: These attacks are illegal and we do not condone them. The following details are intended to aid in attack mitigation.)

Anatomy of ATO based e-gift card attacks

Sponsorships Available

Sponsorships Available

Sponsorships Available

Most e-gift card attacks launch an ATO attack first to ensure success. Here is the typical anatomy of such attacks:

First, the attackers acquire a decent combo-list of usernames and passwords, preferably validated, and (Read more...)