A cyber-criminal enterprise is mass-testing millions of usernames & passwords per day in a hunt for loyalty card data.
Threat actors are compromising up to 100,000 inboxes daily in a campaign that targets gift card & customer-loyalty program data in hopes of reselling it or cashing in on freebies, a security researcher has found.
The actors behind the scam—outlined in a post by Brian Krebs on Krebs on Security—have been “mass-testing millions of usernames & passwords against the world’s major email providers each day” for the past 3 years, according to the post.
“Some of the most successful & lucrative online scams employ a ‘low-&-slow’ approach — avoiding detection or interference from researchers & law enforcement agencies by stealing small bits of cash from many people over an extended period,” Krebs noted in the post.
According to an anonymous source Krebs calls “Bill,” the group tries to authenticate between 5-10m email username/password combos daily, with only about a .1% strike rate—which still means the actor “comes away with anywhere from 50,000 to 100,000 working inbox credentials,” he wrote.
While you might think that “whoever is behind such a sprawling crime machine would use their access to blast out spam, or conduct targeted phishing attacks against each victim’s contacts,” that’s not what’s happening, Krebs wrote.
Large E-Mail Providers
“Based on interactions that Bill has had with several large email providers so far, this crime gang merely uses custom, automated scripts that periodically log in & search each inbox for digital items of value that can easily be resold,” he stated.
Moreover, their primary focus seems to be to steal the “low-hanging fruit” of gift-card data, which amounts to “cash in your inbox,” Bill told Krebs.
“Whether it’s related to hotel or airline rewards or just Amazon gift cards, after they successfully log in to the account their scripts start pilfering inboxes looking for things that could be of value,” the researcher told Krebs, according to the post.
Growing Target for Hackers
The campaign appears similar to one identified in 2018, in which two teens were arrested for using dictionary attacks against millions of inboxes in an effort to crack them open & steal rewards points to make purchases & sell account credentials on illicit markets.
The exploitation of rewards-points programs is a growing criminal enterprise, especially for accounts associated with travel, according to a Flashpoint 2018 analysis. As previously reported, researchers have been tracking a number of small specialty shops in the Russian-language underground specialising in rewards-point abuse.
Most of these stores are advertising access to the login credentials of customer accounts for travel & hospitality rewards programs. Flashpoint observed there is a relatively high demand for these kinds of logins.
According to the Krebs report on the most recent incident, the anonymous source Bill observed that about half of the cases of stolen credentials in the current campaign leveraged the email standard Internet Message Access Protocol (IMAP) to crack accounts open.
IMAP, the email standard used by email software clients like Mozilla’s Thunderbird & Microsoft Outlook, checks the email credentials to see if they are legitimate.
The threat actors use automated systems to log in to each inbox & search for a variety of domains & other terms related to companies that maintain loyalty & points programs, issue gift cards & handle their fulfilment.
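One way a mail provider could look for the behaviour described above, as an added example that is not from the Krebs post or this article: it flags IMAP sessions that sweep an inbox for several loyalty or gift-card terms within seconds. The log format, watchlist & thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed watchlist of generic terms; a real one would be tuned per provider.
WATCH_TERMS = {"gift card", "reward", "loyalty", "points", "voucher"}

# Constructed audit lines in a hypothetical format:
# <time> <session> <src-ip> <user> <command> [args]
SAMPLE_LOG = """\
2021-05-01T02:11:07Z s1 203.0.113.7 alice@example.com LOGIN ok
2021-05-01T02:11:08Z s1 203.0.113.7 alice@example.com SEARCH TEXT "gift card"
2021-05-01T02:11:08Z s1 203.0.113.7 alice@example.com SEARCH TEXT "reward points"
2021-05-01T02:11:09Z s1 203.0.113.7 alice@example.com SEARCH FROM "loyalty"
2021-05-01T08:30:00Z s2 198.51.100.4 bob@example.com LOGIN ok
2021-05-01T08:30:02Z s2 198.51.100.4 bob@example.com FETCH 1:20
2021-05-01T08:30:40Z s2 198.51.100.4 bob@example.com SEARCH SUBJECT "voucher"
2021-05-01T09:00:00Z s3 203.0.113.9 carol@example.com LOGIN fail
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) ?(.*)$")

def flag_harvest_sessions(log, min_terms=3, max_seconds=60):
    """Return sessions that searched for >= min_terms distinct watchlist
    terms within max_seconds, i.e. a scripted keyword sweep of one inbox."""
    sessions = defaultdict(lambda: {"terms": set(), "times": []})
    for line in log.splitlines():
        m = LINE.match(line)
        if not m or m.group(5) != "SEARCH":
            continue
        ts, sid, src, user, _, args = m.groups()
        quoted = " ".join(re.findall(r'"([^"]*)"', args)).lower()
        s = sessions[sid]
        s.update(user=user, src=src)
        s["terms"] |= {t for t in WATCH_TERMS if t in quoted}
        s["times"].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    flagged = []
    for sid, s in sessions.items():
        span = (max(s["times"]) - min(s["times"])).total_seconds()
        if len(s["terms"]) >= min_terms and span <= max_seconds:
            flagged.append({"session": sid, "user": s["user"], "src": s["src"],
                            "terms": sorted(s["terms"])})
    return flagged

if __name__ == "__main__":
    for hit in flag_harvest_sessions(SAMPLE_LOG):
        print(hit)
```

Because the campaign is spread thinly across many accounts, this check keys on what happens inside one mailbox session rather than on login volume per source address.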
Gift Card Number
These reward programs are attractive because the accounts can be cleaned out & deposited onto a gift card number that can be resold quickly online for 80% of its value, Bill told Krebs, according to the post.
“These guys want that hard digital asset — the cash that is sitting there in your inbox,” Bill explained. “You literally just pull cash out of people’s inboxes, & then you have all these secondary markets where you can sell this stuff.”
Gift Card Benefits
Threat actors will even use the credentials to seek new gift card benefits on behalf of victims, if that option is available, he mentioned.
Victims of the scam were found on “nearly all major email networks,” with several large ISPs in Germany & France being targeted in particular, according to the post.
While the scam may seem a bit strange, one security expert stated it’s the natural culmination of several trends.
As security solutions & protections to combat payment fraud improve, cyber-criminals have to find cleverer ways to make money from online scams, outlined Uriel Maimon, Senior Director of Emerging Technologies at web-app security provider PerimeterX.
Finding approaches that are several steps away from the initial point of exploitation also helps them cover their tracks & exploit trusted relationships between online commercial partners, he commented.
“As IT ecosystems get more connected, people are using their social & email providers to log into other sites, & sites are ‘trusting’ email addresses as ‘safe,’” Maimon explained.
“The fraud can be at the end of the funnel — that is, the exploitation happens elsewhere — in this case the email provider — but the damage is done on an unrelated site where the gift card is redeemed.”
The gift-card scam “underscores the fact that everything is connected in security,” and that organisations should think beyond merely monitoring for payment fraud to ensure online transactions are secure, he concluded.