You might be forgiven for thinking that cybercrime is almost exclusively ransomware and cryptocurrency these days.
In a ransomware attack, crooks usually blackmail you into sending them cryptocurrency in return for returning your stolen data to you (or not reselling it to someone else).
During a cryptocurrency attack, crooks usually take your cryptocurrency for themselves, perhaps by exploiting a bug in the trading software you are using, or by stealing your private keys so that they have direct access to your cryptocurrency wallet.
This type of crime sometimes involves amounts reaching tens of millions of dollars, or even hundreds of millions of dollars, in a single attack.
But gift card fraud still occupies a nerve-wracking niche in the cybercrime ecosystem, where crooks trade gift cards that you paid for, either because you were convinced those cards were for something else, or because the crooks had temporary access to one of your online accounts, which allowed them to purchase gift cards at your expense.
Indeed, the US Department of Justice this week announced the indictment of four suspected gift card fraudsters, and alleges that these four ended up with more than 5,000 fraudulently obtained cards to spend on themselves.
This type of crime might not reach the stratospheric financial territory of ransomware criminals, or the truly cosmic amounts seen in cryptocurrency attacks …
… but if we reasonably assume an average of $200 per gift card (we know that in many scams, scammers walk away with more than that on each card), we’re still looking at $1,000,000 of ill-gotten gains in that one court case alone.
And the people losing money in these scams are not multinational corporations, cyber insurers, or mega-companies with the financial reserves to overcome them.
The victims here are almost always people like you, or your grandmother, or your favorite aunt, or your innocent and well-meaning friends.
Gift cards – always for someone else
Buying or acquiring gift cards with someone else’s money is a sneaky trick, as gift cards are usually meant to be sent to someone else rather than being delivered to the buyer.
Cybercriminals who have had a few minutes of access to the online account you have at your favorite consumer goods retailer, for example, might not be able to make much money out of you by directly ordering a bunch of new smart televisions or game consoles.
Of course, scammers love products like this because they are easy to “return” as used items on e-commerce sites. (We’ve heard scam artists brag about being able to “sell” popular items like phones and widescreen TVs online before stealing them, which not only matches supply with demand, but also helps to minimize the time they have to “hold” eye-catching items.)
But blindly ordering such products online using someone else’s account leaves crooks with a tricky problem: how to deliver?
If the delivery service only delivers items to the address the card is registered to, the crooks have to hang around your property in the hope of intercepting the delivery before you notice it yourself and realize that something is going on.
If the delivery service accepts alternate addresses, crooks are still forced to use a location where they can be caught in the act of acquiring goods that they cannot reasonably account for.
Gift cards, however, are meant to be purchased by person X and then passed, usually electronically, to recipient Y for them to spend as they see fit, maybe even in another country.
These days you usually get a “here’s a gift for you” email with a magic code or web URL that you can use to redeem the card, in the hope that you will spend it on yourself, online or at a store of your choice in a location convenient for you.
Gift card fraudsters and how they work
Indeed, some homemade cybergangs seem to specialize in gift card scams, such as the group that the Sophos Rapid Response team encountered in the run-up to Christmas last year.
In this scam, crooks broke into a corporate network, but rather than scouring servers for data to steal or automatically launching ransomware across the network, they logged in manually but systematically, computer after computer, as end user after end user.
As they tried each computer, they would launch the local user’s browser to check whether the user had left themselves logged in to their email account.
If so, the crooks attempted to gain access to a wide range of probable personal accounts for that user, either by logging in directly because the user had not logged out of those accounts either, or by immediately resetting the password and capturing the response via the already-compromised email account.
Then, for each user, hundreds in total, the scammers attempted to buy gift card after gift card, for which they needed to provide little more than an email address for the recipient of the “gift”.
Fortunately, in this case, few of the hacked users left credit card details in the files of the involved e-commerce sites, so the crooks didn’t get away with much …
… and so the scam was uncovered (and Sophos Rapid Response called in) because many users noticed suspicious unfinished purchases in their virtual shopping carts and sounded the alarm.
Romance scammers also like to arrange gift card “payments”, luring their victims – who have often been tragically tricked into believing they have found a real friend, or even their future spouse, via a fraudulent profile on a dating site – to hand over their money this way.
Asking for gift cards undoubtedly seems more intimate, and perhaps less broadly tied to fraud in the minds of victims, than the old-fashioned approach of demanding cash paid through a bank transfer service.
LEARN MORE ABOUT ROMANCE SCAMMERS
What happens to gift cards?
In this recent DOJ indictment, the scam was operated using the kind of network of “affiliates” or “associates” that commonly crops up in modern cybercrime, everywhere from malware-as-a-service gangs to cell phone crooks.
The DOJ alleges that:
[Three of the defendants] obtained over 5,000 gift cards from a group known as the “Magic Lamp”. [These defendants] distributed gift cards to “runners” such as [the fourth defendant], who used the funds on the cards at Target stores in Los Angeles and Orange County and elsewhere to purchase, among other items, consumer electronics and other gift cards. Through purchases, returns, and other transactions at multiple Target stores, the defendants and their co-conspirators sought to cover up the fact that the gift cards were originally funded with fraudulent products. [. . .]
[The perpetrators] prompted the victims to send the proceeds to the defendants’ associates, and the defendants then conspired to launder the proceeds.
What to do?
If you haven’t watched our romance scammers video above, please do – not only to keep you from being tricked by fake, golden-tongued friends, but also to learn some tips on how to approach any friend or family member who gets sucked in by these manipulative criminals.
“Send me a gift” scammers are not only adept at separating their bogus lovers from their money, but they are also well practiced at teaching their victims how to dismiss any suggestion from their real friends that they are part of a fraud.
In some cases, this ultimately results in the victim not only being deprived of money, but alienated from friends and family as well.
And never use gift cards as a payment option for non-personal matters, no matter how convincing the person on the other end may seem about how gift cards are a convenient way to save time, avoid bank charges, speed up payments, bypass possible corruption in a specific government office, or any of the many common excuses given by crooks.
In the words of acting American lawyer Tracy Wilkison of California:
This case provides an important reminder to consumers that gift cards are for friends and loved ones – they should never be used for payments to a government or business. Don’t be fooled by callers claiming to be from a government agency, bank, or any other institution requiring you to purchase gift cards. There is no reason to buy a gift card to resolve an issue with an account, your Social Security number, or a suspected criminal matter.
This advice seems so obvious when written in simple English, but remember that if you or one of your more vulnerable friends or family members make a habit of talking to one of these con artists’ “associates” on a regular basis, it is easy to end up giving in to their flattery when they act with love, or to feel threatened when they build up the verbal pressure.
This kind of scammer works this kind of crime all day, every day as if it were a regular job, so you can be sure that they not only have the gift of the gab, but that they also know all the social engineering tricks that lure people into doing things they usually never would.
Simply: if in doubt, do not give it away.