Gift card hack exposed – you pay, they play – Naked Security
Thanks to Bill Kearney of Sophos Rapid Response for his work on this article.
If you’ve read the recent Sophos 2021 Threat Report, you’ll know that we deliberately included a section about all the malware out there that isn’t ransomware.
Sure, ransomware understandably hogs the media headlines these days, but cybercriminality goes way beyond ransomware attacks.
Indeed, as we’ve noted before, many ransomware incidents happen due to other malware that infiltrated your network first and brought in the ransomware later on.
In fact, many network intrusions don’t involve malware at all, because cybercriminals have plenty of other ways of bleeding money out of your users, your company, or both.
Here’s an example that the Sophos Rapid Response team came across recently – an opportunistic network intrusion that was much less sophisticated than a typical ransomware or data-stealing attack, but dangerous and disconcerting nevertheless.
Worse still for the employees of the business, these crooks weren’t specifically after the company as a whole, but seemed to attack the network simply because it represented a convenient way of hacking away at lots of individuals at the same time.
Very simply put, the crooks were after as many accounts as they could access to buy as many gift cards as they could as quickly as possible.
As you probably know, gift cards that you purchase online are typically delivered by email to a recipient of your choosing as a secret code and a registration link.
So, receiving a gift card code is a bit like getting hold of the number, expiry date and security code from a prepaid credit card – loosely speaking, whoever has the code can spend it.
Although gift cards are meant to be used by the intended recipient only – they’re not supposed to be transferable – there’s not much to stop the recipient allowing someone else to use them if they choose, and that means they can be sold on the cybercrime underweb.
And for all that a $200 gift voucher, sold illegally online for, say, half its face value, doesn’t sound like much…
…crooks with access to a whole company’s worth of users – in this story, the company’s VPN supported about 200…