AirBnB, Amazon, American Airlines, Chipotle, Dunkin Donuts, Nike, Marriott, Target, Subway, and Walmart all have something in common. A database of these companies’ gift cards, as well as many others, was hacked and sold online.
The auction’s starting price was $10,000, with a buy-now price of $20,000. Others quickly snapped up these gift cards and re-posted them for sale online.
The next day, the same threat actor advertised 330,000 credit and debit cards for sale, with a starting price of $5,000 and a buy now price of $15,000. The database is thought to have contained the victims’ credit card details, including the card number, expiration date, and bank name.
The CVV and names of the cardholders were not included in the database. The data for gift cards and payment cards was sold in a matter of days.
The overall value of the gift cards sold online is estimated to be in the region of $38 million!! Gemini researchers discovered this hack in February 2021. A well-known Russian hacker has been linked to the attack. About 895,000 gift card numbers were stolen from 3,000 businesses.
The hacker is thought to have attacked Cardpool.com, an online gift card retailer, between February 4th and August 4th, 2019. Cardpool.com was a gift card platform where people could sell their unused gift cards and others could purchase them.
Owing to the pandemic, Cardpool.com has now shut down, with the website stating, “We tried our best to outlast the pandemic, but unfortunately, we couldn’t make it to the end.” The website received over 300,000 monthly visitors while it was online, the majority of which were from the United States.
This isn’t the first time that cybercriminals have targeted websites that sell gift cards. Cybercriminals would buy gift cards with stolen credit cards and then sell them to Cardpool.
If a bank discovers that a gift card was purchased with a stolen credit card, it will contact the merchant bank or gift card vendor who issued the card and request that the gift card be invalid. Unfortunately, this procedure can be time-consuming and inconvenient, making it an uncommon occurrence and giving cybercriminals more time to carry out their scheme.
The cybercriminal would have pocketed the profit from Cardpool.com after selling the gift card on a website like Cardpool, and the seller who sold the gift card to the cybercriminal would be stuck paying the chargeback.
Cardpool will theoretically have to reimburse the consumer who purchased the now-voided gift card, but the BBB reported that the shop often refuses to refund scammed customers.
This hack reveals a number of things, including how easily hackers can target a website and gain access to card data, as well as the various prices and demand for each form of card. It also emphasises that the hackers move quickly to cash out the stolen cards, taking their scheme to a successful conclusion.