Gift card hack exposed – you pay, they play – Naked Security
Source: https://nakedsecurity.sophos.com/2020/11/24/gift-card-hack-exposed-you-pay-they-play/ (retrieved 5/7/2021)
by Paul Ducklin
Thanks to Bill Kearney of Sophos Rapid Response for his work on this article.
If you’ve read the recent Sophos 2021 Threat Report, you’ll know
that we deliberately included a section about all the malware out
there that isn’t ransomware.
Worse still for the employees of the business, these crooks weren’t
specifically after the company as a whole, but seemed to attack
the network simply because it represented a convenient way of
hacking away at lots of individuals at the same time.
Very simply put, the crooks were after as many accounts as they
could access to buy as many gift cards as they could as quickly as
possible.
As you probably know, gift cards that you purchase online are
typically delivered by email to a recipient of your choosing as a
secret code and a registration link.
So, receiving a gift card code is a bit like getting hold of the
number, expiry date and security code from a prepaid credit card –
loosely speaking, whoever has the code can spend it.
And for all that a $200 gift voucher, sold illegally online for, say,
half its face value, doesn’t sound like much…
The criminals in this case didn’t care whether the victims left out of
pocket were the individual employees, the company itself, or both.
As you’ll see, the main reason that the crooks were rumbled and
repelled early was because a sysadmin at the affected company
acted as soon as they spotted that something was wrong.
For all that we’re proud that the Sophos Rapid Response team was
able to react quickly and deal with the attack, the vital part was
How it happened
These crooks didn’t have time to clean up after themselves – or
perhaps they weren’t intending to anyway – but as far as we can
tell, the attack unfolded simply and quickly.
We can’t be sure exactly how the crooks got in to start with, but
what we do know is:
The VPN server had not been set up to require 2FA. This means that a single password phished from a single user might have been enough to give them their beachhead. (Despite the unpatched vulnerability, we suspect this is how the attackers broke in this time.)

Once “inside” the VPN, the crooks were able to use RDP internally to jump from computer to computer. This meant they could open up web browsers on users’ computers and see which online accounts those users had not logged out of, including their personal email accounts (e.g. Gmail and Outlook.com). Make sure you secure RDP as sturdily from inside your network as from outside.
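As an added example, not code from the article or from Sophos Rapid Response, the internal RDP hopping described above can be surfaced from logon records: the Python script below looks for chains in which a host that has just received an RDP logon becomes the source of another RDP logon shortly afterwards. It assumes the records have already been normalised to timestamp, logon type, source host, destination host and user (Windows Security event 4624 with logon type 10 is an RDP logon); the sample lines are constructed.

```python
"""Flag RDP hop chains (host A -> B, then B -> C) in constructed logon records.

Added example, not Sophos tooling. Assumes records already normalised to
(timestamp, logon_type, source_host, destination_host, user); Windows
Security event 4624 with logon type 10 is a RemoteInteractive (RDP) logon.
"""
from datetime import datetime, timedelta

# Constructed sample records: ISO time, logon type, source host, destination host, user.
SAMPLE_LOG = """\
2020-11-20T22:01:10,10,vpn-pool-17,WS-ALICE,alice
2020-11-20T22:04:42,10,WS-ALICE,WS-BOB,alice
2020-11-20T22:07:05,10,WS-BOB,WS-CAROL,alice
2020-11-20T09:15:00,10,HELPDESK-01,WS-DAVE,helpdesk
2020-11-20T22:09:30,2,WS-CAROL,WS-CAROL,carol
"""

def parse(text):
    """Turn the CSV-style lines into tuples sorted by time."""
    rows = []
    for line in text.strip().splitlines():
        ts, ltype, src, dst, user = line.split(",")
        rows.append((datetime.fromisoformat(ts), int(ltype), src, dst, user))
    return sorted(rows, key=lambda r: r[0])

def rdp_hop_chains(rows, window=timedelta(minutes=15)):
    """Return chains of three or more hosts linked by successive RDP logons.

    A hop B -> C continues an existing chain when B was itself an RDP
    destination within `window`: one operator walking the network."""
    rdp = [r for r in rows if r[1] == 10]          # logon type 10 only
    chains = {}           # latest host of a chain -> (host list, last time)
    for ts, _, src, dst, _user in rdp:
        if src in chains and ts - chains[src][1] <= window:
            chain, _ = chains.pop(src)
            chain = chain + [dst]
        else:
            chain = [src, dst]
        chains[dst] = (chain, ts)
    return [c for c, _ in chains.values() if len(c) >= 3]

if __name__ == "__main__":
    for chain in rdp_hop_chains(parse(SAMPLE_LOG)):
        print("RDP hop chain:", " -> ".join(chain))
```

The isolated helpdesk logon is ignored because nothing hops onward from WS-DAVE, while the VPN-pool logon that fans out across three workstations within a few minutes is reported as one chain.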
The accounts that the crooks went after included Best Buy,
Facebook, Google Pay, PayPal, Venmo and Walmart.
(We can’t tell whether the crooks left the unsuccessful purchases
behind because they were caught before they could clean up,
because they hoped that they’d be overlooked and purchased by
mistake by the legitimate account holder later on, or because they
were focused on speed and didn’t care what happened afterwards.)
This tool left behind a logfile that reveals that the criminals were
actively hunting for personal and confidential data relating to both
the company and to its staff.
We don’t know how much the criminals were able to acquire from
the files they were hunting for, if anything, but we do know what
they were interested in, which included:
That reaction very quickly led to the crooks getting kicked out of
the network.
What to do?
The speed and determination of these crooks, speculatively logging
into email account after email account, is an excellent reminder of
why defence in depth is important.
Log out from accounts when you aren’t using them. Yes, it’s a hassle to log back into accounts every time you need to use them, but combined with 2FA it makes it much harder for crooks to take advantage of you if they get access to your browser.