5/7/2021 Gift card hack exposed – you pay, they play – Naked Security


Gift card hack exposed – you pay, they play
24 NOV 2020
Data loss, Vulnerability



by Paul Ducklin

Thanks to Bill Kearney of Sophos Rapid Response for his work on this
article.

If you’ve read the recent Sophos 2021 Threat Report, you’ll know
that we deliberately included a section about all the malware out
there that isn’t ransomware.

Sure, ransomware understandably hogs the media headlines these days, but cybercriminality goes way beyond ransomware attacks.

Indeed, as we’ve noted before, many ransomware incidents happen due to other malware that infiltrated your network first and brought in the ransomware later on.

In fact, many network intrusions don’t involve malware at all, because cybercriminals have plenty of other ways of bleeding money out of your users, your company, or both.

Here’s an example that the Sophos Rapid Response team came across recently – an opportunistic network intrusion that was much less sophisticated than a typical ransomware or data stealing attack, but dangerous and disconcerting nevertheless.

Worse still for the employees of the business, these crooks weren’t
specifically after the company as a whole, but seemed to attack
the network simply because it represented a convenient way of
hacking away at lots of individuals at the same time.


Very simply put, the crooks were after as many accounts as they
could access to buy as many gift cards as they could as quickly as
possible.


As you probably know, gift cards that you purchase online are
typically delivered by email to a recipient of your choosing as a
secret code and a registration link.

So, receiving a gift card code is a bit like getting hold of the
number, expiry date and security code from a prepaid credit card –
loosely speaking, whoever has the code can spend it.

Although gift cards are meant to be used by the intended recipient only – they’re not supposed to be transferable – there’s not much to stop the recipient allowing someone else to use them if they choose, and that means they can be sold on the cybercrime underweb.

And for all that a $200 gift voucher, sold illegally online for, say,
half its face value, doesn’t sound like much…

…crooks with access to a whole company’s worth of users – in this story, the company’s VPN supported about 200 people – can try to acquire not just one but potentially hundreds of pre-paid gift cards in short order.


The criminals in this case didn’t care whether the victims left out of
pocket were the individual employees, the company itself, or both.

Rumbled and repelled

The good news here is that the crooks only got as far as spending
$800 of other people’s money before the Rapid Response team
were able to kick them out of the network, and as far as we know,
the fraudulent purchases were detected and reversed in time so
that no one ended up out of pocket.

As you’ll see, the main reason that the crooks were rumbled and
repelled early was because a sysadmin at the affected company
acted as soon as they spotted that something was wrong.

If you watched last week’s Naked Security Live video, entitled “Beat the Threat“, you’ll know that in our tips at the end of the video, we said:

Any tipoff you can get that suggests a crook might be in your network is a tip worth looking at. [… Just] because you are looking at something that […] you can’t quite justify, but that you saw before and it was OK last time – don’t assume it’s OK this time. […] That’s a bit like hearing your smoke alarm going off in the kitchen and thinking, ‘You know what, last time it was steam from the kettle that triggered it by mistake, so I’m just going to assume that’s what’s happening [again].’ This time, it could be something on the stovetop that’s already set on fire.

For all that we’re proud that the Sophos Rapid Response team was able to react quickly and deal with the attack, the vital part was that the victim triggered a proper response quickly in the first place.

How it happened

These crooks didn’t have time to clean up after themselves – or
perhaps they weren’t intending to anyway – but as far as we can
tell, the attack unfolded simply and quickly.

We can’t be sure exactly how the crooks got in to start with, but
what we do know is:

The victim’s VPN server hadn’t been patched for several months. This alone might have been enough to let the crooks break in – an exploit existed for the old version that could, in theory, have allowed the crooks to sneak into the network.

The VPN server had not been set up to require 2FA. This
means that a successful password phished from a single user
might have been enough to give them their beachhead. (Despite
the unpatched vulnerability, we suspect this is how the
attackers broke in this time.)

Once “inside” the VPN, the crooks were able to use RDP internally to jump from computer to computer. This meant they could open up web browsers on users’ computers and see which online accounts they’d not logged out of, including their personal email accounts (e.g. Gmail and Outlook.com). Make sure you secure RDP as sturdily from inside your network as from outside.

The crooks used individual email accounts to do a raft of password resets. On computers where the crooks could access email accounts due to cached credentials, but couldn’t get into other interesting accounts because the user was logged out of those, they did password resets via the email account.


The accounts that the crooks went after included Best Buy,
Facebook, Google Pay, PayPal, Venmo and Walmart.
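As an added example (not code from the article or from Sophos), here is a small detector for the internal RDP hopping described in the list above: it flags any account whose RDP logons reached several distinct hosts within a short window, which is what an intruder looking for open browser sessions does and what a person at their desk rarely does. The event layout, usernames, hostnames and addresses are constructed for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows "successful logon" events (event ID 4624).
# Logon type 10 is RemoteInteractive, i.e. RDP. Usernames, hostnames and
# the VPN-pool source addresses are invented for this demo.
SAMPLE_EVENTS = [
    {"time": "2020-11-20T09:02:11", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src": "10.8.0.14", "dst": "WS-017"},
    {"time": "2020-11-20T09:04:50", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src": "10.8.0.14", "dst": "WS-022"},
    {"time": "2020-11-20T09:06:02", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src": "10.8.0.14", "dst": "WS-031"},
    {"time": "2020-11-20T09:07:40", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src": "10.8.0.14", "dst": "WS-031"},
    {"time": "2020-11-20T09:09:15", "event_id": 4624, "logon_type": 10, "user": "jsmith", "src": "10.8.0.14", "dst": "WS-005"},
    {"time": "2020-11-20T09:03:00", "event_id": 4624, "logon_type": 2,  "user": "admin1", "src": "-",         "dst": "WS-001"},
    {"time": "2020-11-20T10:15:00", "event_id": 4624, "logon_type": 10, "user": "admin1", "src": "10.8.0.9",  "dst": "SRV-FILE"},
]


def rdp_fanout(events, window=timedelta(minutes=10), min_hosts=4):
    """Return {user: [hosts]} for every account whose RDP logons reached at
    least min_hosts distinct hosts inside some window-sized span of time."""
    per_user = defaultdict(list)
    for ev in events:
        # Keep only successful RDP logons; console and network logons are ignored.
        if ev["event_id"] == 4624 and ev["logon_type"] == 10:
            per_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), ev["dst"]))

    hits = {}
    for user, logons in per_user.items():
        logons.sort()  # chronological, so each slice below is a sliding window
        for i, (start, _) in enumerate(logons):
            hosts = {host for when, host in logons[i:] if when - start <= window}
            if len(hosts) >= min_hosts:
                hits[user] = sorted(hosts)
                break  # one alert per account is enough
    return hits


if __name__ == "__main__":
    for user, hosts in rdp_fanout(SAMPLE_EVENTS).items():
        print(f"ALERT: {user} opened RDP sessions to {len(hosts)} hosts: {', '.join(hosts)}")
```

The thresholds are starting points to tune against your own baseline; the same sliding-window idea applies to a burst of password-reset emails landing in one mailbox.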

Fortunately, it seems that only a few of the users attacked in this way had saved their credit card details for automatic re-use when making purchases, which is probably why the crooks only managed a few hundred dollars of gift card purchases before being spotted.

Apparently, numerous users who needed to re-reset their altered passwords to get back into their accounts noticed that there were gift cards queued up for purchase in their online shopping carts, but that the crooks had not been able to finalise those purchases.

(We can’t tell whether the crooks left the unsuccessful purchases
behind because they were caught before they could clean up,
because they hoped that they’d be overlooked and purchased by
mistake by the legitimate account holder later on, or because they
were focused on speed and didn’t care what happened afterwards.)

But there’s more

As with many attacks, this one didn’t have just a single purpose,
although getting hold of “money for sale” seems to have been the
primary motivator here.

The crooks also downloaded and installed a popular free file search tool to help them look for interesting files across the network.

This tool left behind a logfile that reveals that the criminals were
actively hunting for personal and confidential data relating to both
the company and to its staff.

We don’t know how much the criminals were able to acquire from
the files they were hunting for, if anything, but we do know what
they were interested in, which included:


Bank statements relating to individuals and the business.

Merchant agreements for accepting credit card payments.

Credit card applications.

Roster details for company drivers.

As far as we can tell, the file searching seems to have been a secondary interest to these criminals, who were determined and persistent in their attempts to make fraudulent purchases against as many users of the network as they could.

Nevertheless, secondary interest or not, the crooks weren’t after gift cards only.

After all, personal and corporate data that’s supposed to be private also has value on the cybercrime underground – not just for resale to other criminals, but as a vehicle for helping further criminal activity.

Rapid reaction pays off

Fortunately, these crooks seem to have got bogged down early on
in their attack.

Presumably frustrated because they couldn’t get into as many users’ email accounts as they wanted, they reset passwords on various company-related accounts to extend their access.

That had the side-effect of locking users, including one of the sysadmins, out of various company systems…

…and the sysadmin didn’t just remedy the immediate problem in order to fix the what, but also triggered a response to find out the why.

That reaction very quickly led to the crooks getting kicked out of
the network.

As we said above, any tipoff is a good tipoff!

What to do?

The speed and determination of these crooks, speculatively logging
into email account after email account, is an excellent reminder of
why defence in depth is important.

All of these tips would have helped here:

Patch early, patch often. The vulnerable VPN mentioned in this article probably wasn’t the way the crooks got access in this case, but it was a possible inward path anyway. Why be behind the crooks when you could be ahead instead?

Use 2FA wherever you can. A second factor of authentication for both the external VPN and the internal RDP servers might have been enough on its own to keep these crooks out.

Log out from accounts when you aren’t using them. Yes, it’s
a hassle to log back into accounts every time you need to use
them, but combined with 2FA it makes it much harder for
crooks to take advantage of you if they get access to your
browser.

Rethink which websites you allow to keep payment card data online for next time. Companies that hold payment card details only for specific purchases, such as paying a utility bill, are a much lower risk than online services via which your card can be used to pay for almost anything, especially for items that are “delivered” immediately via email.

Don’t block malware alone with your threat protection product. Block potentially unwanted applications (PUAs) and hacking tools too. Cybercriminals are increasingly turning to legitimate cybersecurity and network management software that you already have on your system, instead of using malware – a technique that’s called “living off the land” – in the hope of looking like sysadmins themselves. Catch them out if you can.

Have somewhere for users to report security problems. If you’re locked out of your own account unexpectedly, make sure your reaction is not simply “I need to get back online” but also “I need to find the underlying cause.” An easily remembered email address or company phone number for cybersecurity reports can help you make your whole company into eyes and ears for the IT security team.

Keep your users alert to the latest trends in phishing. Consider an anti-phish training product such as Sophos Phish Threat. We can’t yet be sure, but it looks as though a single phished password might have been how the crooks got started in this attack.

Don’t get sidetracked by specific threats such as ransomware. Ransomware-specific tools are useful as part of a defence in depth approach, but wouldn’t have stopped this attack on their own. However, a holistic approach that would have blocked these crooks would very likely have stopped the majority of ransomware attacks, too.


4 comments on “Gift card hack exposed – yo…

Steve C# November 24, 2020 at 7:03 pm

I really like the suggestions at the end of the article.



Paul Ducklin November 24, 2020 at 11:45 pm

Thanks – glad you found them useful!



Tolby Nickell November 25, 2020 at 5:24 am

Another good one Paul – and Happy Thanksgiving to you & yours.

Paul Ducklin November 25, 2020 at 10:37 am

Thanks, glad you enjoyed it!


  4  1  Rate This
Reply
