back to article GiftGhostBot scares up victims' gift-card cash with brute-force attacks

Cybercrooks are using a bot to automate the process of breaking into and draining online gift card accounts. The software nasty, named GiftGhostBot, attempts to steal cash from money-loaded gift cards provided by a variety of retailers around the globe, according to Distil Networks. Any website – from luxury retailers to …

  1. Vector

    Boy that's gonna really suck for all them ransomware kiddies demanding gift cards for the unlock code.

  2. MNGrrrl

    Validation on a magic number alone was stupid even in Roman times. At least they rolled up parchment on a stick to cipher things. And yet here we are.

    The companies should be held liable for this kind of criminal stupidity. Even sophisticated encryption still usually has a second form of authentication besides the keys. And we only use stupidly large prime numbers because they are so hard to find. That is the only reason it works. Ccard numbers are largely sequential and very limited in the number of valid possibilities.

    I'm disappointed the criminal element took this long. Step up your game people, you're slipping.

  3. Anonymous Coward

    More technical details can be found in a blog post

    "More technical details on the GiftGhostBot cybercrime tool can be found in a blog post by Distil Networks here". ®

    I don't see any such technical details. Is GiftGhostBot running on hijacked desktops and if so how did it get there?

  4. Anonymous Coward
    Anonymous Coward

    Beer Tokens

    The safest form of gift voucher.

  5. juice Silver badge

    And there isn't a rate-limiter or captcha mechanism built into these websites because...?

    Admittedly, rate-limiting gets a bit trickier if you're dealing with requests coming in from a botnet, but slapping up a captcha would seriously hamper this kind of trawling.

  6. Anonymous Coward
    Anonymous Coward

    Presumably the submission/validation pages live behind a login wall

    I know that wouldn't stop the process but relatively easy to identify the validation of 1.6M codes within one hour across a handful of users and/or control it at the session level via rate limiting. Smash and grab though as they'll take what they have up until the point the application blocks them off.

    If not behind a login wall, why not?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019