Gift card fraud and credential stuffing, a technique in which criminals use stolen account credentials to gain access to legitimate user accounts, ran rampant during the fourth quarter of 2020, according to research by Arkose Labs, a San Francisco-based provider of fraud-prevention technology.
Criminals launched 3.6 million attacks on gift card accounts during the fourth quarter, 2.4 times more than the number of attacks during the third quarter. One popular scam involves criminals using applications that scan compromised email accounts for links to, and credentials for, recently purchased gift cards. Once in possession of the gift card credentials, criminals can activate the card and either spend the money on items that can be sold for cash or resell the credentials on the black market.
“There were between ten and twenty thousand attacks a day that were scanning emails for gift card credentials,” says Kevin Gosschalk, chief executive at Arkose Labs. “Consumers purchase a lot of gift cards around Black Friday and throughout the fourth quarter, which makes them an attractive target for criminals.”
Other gift card scams include testing combinations of random account numbers and PINs on the sites of merchants that offer gift cards to breach an active account or to check the balance on active accounts. “Once the criminal gets into the account to check the balance, he has the credentials to empty the account,” says Gosschalk. “Criminals will also purchase gift cards as a way to launder money stolen from an account. The cards are then resold for cash. Gift card fraud is very lucrative for criminals.”
Credential-stuffing attacks, which power account takeovers, increased significantly during the fourth quarter, largely due to a spike in new consumer accounts. More than 1.5 billion credential-stuffing attacks took place during the fourth quarter, more than double the third quarter and up about 90% from the first quarter. Once a criminal finds legitimate account credentials, he can then use that information to carry out numerous types of downstream fraud.
“Credential stuffing is the gift that keeps on giving for criminals, because once account credentials are out, they get used over and over, no matter how old they are,” Gosschalk says. “It’s ridiculously easy for criminals to make money from credential stuffing because a lot of consumers don’t use unique passwords or make use of other available fraud-prevention tools, such as multi-factor authentication.”
Europe saw the highest number of fraud attacks, accounting for 37% of attacks. Asia-Pacific was the second most targeted region with 31%, followed by North America (20%), South America (8%), and Africa (4%).
Looking ahead, Gosschalk expects high levels of credential stuffing to continue, as well as a continued emphasis on e-commerce fraud as criminals look to exploit promotional offers from merchants meant to attract new customers, such as access to a free online game for opening a user account.
“Once the promotion is available to the new account, the account has value, which makes the account something the criminal can resell,” says Gosschalk. “Promotional offers are a great way for merchants to attract a lot of new, good customers, but they also attract a lot of fraudulent friends.”