IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Hackers sell $38 million in gift cards on Russian marketplace

Amazon, Nike, Walmart, and Target among the brands targeted by Russian hacking dark web forum

Hackers have sold more than $38 million in gift cards from US retailers on an underground Russian hacking marketplace.

According to Gemini Advisory’s investigation, hackers were observed offering to sell 895,000 stolen gift cards from 3,010 companies in early February. 

The hackers claimed they had a database of over 3,000 brand-name gift cards. Affected companies included Airbnb, Amazon, American Airlines, Chipotle, Dunkin Donuts, Marriott, Nike, Subway, Target, and Walmart. The database may have originated from an older breach at online discount gift card shop Cardpool.com.

Before closing in early 2021, Cardpool.com operated as a gift card marketplace where individuals could sell unwanted gift cards to the shop. Cardpool.com would then resell those cards to others for less than their face value. 

The hackers started the auction at $10,000 with a $20,000 buy-now price. According to security researchers, the gift cards were bought by another actor soon after they were posted for sale.

Related Resource

The business guide to ransomware

Everything you need to know to keep your company afloat

The business guide to ransomware - whitepaper from DattoFree download

The original hacker listed data from another 330,000 payment cards on the same forum the next day. This data included payment card number, expiration date, and bank name but not the CVV or cardholder name. Bidding for these details started at $5,000, but there was a $15,000 buy-now price. The payment cards sold within days of the hacker listing them for sale, but not as quickly as the gift cards.

Gemini Advisory’s analysis concluded that the 330,000 payment cards likely came from a Cardpool.com breach between February 4, 2019 and August 4, 2019. 

Researchers said the lack of CVV data indicates that the actor likely acquired the cards by gaining backend access to Cardpool.com, which would have enabled them to steal the gift card data and previous shoppers’ payment card data directly from the site’s databases.

“Attackers can acquire backend access to online shops through a variety of methods, including exploiting vulnerabilities in sites’ content management systems (CMS) and brute-forcing admin login credentials,” said researchers.

According to the researchers, the Cardpool.com case “offers a valuable glimpse into the ecosystem of carding.”

“The trick is not in acquiring stolen cards but in devising the most efficient way to cash out the funds on the cards before financial institutions can flag them as compromised,” they said.

Featured Resources

Meeting the future of education with confidence

How the switch to digital learning has created an opportunity to meet the needs of every student, always

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

The business value of the transformative mainframe

Modernising on the mainframe

Free Download

Technology reimagined

Why PCaaS is perfect for modern schools

Free Download

Recommended

Ten ways to protect your company from the next big data breach
data breaches

Ten ways to protect your company from the next big data breach

18 Feb 2022
Gumtree site code made personal data of users and sellers publicly accessible
data protection

Gumtree site code made personal data of users and sellers publicly accessible

16 Dec 2021
US government warns of increased risk of ransomware over holiday season
ransomware

US government warns of increased risk of ransomware over holiday season

24 Nov 2021
Pizza chain exposed 100,000 employees' Social Security numbers
data breaches

Pizza chain exposed 100,000 employees' Social Security numbers

19 Nov 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

7 Jun 2022
Delivery firm Yodel disrupted by cyber attack
cyber attacks

Delivery firm Yodel disrupted by cyber attack

21 Jun 2022
Salaries for the least popular programming languages surge as much as 44%
Development

Salaries for the least popular programming languages surge as much as 44%

23 Jun 2022