
Bad Actors Hack Into Thousands of Inboxes to Misappropriate Gift Cards


Independent security researcher and journalist Brian Krebs recently published an intriguing report examining the activities of a criminal gang that is breaching email inboxes to fish for gift cards.

The information was provided to Krebs by what he describes as a "trusted source" who remains anonymous but is also said to have "visibility" into a network that is actively exploited by hackers to mask their tracks and keep their malicious web traffic anonymous.

Hackers Resort to Proven Brute Force Attacks

The hackers are using plain and simple brute force, attempting to breach millions of email accounts each day. According to the source cited by Krebs, this has been going on for the past three years.

Because the criminals are using brute force rather than verified stolen credentials, their success rate is low as a percentage, but it still amounts to many successfully breached inboxes. Given the estimate that they run between five and ten million login attempts each day, a success rate of 0.1 percent would still amount to tens of thousands of successfully hacked emails each day.

Curiously, the hackers don't do anything too drastic with the access they have. Krebs calls this the "low and slow" approach - no attempts to phish out contacts, no spam, simply a script that scans inboxes for re-sellable digital gift cards.
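One way a mail provider could flag the pattern described above in mailbox audit logs, as an added example that is not from the article or from Krebs's report. The log format, the keyword list and the `min_fail_ips` threshold are assumptions, and the events are constructed:

```python
import re
from collections import defaultdict

# Constructed mailbox audit events (not real logs), in chronological order:
# time, account, source IP, action, detail
EVENTS = """\
2021-05-01T02:00:01 alice@example.com 203.0.113.10 LOGIN_FAIL -
2021-05-01T02:07:44 alice@example.com 198.51.100.23 LOGIN_FAIL -
2021-05-01T02:15:09 alice@example.com 192.0.2.77 LOGIN_FAIL -
2021-05-01T02:21:30 alice@example.com 203.0.113.99 LOGIN_OK -
2021-05-01T02:21:35 alice@example.com 203.0.113.99 SEARCH gift card
2021-05-01T02:21:41 alice@example.com 203.0.113.99 SEARCH redeem code
2021-05-01T09:00:00 bob@example.com 192.0.2.5 LOGIN_FAIL -
2021-05-01T09:00:20 bob@example.com 192.0.2.5 LOGIN_OK -
2021-05-01T09:01:00 bob@example.com 192.0.2.5 SEARCH gift card
2021-05-01T09:02:00 bob@example.com 192.0.2.5 SEND carol@example.com
"""

# Assumed keyword list for mail that carries resellable gift cards
GIFT_TERMS = re.compile(r"gift\s*card|e-?gift|redeem|voucher", re.I)

def suspicious_sessions(text, min_fail_ips=3):
    """Flag sessions that follow failed logins spread over several other IPs
    and then only search for gift-card mail without sending anything."""
    fail_ips = defaultdict(set)   # account -> IPs that failed a login so far
    sessions = {}                 # (account, ip) -> summary of that session
    for line in text.strip().splitlines():
        ts, account, ip, action, detail = line.split(" ", 4)
        key = (account, ip)
        if action == "LOGIN_FAIL":
            fail_ips[account].add(ip)
        elif action == "LOGIN_OK":
            # "spread": distinct other IPs that failed before this success,
            # i.e. guessing distributed across a proxy network
            sessions[key] = {"login": ts, "hits": [], "sent": 0,
                             "spread": len(fail_ips[account] - {ip})}
        elif key in sessions:
            if action == "SEARCH" and GIFT_TERMS.search(detail):
                sessions[key]["hits"].append(detail)
            elif action == "SEND":
                sessions[key]["sent"] += 1
    return [{"account": a, "ip": ip, **s}
            for (a, ip), s in sessions.items()
            if s["spread"] >= min_fail_ips and s["hits"] and s["sent"] == 0]

if __name__ == "__main__":
    for hit in suspicious_sessions(EVENTS):
        print(hit)
```

The constructed `bob` session is not flagged: his single failed login came from the same address as the successful one, and he sent mail afterwards.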

Robbery Without Exposure

This approach allows the hackers to steal relatively small sums of money from individual entities over a prolonged period of time and tends not to draw the security spotlight to their activity the way something like a major ransomware job does. The stolen cards are later resold on various online markets and become essentially impossible to trace.

The emergence of more and more platforms and systems that offer this sort of gift card or loyalty card service gives threat groups like the one described by Krebs more fertile ground to work with.

Additionally, it shows that sometimes criminals trying to keep a low profile can continue their malicious work for years on end without running into any major trouble with law enforcement, simply because they are not trying to scoop too much at once.

The brute-force approach is also very easy and allows similar "low and slow" bad actors to keep stealing money from individuals without significant risk and without putting in too much effort.
