Understanding Gift Card Fraud

Saad Bencrimo    19 July, 2021
Card Gift Fraud

Following an internal investigation, carried out by Digital Risk Protection’s team of analysts at Telefónica Tech, where a fraudulent URL impersonating a retail company led to the discovery of a much more complex scheme and what at first appeared to be an isolated fraudulent website, turned out to be one of thousands of fraudulent websites targeting different retail companies using the same structure.

From a screenshot submitted by a user who had noticed that a URL he was accessing was possibly a fraudulent website, we were able to track down a fairly complex fraud scheme, which attempted to obtain users’ details in exchange for a supposed €500 gift card. In the image submitted by this user, which was actually a screenshot from his mobile device, although the content of the website could be seen, only part of the URL was visible.

Figure 1. Screenshot submitted by the user

Based on our experience in dealing with this type of fraud, we knew that, without the full URL to access the page in question, it was very difficult to locate it. In the image provided, only the domain of the URL could be seen, which initially was insufficient information to be able to access the fraud.

One of the options proposed was to enter the domain in the web search engine, but instead of in the normal search engine, which did not give any viable results for locating the fraudulent website, enter the domain in the image search engine in case that way we could obtain any data that might be useful. This option turned out to be the key to revealing that the website was nothing more than just a drop in the ocean.

One of the images associated with the search entered returned the icon of a gift box with the logo of the company that was being impersonated. Upon opening the associated link, we were directed to a page on the social network Pinterest, where a user had been sharing images associated with these scams. While most of the links associated with these images located on this Pinterest page were no longer available, one of them referred us to the scam we were looking for. Furthermore, thanks to this Pinterest page we also discovered that this fraud in question was not only directed against our initial company, but against several companies belonging to the retail sector and that it did not only affect Spain, but it was a fraud at an international level.

Figure 2. Pinterest page with images of the frauds

Once we had located the full URL, in addition to asking our response team to intervene in order to take down this scam, we used a popular online tool that analyses any URL and is also capable of displaying detailed information on all the resources it requests, to see if we could locate more similar scams. Thanks to this search, we found a number of URLs that used the same scheme, impersonating several of the retail companies we had located.

At this point, and already having several different URLs to compare, we realised that a crucial fact for the investigation was that for all the URLs located for the same company, the same numerical identifier was being used. In a simple way and to make it easier to understand, we were then able to replicate the fraud from a URL or domain that we knew had this scam associated with it, for each of the other companies whose unique identifier we had located in the following way:


However, despite all that we had discovered, we knew that this fraud had to be much bigger. So, once it was clear to us that the structure used in these URLs was the same, we searched and compared the IP addresses where the scams were hosted, to see if they were hosted on the same IP address. This ended up being quite successful, because as we guessed, all of these pages were hosted on the IP address 34.XX.XX.54. We were able to find more than 1500 domains hosted on the same IP address by searching to try to find out which domains were hosted on that IP address.

Figure 3. List of domains hosted on IP address 34.XX.XX.54

Finally, and based on the information of interest available to us: the list of domains hosted at IP address 34.XX.XX.54 and the unique identifiers found for the different companies affected, we developed a script that formed the URLs for all the domains found, adding the corresponding identifier and checking whether these URLs resolved. In this way, we were able to locate up to 95 active fraudulent URLs for our initial company. Checking whether the pages resolved or not was introduced simply because many of these frauds were no longer available, not to mention that our response team had already taken action against some of them.

Currently, although many of these frauds are no longer active, many are still in operation and the service is looking for solutions to try to act as a block against all frauds. In short, when surfing the Internet, we must be very careful with this type of fraudulent websites that try to obtain information of interest and, in many cases, sensitive information from inattentive users.

Leave a Reply

Your email address will not be published.