Security firm Distil Networks said it has uncovered a new kind of malicious bot that has attacked almost 1,000 websites in an attempt to steal the gift card balances of consumers paying with gift cards on retail sites.
Distil said GiftGhostBots, which the company described as Advanced Persistent Bots (APBs), can use a rolling list of number combinations to test, on average, about 1.7 million gift card account numbers per hour in attempts to gain access to those cards and request balance information. If successful in obtaining the balance, fraudsters can resell the account numbers on the dark web or use them to purchase goods, the company said.
Distil said it first noticed increased bot activity on websites with gift card processing capabilities on Feb. 26. On one customer website, Distil’s analyst team recorded 4 million bad bot requests per hour — nearly 10 times their normal level of traffic.
Retailers have been talking a lot about bots in the last year or so, but usually the good kind — the chatbots they are employing in the name of improving customer engagement. The GiftGhostBot is not a good bot, and certainly not one you would want to start a chat with. Bad bots like GiftGhostBot are Distil's business, as it recently put out its 2017 Bad Bot Report, surveying the state of the growing trend toward bot-driven security attacks and finding that about 20% of all internet traffic last year was made up of bad bots attacking websites.
The rise of e-commerce fraud is one of the biggest stories of the last year or so in the retail sector, and it's going to be an even bigger one by the end of this year. We have been learning in recent months that e-commerce fraud is on the rise, and the gift card-focused threat is just one of many threats and different types of attacks we have seen.
The GiftGhostBot attacks are a bit different than most attacks we hear about in that these bots are specifically trying to access gift card balances, and not threatening any private customer data that retailers have locked away on their sites. Still, as Distil noted, any website could become a victim, and nearly 1,000 have been attacked already. Retailers shouldn't be any less urgent in attending to this threat than they would be for other potential attacks.
Most retailers may still be learning about the true nature and size of bot attacks, and most consumers, too, may only be starting to become fully aware of how often and how relentlessly websites are being attacked. One report from a month ago said that only 19% of consumers felt the need to cut back on online spending in the wake of security attacks. That could change quickly if customers start to feel the threat is getting too close, making it important for retailers to invest in multi-layered security strategies to protect their sites.
Fortunately, the sector and the companies looking to offer retailers security solutions appear to be catching on. Speaking of bot attacks specifically, Akamai, a company that counts many e-commerce sites among its customers, recently upped its bot mitigation game by acquiring Cyberfend. As a retailer, if you are not already talking to someone about how to protect your site from the likes of GiftGhostBot, it's time to put that item on the top of your to-do list.