
Fraudulent Giftcards & Malicious Google Ad Campaigns

Author: n0 Sec

The Giftcard Schemes

Prepaid giftcard schemes are one of the most lucrative yet unknown schemes I've encountered while researching blackhat online communities. The goal of these schemes is to obtain giftcards, which are then sold to buyers for about 50% of the value of the card. This is done primarily in two ways: cracking and phishing. Giftcard phishing is perpetrated via Google Ads, among other search engine optimization techniques. The cracking of giftcards appears to be much more recent, likely starting in early 2020, and targets small, vulnerable sites to attempt millions of card numbers that conform to the ‘format’ of the giftcard number. Prepaid giftcards for USD transactions are cracked, but giftcards for various stores such as Starbucks are also victims of giftcard cracking.

From my observations, the phishing and cracking scenes for these giftcards are very close, with all the key fraudsters in these communities working together and being in mutual Telegram chats. There is very little talk on blackhat forums about schemes to compromise giftcards, because many forums ban the discussion of these giftcard schemes. Namely, OGUsers.com has had its fair share of problems with prepaid giftcard schemes, and the site administrators have banned all giftcard scheme talk and sales from the site.

The "Beginning" of Prepaid Gift

Traceable prepaid giftcard schemes begin at VanillaGift. Fraudsters would create duplicate websites that logged the inputted information and saved it to a text file, then redirected the user to the correct domain. Victims would find the domain by googling the keyword ‘Vanillagift’, and the fraudster would have a Google Ads campaign that made their phishing domain show up as the top result in most cases. This is all fraudsters had to do for a while: buy a domain, host the phishing site, get Google Ads accounts, and then advertise via Google Ads. Google Ads at the time didn’t combat these malicious keywords, so there was little resistance except internal competition. It wasn't until about 6-12 months after these big initial waves of campaigns that Google began to combat the scheme. This was not the first time Google Ads had been abused; however, this was a new scheme at the time and was largely effective.

The phishing of prepaid giftcards was initially simple, with hardly any cloaking for the ads. The phishers merely cloned the website they wanted to phish and hosted an ad; users would visit, enter their card information, and press submit, only to be redirected to the actual website where the victim could check their giftcard legitimately. This was to avoid raising any suspicion in the consumer, who would think that the initial attempt to check didn’t work because of some obscure glitch. Regardless, even if the victim realized they were phished, there is nothing they can do about it except try to spend the balance as soon as possible. Cloaking is a way to hide a phishing domain's intent from Google Ad employees that review domains, and from web spiders meant to detect phishing websites. The cloaking software detects the web spiders and presents them a whitehat website, normally a WooCommerce shop that the phishers set up to fool whoever is reviewing the domain (spiders or employees). A very common 'front', the cloaked version of the website, was Vanilla cakes, so that the Google Ad keywords match the site’s contents. Cloaking was nearly non-existent initially; however, as Google began trying to put a stop to phishing, cloaking techniques would continue to evolve.

The second part of the process for the phishers was making a profit off the stolen giftcards. The phishers didn’t try to sell/use the cards themselves most of the time initially. Sales of the phished giftcards at this time were manual, phishers had designated card resellers, who would sell on forums, Discord servers, and Telegram communities. Nowadays, most phished and cracked prepaid giftcards are sold via automated bots on Telegram to prevent the need for resellers, which are practically unnecessary middlemen. These prepaid cards are typically referred to as 'stonk' or 'stock', and the bots that sell the cards are sometimes referred to as 'boats'. It is also worth noting that the methods in which the fraudsters host the Google Ads campaigns are frequently referred to as 'remos' amongst them, somewhat of an allusion to the SIM swapping scene.

It appears that the initial phishing sites worked for both computer and mobile phones. As mentioned, to prevent Google Ad crawlers from detecting the phishing site and reporting it, most of the current phishing pages are mobile-only. It is harder for Google to detect the phishing page as most web crawlers use a web-browser that is computer based. The initial phishers had a lot less to worry about opposed to the current phishers, considering cloaking was not needed, Google Ads didn’t interfere with the ads as quickly, and frequently phishers could negate the cost of hosting the ad making the process extremely simple.

The Original Malicious Google Ads For Prepaids

In the beginning, the ad campaigns were typically short-lived. While Google Ads had been abused for years, far before prepaid gift phishing, the fraudsters phishing at the time weren't experts at running Google Ads yet, so the process was at times inefficient. VBAs and virtual credit cards (VCCs) are still used to this day; however, they now require funds in them – previously an ad campaign could live a week without any balance. Because the initial phishers either didn’t want to pay or didn’t know how to load a VBA/VCC, most phishers would just have the ad campaign last for a week and then let it die due to payment issues. The cost of Google Ads is nothing compared to the profit from phishing, so eventually phishers would start legitimately paying for their ads to prevent their campaigns from dying. However, most campaigns would last a week at high budgets and more specifically high 'bids' (high cost-per-clicks, to incentivize Google to rank the ad high in search results), and then Google would try to collect the money from the phisher's bank, but the bank would be empty, resulting in Google suspending the ad account until the user’s balance is paid. It was important to have a high budget on the advertisement so that the advertisement would show up longer every day. Budget and bid are not only important for uptime, but also for showing up high in the search results for the phisher’s desired keywords. This means that every week, the phishers who didn’t pay their balance needed a new domain, new hosting, and a new VBA/VCC, and then had to re-upload their site files, all on top of waiting for Google's manual approval for advertisements. At this point, most people didn't know about Google Ads quality scores and the multivariate equation that determines ad placement. It likely would have been more effective for many phishers to just keep strong, continuous ad accounts live and pay the budget, as opposed to hosting many new accounts weekly.

TomVincent, a card reseller, and VBA seller, reselling phished giftcards on GameFlip.com

Estimated to be in 2018, Google patched this bug where phishers could get a free week of ads at Google's expense. Around this time, more people began experimenting with prepaid phishing, making advertising more competitive. Phishers would now begin launching attacks on each other on small scales if they had clashing keywords, for instance two people both trying to phish the keyword, "vanilla gift balance", would typically have conflict. Phishers would try to sabotage each other's operations by reporting each other's ads to Google, the domain registrar, and hosting. On top of this, denial of service attacks would be launched on phisher’s competitor sites using online stressing services, amongst some ‘fraudclicking’. Fraudclicking is using a bot to automatically find and click a Google Ad result thousands of times, to deplete a competitor’s budget (to get their ad off Google for the day). These tactics are fairly effective and people offer services such as fraudclicking in exchange for hundreds of dollars daily, such as on the forum Hackforums.net. Fraudclicking is not exclusively for illegitimate business – fraudclicking takes place between whitehat ad campaigns as well.

This is a fraudclick service. It 'exhausts' the budget of the competitor, meaning that it clicks their ads so much that they can't advertise until tomorrow, as all ads are on a budget that cannot be exceeded. The goal of a modern, successful malicious Google Ads campaign is to get a high as possible budget, so that the ad has the maximum amount of uptime.

As more competitors entered the giftcard phishing community, more feuds began. Phishers would even take somewhat of a ‘business approach’, developing alliances with each other, promising not to fraudclick or DDoS each other’s advertisements, and sometimes teaming up to sabotage other people’s campaigns. Eventually, the market would begin to get saturated, resulting in Google Ads detecting fraudulent ads that didn’t thoroughly cloak their site. The initial cloaking sometimes worked, but now phishers needed more scopes to their cloakers. Some scopes include geolocation detection, anti-bot detection, and IP analysis to determine whether a visiting IP is a "bad IP", such as one outside the scope of the phishing operation (an Indian IP visiting an American giftcard site is normally not a legitimate request). There are entire cloaking services such as AntiBot made purely to detect attempts from Google to detect the ad as malicious. To be clear, the reason services like these exist is to prevent search engine crawlers from detecting the malicious content on the phishing page, as search engine crawlers could index the page, realize it's a phishing attempt, and then suspend the Google Ads account associated with the domain. An aspect of many cloakers was that only mobile visitors could see the phishing page, to further prevent the crawlers from potentially seeing the ad. This is especially useful in circumstances of a Google Ads review, where the Google Ads employee reviews the ad, checking for malicious content. Most Google Ad employees are checking via their browser and not a mobile user-agent. Services on the market cloak sites easily for phishers now; however, cloaking can reduce the number of victims affected by the phishing.

JustCloakit Cloaking Service. I believe it is also possible that these cloaking mechanisms can lower the amount of fraudclicks a phishing campaign may receive from competitors due to the anti-bot features in most cloakers.

In my research, I also found that it wasn't uncommon for people to make custom cloakers for their purposes. This is because the approach some cloaking services take is somewhat predictable by Google and can raise flags, thereby making the ad more suspicious and more likely to be taken down.
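
A defender-side check for the cloaking behaviour described above, as an added example that is not from the original article: it compares the same landing page as retrieved under different client profiles and flags the case where only one view collects card details. The HTML samples, the brand term `examplegift`, the field-name heuristic and the similarity threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Field-name fragments that suggest a card-entry form (assumed heuristic).
CARD_FIELD = re.compile(r"card|cvv|cvc|expir|security.?code")


class PageScan(HTMLParser):
    """Collects visible words and the labels of <input> fields."""

    def __init__(self):
        super().__init__()
        self.inputs, self.words, self._hidden = [], set(), 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._hidden += 1
        elif tag == "input":
            a = dict(attrs)
            parts = (a.get("name"), a.get("id"), a.get("placeholder"))
            self.inputs.append(" ".join(p for p in parts if p).lower())

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._hidden:
            self._hidden -= 1

    def handle_data(self, data):
        if not self._hidden:
            self.words.update(re.findall(r"[a-z0-9]+", data.lower()))


def profile(html):
    """Summarise one retrieved view of a landing page."""
    scan = PageScan()
    scan.feed(html)
    scan.close()
    card_fields = [f for f in scan.inputs if CARD_FIELD.search(f)]
    return {"card_fields": card_fields, "words": scan.words}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0


def assess(variants, brand_terms, max_similarity=0.3):
    """variants maps a client-profile label to the HTML served to that profile.

    Cloaking is suspected when one view asks for card details under the
    protected brand while another view of the same URL is an unrelated page
    with no card fields at all.
    """
    profiles = {label: profile(html) for label, html in variants.items()}
    collecting = [l for l, p in profiles.items()
                  if p["card_fields"] and p["words"] & brand_terms]
    benign = [l for l, p in profiles.items() if not p["card_fields"]]
    findings = []
    for c in collecting:
        for b in benign:
            sim = jaccard(profiles[c]["words"], profiles[b]["words"])
            if sim <= max_similarity:
                findings.append({"collects_cards": c, "benign_view": b,
                                 "similarity": round(sim, 2),
                                 "fields": profiles[c]["card_fields"]})
    return {"cloaking_suspected": bool(findings), "findings": findings}


# Constructed samples: the 'front' shown to a desktop reviewer or crawler, and
# the page shown to a mobile visitor in the targeted country.
DESKTOP_VIEW = """<html><head><title>Vanilla Cakes Shop</title></head><body>
<h1>Fresh vanilla cakes</h1><p>Order handmade cakes for delivery.</p>
<form><input name="q" placeholder="Search cakes"><input name="email"></form>
</body></html>"""

MOBILE_VIEW = """<html><head><title>ExampleGift balance</title></head><body>
<h1>Check your ExampleGift card balance</h1>
<form action="/check"><input name="cardNumber">
<input name="expiry" placeholder="MM/YY"><input name="cvv"></form>
</body></html>"""

SAMPLE = {"desktop-crawler": DESKTOP_VIEW, "mobile-us": MOBILE_VIEW}

if __name__ == "__main__":
    print(assess(SAMPLE, {"examplegift"}))
```

A site that serves the same card form to every profile is not flagged, because the check depends on the views disagreeing, not on the presence of a form.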

Google Improves

The Google Ads system improved its security in what I estimate to be 2019 or 2020. Google began heavily reviewing blackhat ads and their associated accounts, making it significantly harder to maintain a blackhat ad. Now, the fraudster had to pay for the ad and make it realistic enough to pass automatic and manual reviews from Google. To circumvent the new security implementations, fraudsters looked to obtain aged Google Ads accounts; the term ‘aged’ indicates that the account has maintained previous campaigns with no flags from Google, along with high-quality payment methods (which Russian accounts don't need), and generally consistent behavior on Google Ads. These phishers would begin scattering, looking for aged Google Ads accounts and reaching out to forums such as BlackHatWorld. At this point there were two main approaches fraudsters were taking: buying an aged Google Ads account, or organically growing a whitehat campaign, which would be converted to a phishing campaign after increasing the ‘budget’ of the ad gradually (to look consistent in Google’s eyes). These ads would be much more difficult to maintain and would now require 'ad runners', people who obtain Google Ads accounts and maintain the advertisement for the phisher. This job has proven to be crucial to advertising and still is, as nearly all phishers rely on Google Ads exclusively for traffic. A common method to independently age an account is to use services like click.ru, which will help manage campaigns and provide billing methods for accounts. However, it is worth noting that, due to the ongoing conflict between Russia and Ukraine, click.ru is not currently effective, as Russian Google Ads are being limited as a sanction by Google. Click.ru is designed for Russian Google Ads, which can have a demographic of the United States, so the provider being Russian provides no direct limitations.
Russian Google Ads accounts are normally less restricted, such as not requiring as strong of a payment method, which is one of the hardest parts of maintaining an ad campaign for some phishers.

Regardless, Click.ru no longer being effective has not stopped the phishers. From my research, there is a plethora of ways in which ad accounts can be obtained. Some accounts are purchased from Genesis.Market, a shop for cookies and logins of infected users as explained in this KrebsOnSecurity article. People looking to sell ad accounts to phishers will buy ‘logs’ from Genesis with Google Adword/Google Ad logins saved and attempt to secure the Google Ads account from the owner. Once the buyer secures the Google Ads account, they will also try to seize the domain from the owner. If the ad account and domain were inactive, then the phisher doesn’t have to worry about the owner of the Google Ads account contacting Google and having the ad halted. Regardless, once the ad account is stolen, the criminal will slowly transform the account into a blackhat account; they cannot instantly make the account blackhat, as Google tends to detect those sharp changes. The fraudster may proceed by re-enabling the ad campaign and slowly changing the keywords, for instance, and gradually increasing the budget of the ad over time. There are also many techniques to host ads that are private amongst the phishing community that I am unaware of. Some include how to maximize the 'quality score' of an ad, making a campaign look good in Google's eyes. Some people are so familiar with Google Ads that they sell Google Ads 'remos' (a joking term the fraudsters use for ‘methods’), giving advice on how to maintain and grow a blackhat ad. I do not have access to this, but in an interview with an ad runner I was informed that these methods decrease the odds of an ad being taken down by Google and help get an ad improved initially.

Niches & Sales

Since the creation of prepaid phishing, the ad market has been competitive. To distinguish themselves from competitors, phishers found new websites to target for phishing campaigns, more commonly referred to as ‘niches’. For instance, initially OneVanilla and VanillaGift were the popular organizations to target; however, people moved on and began phishing MyPrepaidCenter giftcards in around 2020. Finding a new niche as a phisher has many advantages: it is easier to rank on Google Ads as the highest result, and there is less resistance from Google initially. Google may not realize that the site is a phishing operation until more false advertising campaigns have been made under similar search keywords. Another benefit to finding a new niche as a phisher is that once cards are phished and used fraudulently enough, card processors begin restricting the capability of the 'BIN'. The BIN is the first 6 digits of a card, which identify which company distributes the card. The companies that accept cards, such as DoorDash, begin restricting the BIN due to a high rate of chargebacks, as the fraudsters use the card on DoorDash and the victim, the one who was phished, reports the card as hacked, resulting in the card distributor charging back the funds used by the fraudster. This makes many “cashout” mechanisms used by fraudsters frequently ineffective once a card’s BIN is heavily restricted.

A list of BINs with their associated card providers, made by phishers in a community.

Additionally, not all niches/BINs are equal. Some BINs are more usable due to features like 'tokenization' (being able to connect a card to Apple Pay/Google Pay), and not being heavily geo-restricted (restricted in area of use; some cards are only usable in the USA/Canada). High-demand BINs tend to have high balance capability ($100-$1,000+) and typically sell better because they are either easier to cash out with or they have more potential than other BINs. While many phishing card sales happen through autosale bots in the phishing community on Telegram, many phishers delegate all sales of certain BINs to people who will consistently buy, to avoid losing a fee to a bot. Many phishers prefer the consistency of having a client they can always sell their phished cards to, as opposed to waiting for the card to sell on the Telegram bot.

Sales of these cards are conducted through two ways, on Telegram automated sales bots such as "Lana's Stock Bot" and "Rain’s Prepaid Bot". Before this, there were other bots such as Olympian Stock Bot. Along with these initial card sales bots came cashout bots, which are what amplified the prepaid fraud scene significantly. An example of the interface of one of these bots can be found here.

Cashout Bots (Discoli, Chinese, and more.)

Cashout bots became popular in 2020 amongst the prepaid giftcard community. Users bought access to the cashout bots and inputted the cards, then the bot cashed out the balance of the card to payment processors such as PayPal or Stripe. A massive concern when buying phished giftcards was that the transaction to cash out the balance would decline, or that the card's balance would be spent by the victim before the fraudster cashed out the balance himself. Mahk's cashout bot appeared to be the first bot on the market, and for the security at the time the bot was okay, but there was a lot more progress to be made. Mahk’s bot would automate PayPal transactions using inputted phished cards; however, the cards would frequently decline as PayPal would detect that the transaction was fraudulent. Eventually, Mahk would leave the community and this bot would no longer be maintained. People who purchased phished cards at the time were always looking for new methods to convert a phished card's balance to Bitcoin, and Mahk’s bot was only able to spend the card’s balance on PayPal (after which fraudsters would have to make an entirely separate effort to convert the PayPal balance to Bitcoin). The main advantage of this was that the card’s balance was spent, so the victim couldn’t spend his funds; however, having PayPal balance is only useful if the fraudster knows how to convert PayPal balance to Bitcoin. Not only did the fraudster have to convert the balance on PayPal to Bitcoin, but the fraudster also had to complete this exchange before the transaction was charged back due to the victim filing a complaint that their card was used without authorization. Many cashout methods at the time avoided PayPal, as PayPal's fraud detection was okay at the time and would frequently induce holds, and by the time the hold ended the victim had already charged back. PayPal, however, was viable if the fraudster was properly prepared with an aged PayPal and a good PayPal to Bitcoin system in place.

Lana StockBot in live action.

After Mahk’s bot came Discoli’s bot. Discoli is famous in the blackhat community for numerous reasons, such as being behind several OGUsers database leaks as discussed by Krebs here. Discoli’s bot was invite only and had an associated group, the "Disco Dogs", full of people cashing out cards using the Discoli bot. They even had a group on OGUsers, which was banned by Omie, the head admin of OGUsers at the time, alongside a ban of all discussion of phished prepaid giftcard sales on OGUsers. Discoli’s bot was a massive hit amongst the fraudsters and included exploits in PayPal to bypass security mechanisms, resulting in a high 'success rate', meaning cards rarely declined, making the cashout experience easy for the fraudster. This made the prepaid scene very efficient and attracted lots of attention, introducing new fraudsters to the community due to the easy money to be made. Competing bots arose, namely Chinese's Cashout Slave, which was short-lived and ended in a stunt where the owner pretended that he was arrested so he could close the bot without the users being mad they lost their $150 deposit to use the bot. This bot was notably said to be lower quality and lacked any exploits but was still a step up from Mahk's bot. Chinese’s bot was used mainly by people who weren't yet invited to Discoli's cashout bot. Some of the restrictions of PayPal were still nuisances to fraudsters, such as the holds, but fraudsters learned many tactics to work around these holds. Chinese and Discoli would have a complex relationship initially, but they would eventually work together to sabotage OGUsers as a joint effort.

Waded, a Banana Family group member in the fraud community. Banana Family includes phishing ad owners, runners, and more.

The rise of Discoli's bot resulted in other new fraudulent wants and needs to assist in the cashout process of phished giftcards. While the bot was very powerful, it required a PayPal account that could handle thousands of dollars of transactions without raising flags at PayPal, which means the receiving account must be aged, which isn't common. If the account were to be detected as suspicious by PayPal, PayPal would enforce account limitations which would slow down or eliminate the ability to cash out balance from a given account. Some forms of limitation include tasks such as submitting identification cards that match the account’s information provided at registration; however, some limitations could not be lifted and would result in all the funds in the account’s balance being held by PayPal for 180 days. In these 180 days, most of the giftcards would charge back, depleting the account’s balance regardless. The solution, aged PayPals, required that the fraudsters had time, effort, and persistence in maintaining their account and keeping it separated from any of their other PayPal accounts (as it is against PayPal terms of service to operate multiple accounts). The cashout bots used PayPal features like invoicing, friends and family payments, along with donation pools to facilitate payments to PayPal accounts. The fraudster would then have to hope that their aged PayPal still didn’t get flagged for suspicious activity, and the task that ensued was cashing out the balance to Bitcoin using currency exchangers on forums or websites designed for PayPal to Bitcoin exchanges (which are extremely rare to come by due to related fraud). Some fraudsters offered loading services using the cashout bots, meaning that people could give $x amount of Bitcoin to a person offering loads and get significantly more PayPal funds back, sometimes nearly double.
The cashout bot and loading services would continue for a while, and there was no shortage of methods to cash out prepaid giftcards; however, this would soon end. After a while, sources say Discoli was raided by police, resulting in him closing the bot, moving countries, and mostly keeping a low profile. His service would later be replaced with bots like Trident & Lana's "Olympian Cashout Bot", which cashed out cards to fraudsters’ Stripe accounts, paired with their "Olympian Stock Bot", where prepaid giftcards were bought and sold. This wasn't as popular, as the Stripe account used by the fraudster had to be aged, which was said to be harder to age than a PayPal account and less commonly sold by vendors. The manual cashout market remained, using any possible site that wouldn't block purchases under the phished BIN. The most recent bot to be in the community was particularly strong: it used the gambling site Hypedrop to deposit funds from the phished card, and the site allowed for Bitcoin withdrawals, without PayPal as a middleman. This was ideal for fraudsters but was quickly patched after about one to two weeks of being sold as a bot amongst the Lana Chat marketplaces. Methods like these are rare; the most common method I found in my investigation was using Point of Sale machines to cash out the cards, which gives the fraudster balance in a bank account, which can be easily converted to Bitcoin using exchanges such as Coinbase, Binance, or Kraken.

Chinese "Slave" Cashout bot being used.
Disco "Slave" Cashout bot being used.
Olympian Cashout Bot

These are some sample screenshots of the popular cashout tools among the years. While the balances may seem low in these screenshots, old evidence indicates that millions of dollars were processed through bots like these and laundered through PayPal to be converted to Bitcoin by fraudsters.

Giftcard Cracking

Many phishers, on top of phishing via Google Ads, also actively partake in cracking prepaid giftcards. The most cracked giftcard niches are MyPrepaidCenter & Universal Giftcard Australia – however there are far more that I am certainly unaware of. Most of the cracked giftcard niches are companies based in the USA, CA, and AU. These cracking operations typically involve finding the BIN of the card issuer, generating all the possible permutations of the card number that conform to the Luhn algorithm, and then testing whether each card is an active, existing card on the website. Many websites prevent this by blocking unreasonable amounts of requests from one IP and requiring a captcha, but hackers use rotating residential proxies to disguise their IP address as a typical residential visitor and use captcha bypasses sold on the blackhat market. For instance, a prominent member of the previously active 'Wylin' group in the prepaid community had a FunCaptcha exploit that allowed people to crack cards without the delay of waiting on a captcha to be solved. Exploits like these were used to crack hundreds of thousands of cards, and this technique can work on nearly any site. However, some sites are easier to crack giftcards on than others – as on some sites the fraudster must correctly guess the CVV and Primary Account Number (PAN) in the same attempt, and there are up to 999 possible CVVs for any given PAN.

To my understanding, an Australian giftcard website was the first to be cracked, which had no captchas and only required rotating residential proxies to hide the fraudster’s intent to crack giftcards. This website was especially vulnerable because once a valid card was entered into their system to have the balance checked, all the fraudsters had to do was crack the expiration date. To my understanding, the CVV was given to the user if the expiration date was correctly guessed. Most giftcards expire within 5-10 years, meaning there are typically only 50-100 combinations for expiration dates per PAN, making cracking not too hard. The website would also mark incorrect PAN combinations as non-existent, so only valid card numbers would have the expiration date guessed. After fraudsters saw how profitable this cracking scheme was, other websites were cracked using the FunCaptcha exploit, but many of these niches remain unknown because this is still a very new and active fraud market, so fraudsters avoid sharing private information that could make their niche so popular that the victim company improves their security.

I am sadly only able to scratch the surface on the new cracking schemes, as not even interviews with the most connected people in the community and research can answer some of my more technical questions about cracking due to how new it is. The fraudsters want to protect their new scheme to prevent it from being patched before they make ‘enough money’. It is essential that giftcard websites take proper precautions to protect users' information and properly secure their site against the bruteforcing of card numbers and related cracking attempts.
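
One way a balance-check endpoint can close the weaknesses described in this section (added example, not code from any site mentioned in the article): failures are counted per card number and per BIN instead of per IP, every failure returns the same response, and the expiry and CVV must both be correct in a single request. The card data, thresholds, addresses and class name are constructed for illustration.

```python
import hmac
from collections import defaultdict, deque

DECLINED = {"status": "declined"}   # one response for every failure reason


class BalanceCheckGuard:
    """In-memory sketch; a real service would keep counters in an expiring store."""

    def __init__(self, cards, max_pan_failures=5, bin_miss_limit=20, window=3600):
        self.cards = cards                        # pan -> (expiry, cvv, balance)
        self.max_pan_failures = max_pan_failures
        self.bin_miss_limit = bin_miss_limit
        self.window = window                      # seconds
        self.pan_failures = defaultdict(deque)    # pan -> failure timestamps
        self.bin_misses = defaultdict(deque)      # BIN -> (timestamp, source_ip)
        self.alerts = []                          # (BIN, misses, distinct IPs)

    def _recent(self, queue, now, ts=lambda item: item):
        # Drop entries that have aged out of the sliding window.
        while queue and now - ts(queue[0]) > self.window:
            queue.popleft()
        return queue

    def check(self, pan, expiry, cvv, source_ip, now):
        fails = self._recent(self.pan_failures[pan], now)
        misses = self._recent(self.bin_misses[pan[:6]], now, ts=lambda m: m[0])
        # The lock is keyed on the card number, so rotating proxies do not reset it.
        locked = len(fails) >= self.max_pan_failures
        record = self.cards.get(pan)
        if record and not locked:
            # Expiry and CVV are verified together; neither is ever disclosed.
            good = (hmac.compare_digest(expiry, record[0])
                    & hmac.compare_digest(cvv, record[1]))
            if good:
                return {"status": "ok", "balance": record[2]}
        # Unknown PAN, wrong expiry, wrong CVV and locked card all land here.
        fails.append(now)
        misses.append((now, source_ip))
        if len(misses) == self.bin_miss_limit:
            distinct_ips = len({ip for _, ip in misses})
            self.alerts.append((pan[:6], len(misses), distinct_ips))
        return dict(DECLINED)


# Constructed test card; 999999 is a placeholder BIN.
CARDS = {"9999990000000017": ("08/27", "314", 250.00)}


def simulate():
    """Replay constructed traffic: expiry guessing against one card, one IP per try."""
    guard = BalanceCheckGuard(CARDS, max_pan_failures=5, bin_miss_limit=8)
    pan = "9999990000000017"
    out = {}
    out["unknown"] = guard.check("9999990000000025", "01/26", "000",
                                 "198.51.100.1", now=0)
    # Worst case for the defender: the CVV is already known and the correct
    # expiry (08/27) is the eighth guess.
    replies = [guard.check(pan, f"{m:02d}/27", "314", f"203.0.113.{m}", now=m)
               for m in range(1, 9)]
    out["wrong_expiry"] = replies[0]
    out["guess_replies"] = [r["status"] for r in replies]
    out["alerts"] = list(guard.alerts)
    # After the window has passed, the legitimate holder can check again.
    out["holder_later"] = guard.check(pan, "08/27", "314", "192.0.2.10", now=4000)
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The per-card lock also blocks the legitimate holder until the window expires, which is the trade-off for making the guess count independent of the source address.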

New, High Balance Cards

In the past, the highest gift card balance was $500 – as most giftcard companies limited their giftcards to $500. However, recently, fraudsters found websites such as MyPrepaidCenter, a subsidiary of Blackhawk Networks, a tyrant in the giftcard market. MyPrepaidCenter is intensely lucrative to fraudsters because it has cards ranging to the tens of thousands of dollars that can be cracked and phished. Phishers and crackers even look to MyPrepaidCenter to target specific giftcards, as MyPrepaidCenter offers giftcard solutions for companies and even governments. For instance, on MyPrepaidCenter, victims can check their employee reward giftcard balance, so fraudsters have begun targeting those giftcard niches by creating phishing clones of MyPrepaidCenter and associating them with the Google search keywords of the specific employee reward niches. A recent example of this was a wave of phishers who targeted an area’s unemployment program, which distributed funds via MyPrepaidCenter giftcards. When the employees went to check and then use the balance of the giftcard, some would fall for a phishing result identical to MyPrepaidCenter or have their giftcards already spent because someone cracking giftcards had found the details of their giftcard. MyPrepaidCenter is essentially unique because it has ‘subniches’: there are unique giftcard programs with different BINs for MyPrepaidCenter.

Various Giftcard Phishing

Giftcard niches targeted by fraudsters aren’t limited to balances that can be immediately exchanged for cash. Some fraudsters are currently experimenting with phishing Walmart Giftcards & Target Giftcards – which they can sell on online platforms or sell to buyers who will spend the balance of the giftcard. While there are far more limitations to these giftcards opposed to prepaid giftcards – they are less restricted and easier to crack. This too is somewhat of a relatively undeveloped scene, but in my research, I have found ads that successfully used keywords related to Walmart Giftcards to phish users. These ads connected back to some of the same people perpetrating the similar prepaid giftcard schemes mentioned in this article.

Fraud Amongst the Fraudsters

Giftcard holders aren’t the only victims of the scamming antics of phishers. There are 'balance checkers' in the community, used to quickly check the balance of a phished giftcard. The user submits the cards to be checked to the bot and gets back the correct balance; however, the owner of the bot will have access to the giftcard and will frequently try to resell the giftcard or cash it out themselves. Most established phishers have their own unique bot; however, some less established phishers or purchasers of giftcards will use the bot and unknowingly have a chance of losing their giftcard. Another method of 'fraud amongst the fraudsters' is when buyers purchase a phished giftcard demanding that the sale is a PoS deal (pay on success). The buyer will receive the giftcard from the phisher, promising the seller that they will pay if the card works; however, regardless of whether the card works or not, the buyer doesn’t pay the seller.

Amongst this, there are lots of threats within the communities and frequent DOXXing. From my observation, PVAZone, an aged Google Ads account merchant turned phisher, is the most infamous and hated member of the community – resulting in numerous attempts at personal attacks against him via swatting and DOXXing. Aside from him, the aforementioned ‘Chinese’ is a frequent target of harassment, with his pictures and DOX being frequently posted in an attempt to bully him. It is a very competitive market, and if a phisher has competitors, it could result in real-world danger.

Conclusion

I believe that prepaid giftcard fraud is one of the most prominent yet uncovered forms of fraud. Prepaid giftcard fraud is perpetrated via services like Google Ads and can be solved with better security on Google's side, but until then this will likely continue to be a problem. Forms of obtaining giftcards maliciously have been multiplying despite Google’s efforts to stop the giftcard phishing – involving tactics such as cracking.