Author: n0 Sec

From my observations, the phishing and cracking scene for these giftcards is very close-knit, with all the key fraudsters in these communities working together and sharing mutual Telegram chats. There is very little talk on blackhat forums about schemes to compromise giftcards, because many forums ban the discussion of these giftcard schemes. Notably, OGUsers.com has had its fair share of problems with prepaid giftcard schemes, and the site administrators have banned all giftcard scheme talk and sales from the site.

## The "Beginning" of Prepaid Gift

The phishing of prepaid giftcards was initially simple, and there was hardly any cloaking for the ads. The phishers merely cloned the website they wanted to phish and hosted an ad; users would visit, enter their card information and press submit, only to be redirected to the actual website, where the victim could check their giftcard legitimately. This was done to avoid raising suspicion with the consumer: the victim would assume that the initial attempt to check the balance had failed because of some obscure glitch. Regardless, even if the victim realized they had been phished, there is nothing they can do about it except try to spend the balance as soon as possible. Cloaking is a way to hide a phishing domain's intent from the Google Ads employees who review domains and from the web spiders that detect phishing websites. The cloaking software detects the web spiders and presents them with a benign website, normally a WooCommerce shop that the phishers set up to fool whoever is reviewing the domain (spiders or employees). A very common 'front', the cloaked version of the website, was a shop selling vanilla cakes, so that the Google Ads keywords matched the site's contents. Cloaking was nearly non-existent initially; however, as Google began trying to put a stop to phishing, cloaking techniques continued to evolve.

The second part of the process for the phishers was making a profit off the stolen giftcards. Initially, the phishers usually didn't try to sell or use the cards themselves. Sales of the phished giftcards at this time were manual: phishers had designated card resellers, who would sell on forums, Discord servers and Telegram communities. Nowadays, most phished and cracked prepaid giftcards are sold via automated bots on Telegram, which removes the need for resellers, who are practically unnecessary middlemen. These prepaid cards are typically referred to as 'stonk' or 'stock', and the bots that sell the cards are sometimes referred to as 'boats'. It is also worth noting that the methods by which the fraudsters host the Google Ads campaigns are frequently referred to as 'remos' amongst them, somewhat of an allusion to the SIM swapping scene.

It appears that the initial phishing sites worked on both computers and mobile phones. To prevent Google Ads crawlers from detecting the phishing site and reporting it, most of the current phishing pages are mobile-only. It is harder for Google to detect the phishing page because most web crawlers use a desktop-based browser. The initial phishers had a lot less to worry about than the current phishers: cloaking was not needed, Google Ads didn't interfere with the ads as quickly, and phishers could frequently avoid the cost of hosting the ad, making the process extremely simple.

In my research, I also found that it wasn't uncommon for people to make custom cloakers for their own purposes. This is because the approach some cloaking services take is somewhat predictable to Google and can raise flags, making the ad more suspicious and more likely to be taken down.

## Niches & Sales

Since the creation of prepaid phishing, the ad market has been competitive. To distinguish themselves from competitors, phishers found new websites to target for phishing campaigns, more commonly referred to as 'niches'. For instance, OneVanilla and VanillaGift were initially the popular organizations to target; however, people moved on and began phishing MyPrepaidCenter giftcards around 2020. Finding a new niche has many advantages for a phisher: it is easier to rank as the highest result on Google Ads, and there is less resistance from Google initially. Google may not realize that the site is a phishing operation until more fraudulent advertising campaigns have been made under similar search keywords. Another benefit of finding a new niche is that once cards from an existing niche have been phished and used fraudulently enough, card processors begin restricting the 'BIN'. The BIN is the first 6 digits of a card, which identify the company that distributes the card. Companies that accept cards, such as DoorDash, begin restricting the BIN due to a high rate of chargebacks: the fraudster uses the card on DoorDash, the phished victim reports the card as hacked, and the card distributor charges back the funds used by the fraudster. This makes many "cashout" mechanisms used by fraudsters ineffective once a card's BIN is heavily restricted.

Additionally, not all niches/BINs are equal. Some BINs are more usable due to features like 'tokenization' (being able to connect a card to Apple Pay/Google Pay) and not being heavily geo-restricted (some cards are only usable in the USA/Canada). High-demand BINs tend to support high balances ($100-$1,000+) and typically sell better because they are either easier to cash out or have more potential than other BINs. While many phished card sales happen through autosale bots in the phishing community on Telegram, many phishers delegate all sales of certain BINs to people who will buy consistently, to avoid losing a fee to a bot. Many phishers prefer the consistency of having a client they can always sell their phished cards to, as opposed to waiting for the card to sell on the Telegram bot.

Sales of these cards are conducted through automated Telegram sales bots such as "Lana's Stock Bot" and "Rain's Prepaid Bot". Before these, there were other bots such as Olympian Stock Bot. Along with these initial card sales bots came cashout bots, which are what amplified the prepaid fraud scene significantly. An example of the interface of one of these bots can be found here.

## Cashout Bots (Discoli, Chinese, and more)

Cashout bots became popular in 2020 amongst the prepaid giftcard community. Users bought access to a cashout bot and inputted the cards, and the bot then cashed out the balance of each card to a payment processor such as PayPal or Stripe. A major concern when buying phished giftcards was that the transaction to cash out the balance would decline, or that the card's balance would be spent by the victim before the fraudster cashed it out himself. Mahk's cashout bot appeared to be the first bot on the market; for the security of the time the bot was adequate, but there was a lot more progress to be made. Mahk's bot would automate PayPal transactions using the inputted phished cards, but the cards would frequently decline because PayPal would detect that the transaction was fraudulent. Eventually, Mahk left the community and the bot was no longer maintained. People who purchased phished cards at the time were always looking for new methods to convert a phished card's balance to Bitcoin, and Mahk's bot was only able to spend the card's balance on PayPal (after which fraudsters had to make an entirely separate effort to convert the PayPal balance to Bitcoin). The main advantage of this was that the card's balance was spent, so the victim couldn't spend their funds; however, having a PayPal balance is only useful if the fraudster knows how to convert it to Bitcoin. Not only did the fraudster have to convert the PayPal balance to Bitcoin, they also had to complete this exchange before the transaction was charged back once the victim filed a complaint that their card had been used without authorization. Many cashout methods at the time avoided PayPal, as PayPal's fraud detection was adequate at the time and would frequently impose holds, and by the time the hold ended the victim had already charged back. PayPal was viable, however, if the fraudster was properly prepared with an aged PayPal account and a good PayPal-to-Bitcoin system in place.

After Mahk's bot, Discoli's bot was developed. Discoli is famous in the blackhat community for numerous reasons, such as being behind several OGUsers database leaks, as discussed by Krebs here. Discoli's bot was invite-only and had an associated group, the "Disco Dogs", full of people cashing out cards using the Discoli bot. They even had a group on OGUsers, which was banned by Omie, head admin of OGUsers at the time, as part of a ban on all discussion of phished prepaid giftcard sales on OGUsers. Discoli's bot was a massive hit amongst the fraudsters and included exploits in PayPal to bypass security mechanisms, resulting in a high 'success rate', meaning cards rarely declined, which made the cashout experience easy for the fraudster. This made the prepaid scene very efficient and attracted lots of attention, introducing new fraudsters to the community due to the easy money to be made. Competing bots arose, namely Chinese's Cashout Slave, which was short-lived and ended in a stunt where the owner pretended that he had been arrested so he could close the bot without the users being angry that they had lost their $150 deposit to use the bot. This bot was said to be of notably lower quality and lacked any exploits, but it was still a step up from Mahk's bot. Chinese's bot was used mainly by people who had not yet been invited to Discoli's cashout bot. Some of PayPal's restrictions, such as the holds, were still nuisances to fraudsters, but fraudsters learned many tactics to work around them. Chinese and Discoli initially had a complex relationship, but they would eventually work together to sabotage OGUsers as a joint effort. The rise of Discoli's bot created new demand for services to assist in the cashout process of phished giftcards. While the bot was very powerful, it required a PayPal account that could handle thousands of dollars of transactions without raising flags at PayPal, which means the receiving account had to be aged, which isn't common.
If PayPal detected an account as suspicious, it would enforce account limitations, which would slow down or eliminate the ability to cash out the balance from that account. Some limitations involve tasks such as submitting identification documents matching the account information provided at registration; other limitations could not be lifted at all and resulted in all the funds in the account's balance being held by PayPal for 180 days. During those 180 days, most of the giftcard transactions would be charged back, depleting the account's balance regardless. The solution, aged PayPal accounts, required the fraudsters to invest time, effort and persistence in maintaining their account and keeping it separate from any of their other PayPal accounts (as operating multiple accounts is against PayPal's terms of service). The cashout bots used PayPal features like invoicing, friends-and-family payments and donation pools to facilitate payments to PayPal accounts. The fraudster would then have to hope that their aged PayPal account still didn't get flagged for suspicious activity, and the task that followed was cashing out the balance to Bitcoin using currency exchangers on forums or websites designed for PayPal-to-Bitcoin exchanges (which are extremely rare to come by due to the associated fraud). Some fraudsters offered loading services using the cashout bots, meaning that people could give $x worth of Bitcoin to a person offering loads and get significantly more in PayPal funds back, sometimes nearly double. The cashout bots and loading services continued for a while, and there was no shortage of methods to cash out prepaid giftcards, but this would soon end. After a while, sources say Discoli was raided by police, resulting in him closing the bot, moving countries and mostly keeping a low profile.
His service would later be replaced with bots like Trident & Lana's "Olympian Cashout Bot", which cashed out cards to the fraudster's Stripe account, paired with their "Olympian Stock Bot", where prepaid giftcards were bought and sold. This wasn't as popular, as the Stripe account used by the fraudster had to be aged, which was said to be harder than aging a PayPal account, and aged Stripe accounts were less commonly sold by vendors. The manual cashout market remained, using any site that wouldn't block purchases under the phished BIN. The most recent bot in the community was particularly strong: it used the gambling site Hypedrop to deposit funds from the phished card, and the site allowed Bitcoin withdrawals, without PayPal as a middleman. This was ideal for fraudsters but was quickly patched after about one to two weeks of being sold as a bot amongst the Lana Chat marketplaces. Methods like these are rare; the most common method I found in my investigation was using point-of-sale machines to cash out the cards, which gives the fraudster a balance in a bank account that can be easily converted to Bitcoin using exchanges such as Coinbase, Binance or Kraken.

These are some sample screenshots of the popular cashout tools over the years. While the balances may seem low in these screenshots, older evidence indicates that millions of dollars were processed through bots like these and laundered through PayPal to be converted to Bitcoin by fraudsters.

To my understanding, an Australian giftcard website was the first to be cracked; it had no captchas and only required rotating residential proxies to hide the fraudster's intent to crack giftcards. This website was especially vulnerable because once a valid card number was entered into its balance-check system, all the fraudsters had to do was crack the expiration date. To my understanding, the CVV was shown to the user if the expiration date was guessed correctly. Most giftcards expire within 5-10 years, meaning there are typically only 50-100 possible expiration dates per PAN, so cracking is not too hard. The website would also mark incorrect PAN combinations as non-existent, so only valid card numbers would have their expiration date guessed. After fraudsters saw how profitable this cracking scheme was, other websites were cracked using the FunCaptcha exploit, but many of these niches remain unknown because this is still a very new and active fraud market, so fraudsters avoid sharing private information that could make their niche popular enough that the victim company improves its security.

I am sadly only able to scratch the surface of the new cracking schemes, as not even interviews with the most connected people in the community, combined with my research, can answer some of my more technical questions about cracking, due to how new it is. The fraudsters want to protect their new scheme to prevent it from being patched before they make 'enough money'. It is essential that giftcard websites take proper precautions to protect users' information and properly secure their sites against the bruteforcing of card numbers and related cracking attempts.
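Two defensive controls follow from the cracking pattern described above: the balance-check endpoint should answer every mismatch (unknown PAN, wrong expiry, wrong CVV) with the same generic error and never return the CVV, and the logs should be watched for one PAN receiving many different expiry dates in a short window. The following is an added example written for this article, not code from any giftcard site; the log format, field names and the threshold of three distinct expiries in ten minutes are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for a balance-check endpoint (field names are
# assumptions; a real service would log a PAN hash, never the PAN itself).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.5 pan=h_a exp=01/26 result=error
2024-03-01T10:00:02Z ip=203.0.113.5 pan=h_a exp=02/26 result=error
2024-03-01T10:00:03Z ip=203.0.113.5 pan=h_a exp=03/26 result=error
2024-03-01T10:00:04Z ip=203.0.113.5 pan=h_a exp=04/26 result=error
2024-03-01T10:00:05Z ip=203.0.113.5 pan=h_a exp=05/26 result=ok
2024-03-01T10:05:00Z ip=198.51.100.9 pan=h_b exp=11/27 result=ok
2024-03-01T10:06:00Z ip=198.51.100.9 pan=h_b exp=11/27 result=ok
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) pan=(\S+) exp=(\S+) result=(\S+)$")


def parse_log(text):
    """Yield (time, ip, pan, exp, result) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield (ts, *m.groups()[1:])


def flag_expiry_enumeration(text, max_distinct=3, window=timedelta(minutes=10)):
    """Return the set of PANs that received more than max_distinct different
    expiry guesses inside any sliding window of the given length."""
    attempts = defaultdict(list)  # pan -> [(time, exp), ...]
    for ts, _ip, pan, exp, _res in parse_log(text):
        attempts[pan].append((ts, exp))
    flagged = set()
    for pan, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            seen = {e for t, e in events[i:] if t - start <= window}
            if len(seen) > max_distinct:
                flagged.add(pan)
                break
    return flagged


def balance_check_response(pan_known, expiry_matches, cvv_matches, balance):
    """Uniform response: any mismatch yields the same generic error, so the
    caller cannot learn whether the PAN exists, and the CVV is never echoed."""
    if not (pan_known and expiry_matches and cvv_matches):
        return {"status": "error", "message": "Card details could not be verified."}
    return {"status": "ok", "balance": balance}
```

In the constructed log, `h_a` is flagged because five distinct expiries arrive within seconds, while `h_b` is a legitimate repeat check and is not.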

## New, High Balance Cards

In the past, the highest giftcard balance was $500, as most giftcard companies limited their giftcards to $500. Recently, however, fraudsters found websites such as MyPrepaidCenter, a subsidiary of Blackhawk Network, a giant in the giftcard market. MyPrepaidCenter is intensely lucrative to fraudsters because it has cards with balances ranging into the tens of thousands of dollars that can be cracked and phished. Phishers and crackers even use MyPrepaidCenter to target specific giftcard programs, as MyPrepaidCenter offers giftcard solutions for companies and even governments. For instance, on MyPrepaidCenter, victims can check the balance of their employee reward giftcard, so fraudsters have begun targeting those giftcard niches by creating phishing clones of MyPrepaidCenter and associating them with the Google search keywords of the specific employee reward programs. A recent example of this was a wave of phishers who targeted an area's unemployment program, which distributed funds via MyPrepaidCenter giftcards. When the recipients went to check and then use the balance of their giftcard, some would fall for a phishing result identical to MyPrepaidCenter, or would find their giftcard already spent because someone cracking giftcards had found its details. MyPrepaidCenter is essentially unique because it has 'subniches': unique giftcard programs with different BINs, all hosted on MyPrepaidCenter.

## Fraud Amongst the Fraudsters

Alongside all this, there are many threats within the communities and frequent doxxing. From my observation, PVAZone, an aged Google Ads account merchant turned phisher, is the most infamous and hated member of the community, which has resulted in numerous personal attacks against him via swatting and doxxing. Aside from him, the aforementioned 'Chinese' is a frequent target of harassment, with his pictures and dox frequently posted in an attempt to bully him. It is a very competitive market, and if a phisher has competitors, it can result in real-world danger.

## Conclusion

I believe that prepaid giftcard fraud is one of the most prominent yet least-covered forms of fraud. Prepaid giftcard fraud is perpetrated via services like Google Ads and could be curbed with better security on Google's side, but until then it will likely continue to be a problem. Methods of obtaining giftcards maliciously have been multiplying despite Google's efforts to stop giftcard phishing, and now include tactics such as cracking.