GiftGhostBot is stealing cash from gift cards

Distil Networks is reporting that over 1,000 of its customers are under attack from a new advanced persistent bot (APB). The APB, called GiftGhostBot, is attacking gift card sites. Anna Westelius, Director of Engineering, Professional Services, Distil Networks, disclosed the details in a blog. She says: “GiftGhostBot, automatically checks millions of gift card numbers to determine which have balances, and was detected on February 26, 2017 and is still attacking websites.”

Gift cards are still popular with a lot of people. Relatives often use them as an alternative to giving money and they are often used as prizes in competitions. It should come as no surprise, therefore, that they have come under attack from cybercriminals. Westelius reports that the attacks are so bad that companies processing gift cards are no longer able to verify them online. Instead, when a customer attempts to use a gift card they are asked to call the processing centres to make the purchase.

Bots make this type of attack possible

GiftGhostBot is a fairly unsophisticated attack. It uses an algorithm to calculate a range of gift card account numbers. It then contacts the provider and requests the balance on the card. This type of attack, as pointed out by Westelius, is what bots excel at. It is simple and highly automatable. Once a valid card is discovered, the attack simply requests that the funds are moved elsewhere.

To show the scale of the attack, Westelius says that one retail site is seeing peak traffic exceeding 4 million requests per hour. This is almost 10x their normal levels.

Customers and retailers are victims of fraud

The attack leaves many customers the victims of fraud. The credit on their card has been taken by the cyber-criminals. With over 1,000 sites experiencing this type of attack, it should come as no surprise that it is hurting both customers and businesses. The problem for customers is protection. Not all gift cards are protected against this type of attack. When that happens the problem spills over to the retailer. It has to balance the potential loss of a customer with the cost of refunding the money itself.

What should customers do?

If you have a gift card, even one that you have never used, Westelius recommends you check the balance immediately. She also recommends that people treat them like cash. This is because that is exactly what they are. Customers must realise that they are just as important as other financial items such as cash, credit and debit cards.

Westelius also says that customers MUST report any losses on their cards to the relevant authorities. In her blog post she lists the three main authorities in the US, UK and Europe. This is information that many customers struggle to find so it is useful to have it in the blog.

What can retailers do?

Westelius gives a list of things that retailers can do. Perhaps the most important thing is the list of IP addresses that Distil Networks has linked to this attack. Retailers need to block all traffic from those addresses and investigate any traffic that their security systems captured around the attacks.

They should also consider ways to limit the requests for information about gift cards. As reported, one retailer was receiving 10x their normal hits. This alone should have triggered alarms. Some security systems for credit and debit cards immediately restrict the rate of requests when a sudden surge is detected. Retailers need to consider this type of mitigation for gift cards.
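The surge-based throttling suggested above, sketched as an added example (not code from Distil Networks or the original article): it flags a single client querying many different card numbers and a site-wide jump past a multiple of normal volume. The class name, thresholds, decision labels and sample traffic are assumptions made for illustration.

```python
from collections import defaultdict, deque

class BalanceCheckGuard:
    """Decide allow / challenge / block for each gift card balance lookup."""

    def __init__(self, baseline, surge_factor=10, window=60, max_cards=3):
        self.window = window                        # seconds of history kept
        self.surge_limit = baseline * surge_factor  # e.g. 10x normal volume
        self.max_cards = max_cards                  # distinct cards per client
        self.times = deque()                        # timestamps of all lookups
        self.cards = defaultdict(dict)              # client -> {card: last seen}

    def check(self, ts, client, card):
        cutoff = ts - self.window
        while self.times and self.times[0] <= cutoff:
            self.times.popleft()                    # forget lookups outside window
        seen = self.cards[client]
        for old in [c for c, t in seen.items() if t <= cutoff]:
            del seen[old]                           # forget this client's stale cards
        self.times.append(ts)
        seen[card] = ts
        if len(seen) > self.max_cards:
            return "block"       # one client walking through card numbers
        if len(self.times) > self.surge_limit:
            return "challenge"   # site-wide surge: slow everyone (CAPTCHA, delay)
        return "allow"

def replay(guard, events):
    """Run (timestamp, client, card) events in order and return the decisions."""
    return [guard.check(ts, client, card) for ts, client, card in events]

# Constructed sample traffic (documentation IP ranges, made-up card numbers).
CUSTOMER = [(t, "203.0.113.7", "card-1001") for t in (0, 10, 20)]
ENUMERATOR = [(30 + i, "192.0.2.50", f"card-{6000 + i}") for i in range(6)]
DISTRIBUTED = [(40, f"198.51.100.{i}", f"card-{7000 + i}") for i in range(15)]
LATER = [(200, "203.0.113.7", "card-1001")]

if __name__ == "__main__":
    guard = BalanceCheckGuard(baseline=2)
    for name, batch in [("customer", CUSTOMER), ("enumerator", ENUMERATOR),
                        ("distributed", DISTRIBUTED), ("later", LATER)]:
        print(name, replay(guard, batch))
```

The per-client rule catches a single source cycling through numbers, while the site-wide rule is what still fires when the lookups are spread across many addresses.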


Gift cards are still popular and, despite some high-profile failures of some gift card schemes, they still take tens of millions of pounds every year. It is likely that most of us have gift cards stuck in a drawer somewhere. We need to check them to stop cyber-criminals cashing in on them.

