Gift cards, anyone? Beware of Fraudulent and Malicious Hosts
People give gifts all year round, but a whole host of them are bought and sold during the Christmas and holiday seasons in particular. Unfortunately, the end-of-year celebrations also usher in the greatest number of gift card scams. The world’s biggest brands are no longer new to the threat, which is why Amazon, iTunes and Target, among others, have set up pages where scam victims can report malicious sites and pages.
We’ve put together a list of websites that consumers looking to buy gift cards for family and friends should be wary of. We dug deeper into the 1,339 domains and 863 subdomains containing the “gift + card” string obtained from Discovery of domains and subdomains and found that:
- A total of 127 domains contained the names of world-famous brands.
- Forty-one of the 1,339 domains were rated as “dangerous” by various malware engines.
- The 41 malicious domains resolved to seven unique IP addresses, all of which hosted at least 300 other domains.
- Four of the 863 subdomains have been labeled as “dangerous” by various malware engines.
Note that we limited our dataset to domains and subdomains registered between September 1 and December 21, 2021. Why? Because many people start buying gifts at this time.
As part of our ongoing efforts to enable cybersecurity analysts and researchers to continue their studies, we have collected all relevant data and made it available to anyone interested. You can download the threat research material here.
Analysis and Findings
First, we looked at all 1,339 domains and found that at least 127 of them featured the names of global brands, such as Visa, Target, and Amazon. The table below shows abused brands and their respective domain volumes. Note that we only included domains that spelled brand names correctly.
The table below shows example domains for each of the top 10 abused brands.
|Ranking|Brand|Example domain from dataset|
|---|---|---|
|1|Visa|gift cardshopping centermygift-visasalegift card[.]com|
|2|Target|gift card target[.]com|
|3|Amazon|amazon e-gift card[.]com|
|4|Apple/iTunes|apple gift cards[.]ph, getitunes gift card[.]ph|
|6|Walmart|walmart gift card[.]com|
|7|Chrome/Gmail/Google/Google Play|chrome gift card[.]com, gmail gift card[.]com|
|10|Xbox|xbox gift card[.]ml|
A bulk malware check via Threat Intelligence Platform (TIP) revealed that 41 of the domains in our dataset are rated as “dangerous” by one or more malware engines. Examples include:
- gift cardshopping centermygift-visasalegift card[.]com
- gabbygift card[.]org
- gift card target[.]com
Users should refrain from accessing such malicious domains, and the domains should be blocked whenever possible. Querying the dangerous web properties on DNS Lookup revealed that they resolve to seven unique IP addresses, namely:
Reverse IP Lookups for the IP addresses showed that each hosted at least 300 domains, indicating that they are likely part of shared hosting services. Examples include:
- audience zone[.]com
- galactic programming[.]com
- sincere warrior[.]report
That said, seventeen of the additional domains that resolved to the same IP addresses as the malicious domains were also rated as “dangerous” by various malware engines. These are (site descriptions based on screenshot searches):
- magicrasolutions[.]com: Software development company page
- project g4l1c1a[.]xyz: Currently unreachable
- cjkddd[.]ml: Error page
- auto discovery[.]cp-objection-appeal-portal[.]ml: Currently unreachable
- apple-ltd[.]com: Currently unreachable
- apple-ltd[.]co: Currently unreachable
- alokdigitalmedia[.]com: Digital Marketing Services Site
- allcodegift card[.]xyz: Site home page
- aavkaro[.]com: Account suspension warning page
- 3615google[.]in: Currently unreachable
- 10082773[.]review: Account suspension warning page
- 1002983[.]review: Account suspension warning page
- 032972[.]xyz: Account suspension warning page
- 022299fedeex[.]com: Blank page
- 022289fedeex[.]com: Fake FedEx page
- 022279fedeex[.]com: Blank page
- 02-assistance-invoicing[.]org: Account suspension warning page
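The triage steps described above (match the “gift + card” string, check for brand names, then pivot on the resolved IP address) can be scripted for a blocklist review. The following Python is an added example, not code from the original study; the function names, the `block_by` decision rule and all sample names and IP addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Brand names from the table on this page, lowercased for matching.
BRANDS = ("visa", "target", "amazon", "apple", "itunes", "walmart",
          "chrome", "gmail", "google", "xbox")
SHARED_HOSTING_MIN = 300  # the page's figure: each IP hosted at least 300 domains

def refang(name):
    """Convert a defanged name such as 'shop[.]example' to 'shop.example'."""
    return name.replace("[.]", ".").strip().lower()

def classify(name):
    """Return (has_gift_card_string, [brands spelled correctly in the name])."""
    flat = re.sub(r"[^a-z0-9]", "", refang(name))  # ignore dots and hyphens
    hit = "gift" in flat and "card" in flat
    return hit, [b for b in BRANDS if hit and b in flat]

def triage(resolutions, reverse_ip):
    """Group gift-card names by IP; reverse_ip maps ip -> all co-hosted names."""
    by_ip = defaultdict(lambda: {"names": [], "brands": set()})
    for name, ip in resolutions:
        hit, brands = classify(name)
        if hit:
            by_ip[ip]["names"].append(refang(name))
            by_ip[ip]["brands"].update(brands)
    report = {}
    for ip, entry in by_ip.items():
        shared = len(reverse_ip.get(ip, [])) >= SHARED_HOSTING_MIN
        # Assumed rule: on shared hosting an IP block would hit unrelated tenants.
        report[ip] = {**entry, "shared_hosting": shared,
                      "block_by": "domain" if shared else "ip"}
    return report

# Constructed sample data: reserved .example names and documentation IP ranges.
SAMPLE_RESOLUTIONS = [
    ("amazon-e-giftcard[.]example", "192.0.2.10"),
    ("gift-card-target[.]example", "192.0.2.10"),
    ("giftcard[.]shop[.]example", "198.51.100.7"),
    ("cards-and-flowers[.]example", "198.51.100.7"),
]
SAMPLE_REVERSE_IP = {
    "192.0.2.10": [f"tenant{i}.example" for i in range(320)],
    "198.51.100.7": ["giftcard.shop.example", "cards-and-flowers.example"],
}

if __name__ == "__main__":
    for ip, row in triage(SAMPLE_RESOLUTIONS, SAMPLE_REVERSE_IP).items():
        print(ip, row)
```

Co-hosted names on a shared IP still need their own reputation check, since only some of the neighbours in the list above were rated as dangerous.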
We then took a closer look at the 863 subdomains and found that four of them should be avoided because they are malicious. The dangerous subdomains are:
- gift card[.]ayurvedic[.]com
- www[.]gift card[.]ayurvedic[.]com
As we’ve seen in this article, there is definitely more to gift card sites than meets the eye, even when they look real because they carry popular brand names. Users looking to purchase gift cards for loved ones should heed the Federal Trade Commission (FTC) advice: stick to stores (or, in this case, store sites) that they know and trust. And if you end up being the victim of fraud, report the abuse to the authorities.
If you would like to carry out a similar survey, do not hesitate to contact us. We are always looking for potential research collaborations.