Hackers Use Password Phishing and Password Resets to Hijack Prepaid Gift Cards

Researchers with Sophos Security recently reported a network breach that was not focused on deploying ransomware or stealing information. Instead, the bad actors behind it were using their illegal access to steal prepaid gift cards, of all things.

The bad actors found their way onto a company's VPN server, most likely by phishing out the credentials of just one user. The company-operated VPN server did not have any form of multi-factor authentication set up, and it was also not running the latest version of the server software.

It's not clear which avenue of attack was used, as both phishing and a vulnerability in the server platform are likely.

Once the bad actors were able to get on the company network, they used RDP and "jumped" across different machines. The hackers checked browsers for any accounts that users did not log out of. This included e-mail accounts with Gmail or Outlook. The e-mail accounts that they could get access to were used to reset passwords for services such as Google Pay, PayPal and Venmo.

In a stroke of luck, it appears that only a few users on the compromised network had saved their credit card information for auto-fill and automatic purchases. As a result, the bad actors behind the attack only managed to buy a handful of prepaid gift cards before the intrusion was spotted and the attack was cut off.

The attackers attempted large-scale gift card purchasing, and many gift cards were still awaiting checkout when they were caught and abandoned their little operation. The cyber attack also had a secondary goal: the attackers installed a file search tool on the compromised network and configured it to look for personal data and sensitive company information.

The targets of the file searches included bank statements, details on drivers working for the company and credit card application documents.

There is no hard evidence of what exactly the hackers managed to pull from the network before they were cut off.

December 1, 2020
