---
title: 'Fraudulent Giftcards & Malicious Google Ad Campaigns'
date: 2022-01-25
tags:
  - onevanilla
  - 1v
  - ov
  - vanillagift
  - phishing
  - cracking
  - discoli
draft: false
summary: 'n0sec analyzes the market for fraudulent giftcards, the history of the market, and the future of it. This includes the cracking of "Vanilla" giftcards, the phishing of hundreds of giftcard niches, and a small yet massively lucrative supply chain of buyers, sellers, and more.'
images:
layout: PostLayout
---

The Giftcard Schemes

Prepaid giftcard schemes are one of the most lucrative yet rarely covered schemes I've encountered. The goal of these schemes is ultimately to obtain giftcards, which are then sold on markets for about 50% of the value of the card. This is done primarily in two ways: cracking and phishing. From my research, giftcards have been phished via SEO results and Google Ads since about 2017. The cracking of giftcards appears to be much more recent, likely starting in early 2020.

The phishing & cracking scene for these giftcards has, in my experience, been very tight-knit, with everyone knowing everyone else, and many of the key players communicate with one another centrally in Telegram group chats. There is very little forum talk about these giftcards, because many forums ban discussion of these giftcard schemes. Notably, OGUsers.com has had its fair share of problems with prepaid giftcard schemes and has banned them from the site completely.

To analyze the prepaid schemes, I will begin at the traceable origins.

The "Beginning" of Prepaid Gift

The traceable history of prepaid gift card schemes begins with VanillaGift. In my research, I found people spreading these phishing campaigns by creating blackhat Google Ad campaigns targeting 'VanillaGift' and 'OneVanilla' as search terms, and at the time Google did little to counteract them; by my estimate, it wasn't until roughly 6-12 months after the big initial waves of campaigns that Google reacted. The method for creating malicious ad campaigns was sold on Hackforums.net to only about 10 people, to keep the method unsaturated. This information comes from an early phisher in the prepaid giftcard phishing community, so it is possible that a small community phishing these giftcards via Google Ads existed beforehand.

The phishing of prepaid giftcards was initially simple; there was hardly any cloaking of the ads. The phishers merely cloned the website they wanted to phish and hosted an ad. Users would visit, enter their card information and press submit, only to be redirected to the real website, where the victim could check their giftcard legitimately. This was to avoid raising suspicion in the consumer; the phishers hope the victim will just assume it was a glitch. Cloaking is a way to hide a phishing domain's intent from the Google Ads employees who review domains and from the spiders meant to detect phishing websites. The cloaking software detects the web spider and uses anti-bot mechanisms to show it a whitehat website, sometimes a WooCommerce shop that the phishers set up to fool Google. A very common 'front', the cloaked version of the website, was vanilla cakes, so that the Google Ad keyword aligned with what the website sells.

Sales at this time were also manual, so sellers had designated card resellers, who would sell on forums and in Discord and Telegram communities. Nowadays the scene is a bit different, with most cards being sold through automated bots. These prepaid cards are typically referred to as 'stonk' or 'stock', and the bots that sell the cards are sometimes referred to as 'boats'. It is also worth noting that the methods by which the fraudsters obtain the cards are frequently referred to as 'remos' amongst them, somewhat of an allusion to the SIM swapping scene. 'Remos', in this context, is just a word for methods that the community enjoys saying jokingly.

It appears that the initial phishing sites worked on both computers and mobile phones, which is no longer true. To evade Google Ads crawlers, the phishing pages currently hosted to phish prepaid giftcards are mobile-only for cloaking reasons. It is harder for Google to detect the phishing page, as most web crawlers use a desktop-based web browser. Cloakers weren't even used in the beginning of OneVanilla / VanillaGift phishing. Google Ads had dealt with abusers for years, but this was a new wave of phishing campaigns that, to my knowledge, they had not had to react to yet. The initial phishers were a small group, competing with each other to get the most visitors to their domain and so maximize the number of cards phished.

The Original Malicious Google Ads For Prepaids

In the beginning, ads were short-lived. While Google Ads had been abused for years, long before prepaid gift phishing, the fraudsters phishing at the time weren't yet experts at running Google Ads, unlike other groups abusing Google Ads, such as gambling providers (it is against Google's ToS to advertise gambling websites). The phishers didn't know how to actually pay for their Google Ads, or didn't want to, and so had to make new campaigns every week. The phishers would link a 'VBA' (virtual bank account) with no balance, as they had no way to put money into the bank account, a step often referred to as 'loading'. The phishers needed a way to put money, in Bitcoin for anonymity, into a virtual bank account or virtual credit card, to keep their ads alive for longer. Campaigns would last a week at high budgets, more specifically high 'bids' (high cost-per-click, to incentivize Google to rank the ad high), and then Google would try to collect the money from the phisher's bank, but the account would be empty. A high budget on the advertisement was important so that the advertisement would show up for longer each day. It was also important for ranking above VanillaGift's actual website in the ad placement on Google, as the real website also runs ad campaigns under the same keywords as the phishers. This meant that every week the phishers needed a new domain, new hosting and a new VBA, then had to re-upload their site files, all on top of waiting for Google's manual approval of the advertisements. At this point in phishing, most people didn't know about Google Ads quality scores or the multivariate calculation that determines ad placement.

TomVincent, a card reseller and VBA seller, reselling phished giftcards on GameFlip.com

As time went on, likely in mid 2018, Google patched this bug that let phishers get a free week of ads at Google's expense. Around this time, more people began running ads, making advertising more competitive. Phishers now began launching small-scale attacks on each other if they had clashing keywords; for instance, two people both trying to phish the keyword "vanilla gift balance" would typically have problems with one another. Typically, people would try to sabotage each other's operations by reporting each other's ads to Google, the domain registrar and the hosting provider. On top of this, DDoS attacks would be launched and some fraudclicking would occur. Fraudclicking is the act of automatically clicking a Google ad, finding it by keyword on Google just as an actual user would, but thousands of times, to waste the phisher's budget. This proved to be effective and still happens to this day through fraudclicking services, such as those on Hackforums.net.

This is a fraudclick service. It 'exhausts' the budget of the competitor, meaning that it clicks their ads so much that they can't advertise until the next day, as every ad runs on a daily budget that cannot be exceeded. The goal of a modern, successful malicious Google Ads campaign is to get as high a budget as possible, so that the ad has the maximum amount of uptime.

Wars waged on amongst competitors in the space. People would even take somewhat formal business approaches, such as developing alliances with each other and promising not to fraudclick or DDoS each other's advertisements. As time went on, more and more people started filling the space, saturating the market severely. Only then did Google Ads begin to detect fraudulent ads, and people began integrating cloakers to prevent Google Ads from detecting their ads. Cloaking services typically try to detect whether the visitor to the phishing domain is an automated web crawler (an online bot that search engines use to index websites, including ads), and redirect those visitors to a whitehat page, like a fake coffee shop on the same domain. Cloakers have other scopes too: geolocation detection, anti-bot detection, and IP analysis to determine whether the IP is a "bad IP", such as one outside the scope of the phishing operation (an Indian IP visiting an American gift card site). There are even separate anti-bot services, like AntiBot, built purely to keep Google Ads from flagging these phishing pages. To be clear, the reason services like these exist is to prevent search engine crawlers from detecting the malicious intent of the page, as search engine crawlers could index the page, realize it's a phishing attempt, and then suspend the Google Ads account associated with the domain. Part of this cloaking was that only mobile visitors could see the phishing page, to further prevent the crawlers from seeing it. This is especially useful during a Google Ads review, where a Google Ads employee reviews the ad, checking for malicious content. Reviews started happening much more often for this keyword due to the spike in phishing, and this has likely been Google's strongest way of preventing these particular campaigns.
I am under the impression that some ads don't cloak the page from a desktop user-agent, but I am uncertain whether I simply got lucky in my research on that point.

JustCloakit Cloaking Service. I believe it is also possible that these cloaking mechanisms can lower the amount of fraudclicks a phishing campaign may receive from competitors due to the anti-bot features in most cloakers.

In my research, I also found that it wasn't uncommon for people to build custom cloakers for their purposes. This is because the approach some cloaking services take is somewhat predictable to Google and can raise flags, making the ad more suspicious and more likely to be taken down.
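The cloaking described above has a simple defender-side tell: the same landing URL returns different content depending on who asks. The following detector is an added example (not code from the original post or from any of the services it names) of the comparison an ad reviewer or abuse team can run. It assumes the page has already been fetched once per User-Agent family; the three HTML bodies are constructed samples standing in for those fetches.

```python
"""Detect user-agent cloaking on an ad landing page.

Added example, not from the original post. An ad reviewer fetches the same
landing URL with several User-Agent strings (desktop browser, mobile
browser, search-engine crawler) and compares the bodies. The HTTP fetch is
left out; the three bodies below are constructed samples imitating what the
post describes: a 'vanilla cake' front for crawlers and desktops, and a
card balance form served only to mobile visitors.
"""
import difflib
import re

SAMPLE_RESPONSES = {
    "crawler": ("<html><title>Vanilla Cakes Bakery</title><body><h1>Vanilla Cakes</h1>"
                "<p>Order our famous vanilla sponge cake.</p></body></html>"),
    "desktop": ("<html><title>Vanilla Cakes Bakery</title><body><h1>Vanilla Cakes</h1>"
                "<p>Order our famous vanilla sponge cake.</p></body></html>"),
    "mobile": ("<html><title>Check Your Gift Card Balance</title><body>"
               "<form action='/submit' method='post'><input name='cardNumber'>"
               "<input name='expMonth'><input name='expYear'><input name='cvv'>"
               "<button>Check Balance</button></form></body></html>"),
}

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
INPUT_NAME_RE = re.compile(r"<input[^>]*\bname=['\"]([^'\"]+)", re.IGNORECASE)
# Field names a card-harvesting form typically asks for.
SENSITIVE_FIELD_RE = re.compile(r"card|pan|cvv|cvc|csc|exp", re.IGNORECASE)


def page_features(html):
    """Summarise the parts of a page that matter for a cloaking decision."""
    title = TITLE_RE.search(html)
    fields = INPUT_NAME_RE.findall(html)
    return {
        "title": title.group(1).strip() if title else "",
        "has_form": "<form" in html.lower(),
        "sensitive_fields": sorted(f for f in fields if SENSITIVE_FIELD_RE.search(f)),
    }


def content_similarity(a, b):
    """Similarity of two bodies in 0.0..1.0 (difflib ratio over the raw HTML)."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def detect_cloaking(responses, baseline="crawler", min_similarity=0.6):
    """Compare every agent's fetch against the crawler's view of the page.

    An agent's view is suspicious when it is dissimilar to the baseline AND
    introduces card-data fields the crawler never saw; the page is reported
    as cloaked if any agent is suspicious.
    """
    base_html = responses[baseline]
    base_fields = set(page_features(base_html)["sensitive_fields"])
    report = {"cloaked": False, "agents": {}}
    for agent, html in responses.items():
        if agent == baseline:
            continue
        feat = page_features(html)
        sim = content_similarity(base_html, html)
        new_fields = sorted(set(feat["sensitive_fields"]) - base_fields)
        suspicious = sim < min_similarity and bool(new_fields)
        report["agents"][agent] = {
            "similarity": round(sim, 2),
            "title": feat["title"],
            "new_sensitive_fields": new_fields,
            "suspicious": suspicious,
        }
        report["cloaked"] = report["cloaked"] or suspicious
    return report


if __name__ == "__main__":
    print(detect_cloaking(SAMPLE_RESPONSES))
```

Because the post notes that some campaigns cloak by geolocation and IP reputation as well, a real review should repeat the fetches from the campaign's target region and from a residential-looking address, not only with different User-Agent strings.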

Google Improves

The Google Ads system finally improved in what I estimate to be around 2019 or 2020. Google began heavily reviewing advertisements and their accounts, making it much harder to maintain an ad. Now you actually had to pay for the ad somehow, and you had to look legitimate to Google. This typically involves 'aged' accounts, accounts with previous campaigns, high-quality payment methods (which Russian accounts don't need), and consistent behavior on Google Ads. Phishers began scrambling to find aged Google Ads accounts, reaching out on forums. At this point there were two main approaches: buying an aged Google Ads account, or organically aging an account with a whitehat ad campaign before turning it to phishing. These ads were much more difficult to maintain and now required 'ad runners', people who obtain ad accounts and maintain the ads. This job has proven to be crucial to advertising and still is, as there is no campaign without ads. A common method for independently aging an account is to use services like click.ru, which aggregate search engine rankings and increase the chances of Google Ads approval. It is also worth noting that Russian and other foreign ad accounts are often advantageous compared with U.S. ones, despite the campaigns mainly targeting American or Canadian victims. This is because the ad rules tend to be less strict there due to jurisdiction, and just because the account is Russian doesn't mean that it can't run an American geo-targeted campaign.

But this hasn't stopped the prepaid bandits. They now just employ ad runners and purchase aged ad accounts. From my research, there is a plethora of ways in which ad accounts can be obtained. Some accounts are purchased from Genesis.Market, a shop for cookies and logins of infected users. People looking to sell ad accounts will buy infected machines with Google AdWords logins and attempt to secure the account. Some accounts are aged with whitehat campaigns using keywords like "vanilla cake" and a cloaked website until the ad's budget is high enough to be worth phishing on. To my understanding there are many techniques and inner workings of running the ads that are kept private within the community. Some concern how to maximize the 'quality score' of an ad, making it look good in Google's eyes and rank high in search. Some people are so familiar with Google Ads that they sell Google Ads 'remos' (methods, more or less), giving advice on how to maintain and grow a blackhat ad. I do not have access to these, but in an interview with an ad runner I was informed that these methods decrease your odds of being taken down by Google, and can help you get an ad approved in the first place.

Niches & Sales

Since the creation of prepaid phishing, the ad market has been competitive. As a result, people kept the premise of using Google Ads to phish giftcards but chose different franchises to phish. For instance, OneVanilla and VanillaGift were popular initially; people then moved on and began phishing MyPrepaidCenter. This is because such niches are less saturated within the community, decreasing the competition to show up at the top of Google's search results, and additionally they could potentially fly under Google's radar more easily. It is reasonable to assume that after about 50 ads Google figured out how OneVanilla phishing was being operated, but a new 'niche' may be harder to catch on to. Another reason to move is that once these fraudulent cards have been phished and used by fraudsters enough, companies begin restricting the 'BIN'. The BIN is the identifying first 6 digits of a card, which identify the company that distributes the card. The companies that accept the card, such as DoorDash, begin restricting the BIN due to a high rate of chargebacks: the fraudster uses the card on DoorDash, the victim who was phished reports the card as hacked, and the card distributor charges back the funds used by the fraudster.
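The BIN restriction described above is a decision a merchant can make from its own dispute data. Below is an added example (not code from the post, DoorDash, or any card distributor) of a per-BIN chargeback-rate check; the BINs and transactions are constructed placeholders, and the thresholds are assumptions.

```python
"""Flag card BINs with an abnormal chargeback rate.

Added example, not from the original post. The BIN (first six digits of the
card number) identifies the issuing programme, so a merchant can watch the
chargeback rate per BIN and restrict a BIN once enough disputes pile up.
The transactions and BINs below are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    pan_prefix: str      # only the first six digits are ever stored here
    amount_usd: float
    charged_back: bool


def bin_of(pan: str) -> str:
    """Return the six-digit BIN of a PAN, tolerating spaces or dashes."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 6:
        raise ValueError("card number too short to carry a BIN")
    return digits[:6]


def chargeback_rates(txns):
    """Per-BIN (transaction count, chargeback count, rate)."""
    counts = defaultdict(lambda: [0, 0])
    for t in txns:
        b = bin_of(t.pan_prefix)
        counts[b][0] += 1
        counts[b][1] += int(t.charged_back)
    return {b: (n, cb, cb / n) for b, (n, cb) in counts.items()}


def classify_bins(txns, max_rate=0.05, min_txns=20):
    """Split BINs into 'restrict', 'watch' and 'ok'.

    A BIN is restricted only when it has both a chargeback rate above
    max_rate and at least min_txns transactions; a high rate on a handful
    of transactions goes on 'watch' instead, because a few genuine
    disputes would otherwise block an entire card programme.
    """
    verdict = {"restrict": [], "watch": [], "ok": []}
    for b, (n, _cb, rate) in sorted(chargeback_rates(txns).items()):
        if rate > max_rate and n >= min_txns:
            verdict["restrict"].append(b)
        elif rate > max_rate:
            verdict["watch"].append(b)
        else:
            verdict["ok"].append(b)
    return verdict


def sample_transactions():
    """Constructed data: one programme being abused, one healthy, one too small to judge."""
    txns = []
    txns += [Transaction("400000", 50.0, i < 12) for i in range(30)]   # 40% disputed
    txns += [Transaction("411111", 25.0, i < 1) for i in range(50)]    # 2% disputed
    txns += [Transaction("511111", 100.0, i < 3) for i in range(5)]    # 60%, but only 5 txns
    return txns


if __name__ == "__main__":
    print(classify_bins(sample_transactions()))
```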

A list of BINs with their associated distributors, made within their community.

Not all BINs are equal, to my understanding. Some BINs are more usable due to features like 'tokenization' (being able to add the card to Apple Pay) and not being geo-restricted (restricted in area of use). High-demand BINs tend to support high balances ($100-$1,000+) and are sold quickly and to private buyers. While many general sales happen through autosale bots in the community on Telegram, some phishers delegate all sales of certain BINs to people who will buy consistently. If you have a consistent consumer, it is often easiest to just obtain the cards and sell them to that consumer, as you can both trust them and rely on them to buy more cards.

Sales of these cards are conducted in two ways: privately to consistent buyers, and through automated Telegram sales bots such as "Lana's Stock Bot" and Rain's "Prepaid Bot". Before these, there were other bots such as Olympian Stock Bot. Along with these sales bots came cashout bots, which are what amplified the prepaid fraud scene significantly.

Cashout Bots (Discoli, Chinese, and more.)

Cashout bots became popular in 2020 amongst the prepaid giftcard community. Users could buy access to the bot and input phished cards, whose balance the bot would then spend. A big concern when buying giftcards is that the card will decline, or that the card's balance will be spent by the actual owner before the fraudster manages to 'cashout' the card. Mahk's bot appeared to be the first, as he was a large supplier in the community in early 2020, but it was low quality. The cards would frequently decline, as PayPal would detect that the transaction was fraudulent. Eventually Mahk left the community and this bot ceased to exist, but it wasn't very popular anyway. People who purchased phished cards at the time were always looking for new methods to exchange the card's balance for Bitcoin (as Bitcoin allows for re-investment into the cards and is untraceable), so Mahk's bot wasn't too important regardless. Many methods at the time avoided PayPal, as PayPal's fraud detection was decent at the time and would frequently induce holds. This would all soon change.

Lana StockBot in live action.

Next after Mahk's bot came Discoli's bot. Discoli is probably the most famous person involved in the prepaid giftcard schemes, even having an article where Krebs discusses Discoli's hack of the OGUsers database here. Discoli's bot was invite-only and had an associated group, the "Disco Dogs", full of people cashing out cards using the Discoli bot. They even had a group on OGUsers, which was banned by head admin Omie; this came along with the ban of all discussion of prepaid sales on the site, as OGUsers at the time was further distancing itself from fraud. Discoli Bot was a massive hit and included exploits in PayPal to bypass security mechanisms, giving it a high 'success rate', meaning cards didn't decline nearly as often as when using cards manually. This made the fraud scene very efficient and attracted lots of attention from outsiders, as making money had become significantly easier with the bot. Competing bots arose, namely Chinese's Cashout Slave, which was short-lived and ended in a stunt where the owner pretended that he had been arrested so he could close the bot without the users being angry that they had lost their $150 deposit to use the bot. This bot was notably lower quality and lacked any exploits, but was still a step up from Mahk's. It was used mainly by people who weren't yet invited to Discoli's cashout bot.

Waded, a Banana Family group member in the fraud community. Banana Family includes phishing ad owners, runners, and more.

Discoli's bot gave rise to some other services as well. While the bot was very powerful, it required a PayPal account that could handle thousands of dollars of transactions without raising flags at PayPal, which means the receiving account had to be aged, which isn't common. Aged PayPals require time, effort, and some knowledge of proxies. The bot used PayPal features like invoices, friends-and-family payments and donations to funnel payments to one central PayPal account. The fraudster who owned the PayPal account was then left with the task of converting that PayPal balance to Bitcoin, typically using forum exchangers or sites that had this feature integrated (which are extremely rare to come by because of this type of fraud). Some fraudsters offered loading services using the bot: people could send their PayPal email and pay 65% of an amount, for example 65% of $300, to receive $300 in PayPal, with the funds put onto the account using Discoli's cashout bot at a cost to the fraudster of around 40-50% of the card's balance. After a while, sources say Discoli was raided by police, resulting in him closing the bot, moving countries, and mostly keeping a low profile. His spot would later be filled by bots like Trident & Lana's "Olympian Cashout Bot", paired with their "Olympian Stock Bot", which cashed out cards to Stripe accounts. This wasn't as popular, as the Stripe account had to be aged too, which was even harder than aging a PayPal, and such accounts were less commonly bought and sold on illicit forums. Obviously the manual cashout market remained, using any site that wouldn't block purchases under the phished BIN. The most recent bot in the community was particularly strong: it used the gambling site Hypedrop to deposit funds from the phished card, and the site allowed Bitcoin withdrawals, without PayPal as a middleman. This was ideal for fraudsters, but was patched quickly, after about one to two weeks of being automated.
Methods like these are rare; the most common method I found was using point-of-sale machines to cash out the cards, especially amongst foreigners, from my analysis.

Chinese "Slave" Cashout bot being used.

Disco "Slave" Cashout bot being used.

Olympian Cashout Bot

These are some sample screenshots of the popular cashout tools over the years. While the balances may seem low in these screenshots, old evidence indicates that millions of dollars were processed through bots like these and laundered through PayPal to be converted to Bitcoin by fraudsters.

Giftcard Cracking

On top of phishing, many fraudsters also actively partake in cracking. The most common niches I've observed this happening to are MyPrepaidCenter & Universal Giftcard Australia. It is worth keeping in mind that the main targeted regions for giftcards are the USA, CA and AU. These cracking operations typically involve finding the BIN of the card issuer, generating all the possible card numbers under it that conform to the Luhn algorithm, and then testing whether each is an active, existing card on the website. Many websites prevent this by blocking many requests from one IP and requiring a captcha, but the attackers have found a bypass for this. A prominent member of the previously active 'Wylin' group in the prepaid community had a FunCaptcha exploit that allowed people to crack cards without the delay of waiting for a captcha to be solved. It is unclear whether this exploit still works, but I do not believe it is still being sold. Exploits like these were used to crack hundreds of thousands of cards, and in an interview I was informed that over $2,000,000 of giftcards were obtained from cracking alone in the week after the first niche began being cracked.

To my understanding, an Australian giftcard website was the first to be cracked; it had no captcha and at most required proxy rotation to avoid being blocked for many requests from one IP. This website was the first to be cracked because once a valid card number was entered into its balance check, all the fraudster had to do was crack the expiration date. To my understanding, the CVV was shown to the user if the expiration date was guessed correctly. Most giftcards expire within 5-10 years, meaning there are typically only 50-100 possible expiration dates, which makes cracking not too hard. After this, other niches were cracked using the FunCaptcha exploit, but many of these niches remain unknown, as this is still a very new and active fraud market.

I am sadly only able to scratch the surface of this subject, as not even interviews with the most connected people in the community, or further research, can answer some of my more technical questions about cracking, due to how significant it is to fraudsters' income at the moment. It is integral that giftcard websites take proper precautions to protect users' information and properly secure their sites against the bruteforcing of card numbers and related cracking attempts.
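The two patterns described in this section (walking Luhn-valid numbers under a BIN, then guessing the expiry of any live number, often behind rotating proxies) both leave a distinctive trail in a balance-check endpoint's logs. The following detector is an added example, not code from the post or from any giftcard site; the log format is assumed, and the sample lines are constructed.

```python
"""Spot card-number enumeration and expiry brute force in balance-check logs.

Added example, not from the original post. The log format is an assumption:
one space-separated line per balance-check request, with the card number
already replaced by an opaque token by the logging layer so the log itself
never holds PANs.
"""
import re
from collections import defaultdict

# Constructed sample log (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
# 203.0.113.5 walks through thirty tokens and never finds a card (number enumeration);
# token tok_0042 receives two dozen expiry guesses from rotating IPs (expiry brute force);
# 198.51.100.9 is an ordinary customer checking one card twice.
SAMPLE_LOG = "\n".join(
    [f"2022-01-25T10:00:{i:02d} 203.0.113.5 pan=tok_{1000 + i:04d} exp=01/25 result=not_found"
     for i in range(30)]
    + [f"2022-01-25T10:01:{i:02d} 203.0.113.{10 + i} pan=tok_0042 "
       f"exp={1 + i % 12:02d}/{25 + i // 12} result=bad_expiry" for i in range(24)]
    + ["2022-01-25T10:02:00 198.51.100.9 pan=tok_0777 exp=09/26 result=ok",
       "2022-01-25T10:02:30 198.51.100.9 pan=tok_0777 exp=09/26 result=ok"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) pan=(?P<pan>\S+) exp=(?P<exp>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def enumerating_sources(events, min_attempts=20, min_distinct_pans=15, min_failure_rate=0.8):
    """IPs that try many different card tokens and almost never hit a real card.

    A real customer checks one or two cards; a cracker walking Luhn-valid
    numbers under a BIN produces a long run of distinct numbers that all
    fail, which is the signature looked for here.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "pans": set(), "failures": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["pans"].add(e["pan"])
        s["failures"] += int(e["result"] != "ok")
    return sorted(
        ip for ip, s in per_ip.items()
        if s["attempts"] >= min_attempts
        and len(s["pans"]) >= min_distinct_pans
        and s["failures"] / s["attempts"] >= min_failure_rate
    )


def expiry_bruteforce_targets(events, min_distinct_expiries=10):
    """Card tokens whose expiry date is being guessed.

    Keyed on the card, not the IP, so proxy rotation does not hide it: a
    legitimate holder mistypes an expiry once or twice, while a cracker who
    has found a live number cycles through every month/year combination.
    """
    per_pan = defaultdict(lambda: {"expiries": set(), "ips": set()})
    for e in events:
        if e["result"] == "bad_expiry":
            per_pan[e["pan"]]["expiries"].add(e["exp"])
            per_pan[e["pan"]]["ips"].add(e["ip"])
    return {
        pan: {"expiry_guesses": len(s["expiries"]), "source_ips": len(s["ips"])}
        for pan, s in per_pan.items() if len(s["expiries"]) >= min_distinct_expiries
    }


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("enumerating sources:", enumerating_sources(evts))
    print("expiry brute force:", expiry_bruteforce_targets(evts))
```

Since the post notes that only 50-100 expiry combinations exist, a site should lock a card after a handful of wrong expiries regardless of source IP, rather than relying on per-IP limits or a captcha alone.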

New, High Balance Cards

In the past, the highest gift card balance typically seen was $500. This was until the introduction of high-balance niches like MyPrepaidCenter, which is a subsidiary of Blackhawk Networks. MyPrepaidCenter is so lucrative because it has cards ranging up to the tens of thousands of dollars that can be cracked and phished, such as unemployment cards and employee benefit cards. Phishers and crackers are now targeting these more specific, narrow card types because, even though there are fewer card submissions overall, all the submissions are high balance and sell easily to regular consumers. This is also a rapidly developing scene whose longevity I am unsure of; all MyPrepaidCenter can do is fight back against the fraudsters with better fraud detection and Google persistently monitoring advertisements.

SEO Phishing

Some people in the giftcard phishing community have managed to phish giftcards through SEO rank alone. Some websites have low search engine placement; attackers realize this and try to take their spot in Google's results using similar domains and perfect clones of the actual website. This is typically done with malicious search engine tactics, but I am unsure of the specifics because of how uncommon it is.

Various Giftcard Phishing

Niches also aren't limited to just typical prepaid giftcards that translate to purely real-world cash. Some people are currently experimenting with phishing Walmart Giftcards & Target Giftcards in an attempt to seize an unsaturated market, as the amount of competition for some fraudsters is overwhelming. This too is somewhat of a relatively undeveloped scene, but in my research, I have found ads that successfully used keywords related to Walmart Giftcards to phish users. These ads connected back to some of the same people perpetrating the similar prepaid giftcard schemes mentioned in this article.

Fraud Amongst the fraudsters

In my research, a funny story I came across reminded me of the lack of honor amongst thieves. There are 'balance checkers' in the community, meant for bulk-checking the balance of 100+ phished giftcards at once, that steal cards from the phisher. The phisher submits the cards to be checked and receives accurate results, but the owner of the balance checker will then also attempt to sell or cash out the cards the phisher checked. The reputation of those bots is typically very low, but some people who aren't aware that the bot is a scam take a week to learn their lesson, when they realize their cards are losing balance soon after being checked, which normally wouldn't happen (consumer spending habits are very obvious when compared with how fraudsters cash out cards). Another form of 'fraud amongst the fraudsters' is when buyers insist on buying a card on the condition that it is 'PoS' (pay on success, not to be confused with point of sale, a cashout method), and then spend the card without paying the fraudster the agreed rate for the card's balance.

Alongside this, there are many threats within the communities and frequent doxxing. It is not uncommon to see someone become globally hated; from my observation, PVAZone, an aged Google Ads account merchant turned phisher, is the most infamously hated member of the community. Aside from him, Chinese is a frequent target of harassment, with his pictures and dox frequently posted in an attempt to bully him. It is a very competitive market, and being hated amongst the phishers could pose real-world danger.

Conclusion

I believe that prepaid giftcard fraud is one of the most prominent yet uncovered forms of fraud. Prepaid giftcard fraud is perpetrated via services like Google Ads and can be solved with better security on Google's side, but until then this will likely continue to be a problem.