
Gift-card and loyalty-point fraud: the bot attacks nobody talks about

Copyright: MIT

Ask a security engineer to name the bot attacks worth defending against and you will hear credential stuffing, scalping, scraping, maybe carding. Gift-card cracking rarely makes the list. Loyalty-point theft almost never does. Yet both run constantly, against endpoints that most companies never thought of as attack surface, and both end in money that nobody gets back.

The reason they stay quiet is structural. A drained gift card does not trigger a chargeback. A frequent-flyer account emptied of miles does not show up in card-network fraud statistics. The victim is a consumer holding plastic with no fraud rights, or a traveller who logs in one day to find the balance gone. The retailer or airline absorbs the reputational hit and rarely publishes numbers. So the attacks generate almost no public telemetry, which is exactly why a senior engineer building a defense has so little to work with. This post is an attempt to fill that gap with what is actually documented.

Here is the route. First, the anatomy of a gift-card balance-check endpoint and why it is a near-perfect target. Then GiftGhostBot, the one large campaign that got named and measured, and what its traffic shape tells you. After that, the OWASP taxonomy that classifies these attacks, because the names matter when you are mapping defenses. Then loyalty programs, where the cash-out chain is longer and the points behave like an unregulated currency. Finally, why the category is under-discussed, and what a defender can realistically do at the edge.

The balance-check endpoint is a free oracle

Start with the mechanism, because the attack falls out of it directly. Almost every retailer that sells gift cards also offers a way to check a card’s balance. You type the long card number, maybe a PIN or security code, and the page returns a dollar amount. That endpoint exists for a good reason. People lose track of what is left on a card and want to know before they reach the register.

The problem is that this is an oracle. Submit a candidate number, and the server tells you whether it corresponds to a real card and how much value it holds. There is no account to log into, frequently no rate limit worth the name, and on a lot of older implementations no CAPTCHA. The endpoint was built for a human checking one card, and it answers a machine checking a million the exact same way.

What makes the oracle exploitable is the structure of the card numbers themselves. If a merchant generates card numbers sequentially, or with any scheme where a future number can be derived from a past one, the search space collapses. An attacker buys a handful of physical cards from a store shelf, reads the printed numbers, and infers the pattern. F5’s writeup on the attack describes how reconnaissance against the numbering scheme can shrink an effective 16-digit space down to roughly 8 digits of real entropy. That is the difference between an impossible brute force and a trivially cheap one. Visa’s own guidance on enumeration attacks treats predictable numbering as the root enabler across the whole card-testing family, gift cards included.

[Figure: A balance-check page answers a machine exactly like a human. Sequential candidate cards (6011 4830 0001, 0002, 0003, 0004, ...) are submitted to /check-balance with no auth and no limit; verdicts: ...0001 → $0.00, ...0002 → $50.00, ...0003 → invalid, ...0004 → $25.00.]
*The endpoint returns a usable signal on every request. A non-zero balance is a hit; the attacker keeps it, the rest are discarded.*
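The numbering point above, as an added example that is not code from the post, F5 or Visa: a sequential issuer beside a CSPRNG issuer in the same 16-digit Luhn-valid format, plus the expected number of live cards an enumerator finds when the effective space is 8 digits versus 11. The 6011 prefix is borrowed from the figure and is illustrative only.

```python
"""Unguessable gift-card numbering, and the hit rate an oracle gives away.
Added example, not code from the post, F5 or Visa. It keeps the same 16-digit,
Luhn-valid format for both schemes, so the change is invisible at the register.
The 6011 prefix is taken from the figure above and is illustrative only.
"""
import secrets

PREFIX = "6011"   # illustrative issuer prefix
BODY_DIGITS = 11  # 4 prefix + 11 body + 1 Luhn check digit = 16 digits


def luhn_check_digit(partial):
    """Standard Luhn check digit for the digits that precede it."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # every second digit from the right of the full number
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def issue_sequential(last_issued):
    """Predictable scheme: the next card is the last one plus one. Reading a
    few cards off the shelf reveals the whole live range."""
    body = str(int(last_issued[len(PREFIX):-1]) + 1).zfill(BODY_DIGITS)
    return PREFIX + body + luhn_check_digit(PREFIX + body)


def issue_random():
    """Unguessable scheme: body drawn from a CSPRNG, check digit appended."""
    body = "".join(str(secrets.randbelow(10)) for _ in range(BODY_DIGITS))
    return PREFIX + body + luhn_check_digit(PREFIX + body)


def expected_hits(probes, issued_cards, entropy_digits):
    """Live cards an enumerator expects to find with `probes` balance checks
    when issued_cards are spread uniformly over 10**entropy_digits values."""
    return probes * issued_cards / 10 ** entropy_digits


if __name__ == "__main__":
    # F5's roughly 8 effective digits versus 11 random digits, one million
    # probes against one million issued cards: 10,000 live cards found vs 10.
    print(expected_hits(10**6, 10**6, 8), expected_hits(10**6, 10**6, 11))
    print(issue_random())
```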

Once a number returns a balance, the attacker owns spendable value. No password, no identity, no further compromise. They can buy goods directly, or list the card on a secondary marketplace. F5 names Raise.com as the kind of resale venue where cracked cards get laundered into clean money, because a buyer there has no way to know a card’s history. The value moves one step away from the crime and becomes very hard to claw back.

This is where the consumer-protection gap bites. A gift card is not a credit card. The fraud-liability rules that let you dispute an unauthorized charge do not apply to stored-value gift cards, which the Consumer Financial Protection Bureau’s prepaid rule explicitly carves out. A staff attorney at Consumers Union put it plainly: gift cards are not covered by the fraud laws that govern other plastic-card transactions. When a balance vanishes, the consumer eats the loss unless the retailer chooses to make them whole. Some do, usually after a journalist calls. Most do not. That single legal fact is why the attack is durable. The economic loss lands on someone with no leverage and no reporting channel, so it never enters the statistics that would make anyone prioritize a fix.

GiftGhostBot, the one campaign that got measured

For an attack this common, there is shockingly little named, dated, quantified public record. The exception is GiftGhostBot, and it is worth walking through in detail because it is close to the only large gift-card-cracking campaign with real numbers attached.

Distil Networks, later absorbed into Imperva, first detected the campaign on 26 February 2017. It ran against nearly 1,000 customer websites worldwide. On at least one retailer the traffic peaked at over 4 million requests per hour, roughly ten times that site’s normal volume. The campaign peaked on 8 March and dropped off again around 13 March. Those dates and figures come straight from Distil’s own writeup, and they are about as precise a picture as the public has of any campaign in this category.

The distribution numbers are the interesting part for a defender. Distil reported the bot rotating through an average of 6,400 unique device fingerprints per hour, 6,500 user agents per hour, and 29,000 IP addresses per hour. Read those together. The attacker was not hammering from one box. It was spreading the same logical attack across tens of thousands of network identities and thousands of synthetic browser identities every hour, specifically to defeat per-IP and per-fingerprint rate limits. Each individual identity stayed under the threshold that a naive counter would flag. The aggregate was an order-of-magnitude traffic spike that only showed up if you were looking at the endpoint as a whole rather than at any single client.

[Figure: GiftGhostBot, Feb–Mar 2017. Timeline: Feb 26 detected; Mar 8 peak, 4M req/hr; Mar 13 drops off. Rotated per hour, to stay under per-identity limits: 29,000 IP addresses, 6,500 user agents, 6,400 device fingerprints.]
*The figures are hourly averages reported by Distil. The point is not any one number; it is that the attack was built to spread thinly across identities so no single counter would trip.*

The campaign also adapted. Distil described the bot cycling through several attack profiles. As defenses knocked out the earlier ones, the operator switched to iPhone and Android profiles routed through mobile ISPs, which raised the per-request cost roughly fivefold but bought traffic that looked like ordinary phone users and was far harder to filter on network reputation alone. That is the arms-race shape you see across every mature bot category. The defender raises the cost; the attacker pays it if the value on the other side justifies it. With stored-value cards sitting at the far end, often it did.

Distil’s recommended defenses were the obvious first layer: put a CAPTCHA on the balance-check page, rate-limit gift-card requests, and watch for the traffic anomaly at the endpoint level. Those help, but the rotation numbers above show why they are not sufficient on their own. A per-IP limit means little against 29,000 IPs an hour. A device-fingerprint counter means little against 6,400 fingerprints an hour. This is the same problem that makes credential stuffing hard, and the same family of distributed, low-and-slow techniques that modern anti-bot vendors are built to catch. If you want the deeper version of how those vendors reason about a distributed, identity-rotating campaign, the DataDome detection model post covers the first-request signal collection in detail.
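The endpoint-as-a-whole view described above, as an added example (not code from the post, Distil or Imperva): constructed log records for one hour are run through a naive per-IP counter, which a rotating attacker stays under, and through an endpoint-level detector keyed on the route, which sees the aggregate spike and the invalid-verdict ratio no population of real cardholders produces. Thresholds are assumptions.

```python
"""Endpoint-level detection for a gift-card balance-check oracle.
Added example (not code from the post, Distil or Imperva). Constructed log
records are run through a naive per-IP counter, which identity rotation
defeats, and an endpoint-wide detector keyed on the route, which it does not.
"""
from collections import Counter

PER_IP_LIMIT = 20        # assumption: a typical per-client hourly cap
BASELINE_PER_HOUR = 400  # assumption: the route's normal hourly volume
SPIKE_FACTOR = 10        # Distil reported roughly 10x baseline at the peak
INVALID_RATIO_MAX = 0.5  # assumption: genuine cardholders mostly hold real cards

def build_log(n_ips, per_ip, invalid_share, hour="2017-03-08T14"):
    """Constructed traffic: n_ips clients each send per_ip requests to
    /check-balance within one hour; invalid_share of verdicts are 'invalid'."""
    records = []
    for i in range(n_ips):
        ip = f"10.{i // 65536 % 256}.{i // 256 % 256}.{i % 256}"
        for j in range(per_ip):
            invalid = (i * per_ip + j) % 100 < invalid_share * 100
            records.append({"ts": hour, "ip": ip, "path": "/check-balance",
                            "verdict": "invalid" if invalid else "balance"})
    return records

def per_ip_alerts(records, limit=PER_IP_LIMIT):
    """Naive detector: flag any single IP above `limit` requests in an hour."""
    counts = Counter((r["ts"], r["ip"]) for r in records
                     if r["path"] == "/check-balance")
    return sorted(ip for (_, ip), c in counts.items() if c > limit)

def endpoint_alerts(records, baseline=BASELINE_PER_HOUR, factor=SPIKE_FACTOR,
                    invalid_max=INVALID_RATIO_MAX):
    """Endpoint-wide detector: flags an hour on route volume above factor x
    baseline, or on an invalid-verdict share that real cardholders never
    produce. Client identity is reported, never used as the key."""
    by_hour = {}
    for r in records:
        if r["path"] != "/check-balance":
            continue
        h = by_hour.setdefault(r["ts"], {"total": 0, "invalid": 0, "ips": set()})
        h["total"] += 1
        h["invalid"] += int(r["verdict"] == "invalid")
        h["ips"].add(r["ip"])
    alerts = {}
    for ts, h in by_hour.items():
        ratio = h["invalid"] / h["total"]
        reasons = []
        if h["total"] > baseline * factor:
            reasons.append(f"volume {h['total']} exceeds {factor}x baseline")
        if ratio > invalid_max:
            reasons.append(f"invalid-verdict ratio {ratio:.2f}")
        if reasons:
            alerts[ts] = {"distinct_ips": len(h["ips"]), "reasons": reasons}
    return alerts

if __name__ == "__main__":
    # Rotation in miniature: 2,900 IPs x 10 requests, all under the per-IP cap
    log = build_log(n_ips=2900, per_ip=10, invalid_share=0.9)
    print("per-IP alerts:", per_ip_alerts(log))
    print("endpoint alerts:", endpoint_alerts(log))
```

The same ratio signal also catches a small, slow campaign that never approaches the volume threshold, which is the version of this attack the post says goes unreported.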

One detail about GiftGhostBot that gets lost in the retellings: the campaign was loud. Four million requests an hour, ten times baseline, is not a stealthy operation. It got caught and named precisely because it was big and fast. The quieter version of this attack, a few thousand requests a day spread across a residential proxy pool, generates no headline and no writeup. That is the version running right now against endpoints that never made the news, and it is the reason the public record is so thin. We have one well-measured campaign and a long invisible tail.

The taxonomy: token cracking, not card cracking

The names matter when you are mapping a defense to a control, so it is worth being precise about where gift-card attacks sit in the OWASP Automated Threats to Web Applications catalog. People reach for the phrase “card cracking” and assume OAT-010. That is the wrong box.

OAT-010 Card Cracking, in OWASP’s own words, is about identifying missing start and expiry dates and security codes for stolen payment card data. It targets the PAN-plus-CVV problem on real credit and debit cards. Gift-card balance enumeration is a different threat. OWASP classifies it under OAT-002 Token Cracking, summarized as the mass enumeration of coupon numbers, voucher codes, discount tokens, and so on. The catalog lists gift-card enumeration explicitly among token cracking’s aliases, alongside coupon guessing and voucher enumeration. The distinguishing idea is that a token grants some benefit inside the application, whether a cash alternative, a non-cash credit, a discount, or access to a limited offer. A gift card is exactly that: a token that resolves to a balance.

[Figure: Where these attacks sit in the OWASP OAT catalog. OAT-002 Token Cracking (gift-card / voucher enumeration) and OAT-007 Credential Cracking (loyalty account takeover) both feed OAT-012 Cashing Out (spend, resell, or move to a mule).]
*Two entry threats feed one exit. Token cracking finds value on cards; credential cracking finds value in accounts. Both converge on cashing out.*

That precision is not pedantry. It changes the control you reach for. OAT-010 lives next to payment processing and gets help from issuer-side velocity checks and 3-D Secure. OAT-002 lives on a public, often unauthenticated marketing or support page that the payments team may not even consider in scope. Different owner, different telemetry, different fix. Calling it card cracking can send the defense to the wrong team.

The exit threat for both gift cards and loyalty points is OAT-012 Cashing Out, defined by OWASP as buying goods or obtaining cash using validated stolen payment-card or account data, frequently routing goods through a reshipper to obscure the trail. Token cracking finds the value. Cashing out extracts it. In between, for the loyalty side, sits OAT-007 Credential Cracking, the brute-force and stuffing of login credentials that opens the account in the first place. Keeping the chain straight (find the value, then move the value) is what lets you reason about where to interrupt it. Sometimes the cheapest place to break the chain is not the enumeration step at all but the cash-out step, where the goods have to ship somewhere physical.

Loyalty points: an unregulated currency with a soft login

Loyalty points are a stranger target than gift cards, and a more lucrative one. The reason is that points are money the issuer printed itself, sitting in an account protected by nothing more than an email and a password.

Start with the scale. The float in airline frequent-flyer programs alone runs into the tens of billions of dollars of redeemable value, and reporting around airline programs has put the figure in the same range as the carriers’ core operations. Industry estimates put loyalty fraud losses across travel and hospitality at over a billion dollars a year. Group-IB documented a 30 percent rise in airline loyalty-fraud cases in 2022 over 2021, touching more than 75 airlines, and a separate body of reporting cited a 166 percent surge in bot attacks on airline sites across 2022 and 2023, with airline account-takeover fraud up 30 to 40 percent in the same window. The numbers vary by source and should be read as directional, but every source points the same way: up and to the right.

The login is the weak joint. Loyalty accounts overwhelmingly authenticate with a plain email-and-password pair. Multi-factor authentication is rare, passkeys rarer still. That makes the account a textbook target for credential stuffing: an attacker takes a list of email-password pairs leaked from some unrelated breach and replays them against the loyalty login, betting on password reuse. A meaningful fraction of accounts open. The compounding factor specific to loyalty is dormancy. A large share of loyalty accounts sit inactive for long stretches, and reporting in this area has put the inactive-or-infrequent share near 45 percent. A dormant account is the ideal victim. The points keep accruing, nobody is watching the balance, and the takeover can sit undetected until the moment of cash-out.

[Figure: The loyalty cash-out chain. Stuff creds (leaked email:pass) → take over dormant account → convert points to goods → launder via mule / resale. Once points become goods or move to a mule account, the trail to the original theft goes cold.]
*The bot does the first three steps at volume. The last step is what makes the loss permanent, because redeemed points are nearly impossible to trace.*

Cash-out is where loyalty diverges from gift cards and gets interesting. Points are not directly spendable as cash, so the attacker has to convert. The common routes, documented by fraud-prevention vendors and threat intel teams, run through transferring points to a mule account, redeeming them for gift cards or merchandise, booking discounted travel for resale, or pushing value through a partner program where the points become goods one hop removed from the airline. Group-IB’s investigation showed flights resold at steep discounts, on the order of 60 percent off, funded by stolen miles. Once that conversion happens the points are effectively laundered. Redeemed points are notoriously hard to trace, and the moment value crosses into goods or a partner’s books, the path back to the original account theft goes cold. The same darkweb marketplaces that move stolen cards also move loyalty accounts wholesale; breached hotel and airline account lists, sometimes in the hundreds of thousands of records, circulate the same way leaked password dumps do.

There is a second loyalty vector worth naming because it does not involve breaking into anyone’s account: customer-service social engineering. Group-IB documented operations that stand up fake call centers with US-format numbers, seed them across social platforms and counterfeit airline pages, and wait for victims to call in. From there the operators harvest credentials and card data directly, sometimes attempting to install a remote-access trojan on the victim’s machine. That is not a bot attack in the request-flooding sense, but it feeds the same monetization pipeline, and it shows how the value sitting in a loyalty account pulls in attack techniques from well outside the web layer.

On the defensive side, the loyalty problem looks a lot like account-takeover defense generally, because that is what it is. The signals that flag a stuffed login, an impossible-travel location change, a sudden burst of redemption activity, a device that has never touched the account before, are the same ones covered in the account-takeover detection post. What loyalty adds is a redemption-side check: even a legitimately authenticated session should not be able to drain a long-dormant balance into gift cards in one sitting without tripping something. The cold-start nature of dormant accounts is exactly what makes the behavioral baseline hard, which is the same difficulty discussed in the behavioral biometrics cold-start writeup. With no recent legitimate activity to compare against, the system has no normal to deviate from.
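The redemption-side check described above, as an added example that is not code from the post or from any loyalty program: a hold decision that fires even for a correctly authenticated session when a long-dormant balance is drained in one sitting, summing redemptions inside the window so a drain split across requests does not slip through. The dormancy period, window, share and the cash-like rule for active accounts are all assumptions.

```python
"""Redemption-side hold for dormant loyalty accounts.
Added example, not code from the post or from any loyalty program. A correctly
authenticated session is still held for review when a long-dormant balance is
drained in one sitting; all thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=180)    # assumption: 6 months without member activity
WINDOW = timedelta(hours=24)           # assumption: what counts as "one sitting"
DRAIN_SHARE = 0.5                      # assumption: more than half the balance out
CASH_LIKE = {"gift_card", "transfer"}  # redemption types that launder fastest

@dataclass
class Account:
    balance: int                    # points on hand before the new redemption
    last_member_activity: datetime  # last login or redemption by the member;
                                    # passive accrual keeps dormant accounts growing
    redemptions: list = field(default_factory=list)  # (time, kind, points)

def assess_redemption(acct, when, kind, points):
    """Return (hold, reasons). Redemptions inside WINDOW are summed so that
    splitting a drain across several requests does not evade the check.
    Reason 1: a dormant account losing more than DRAIN_SHARE of its balance.
    Reason 2 (assumed policy): any account moving more than DRAIN_SHARE into
    cash-like redemptions, dormant or not."""
    recent = [(k, p) for (t, k, p) in acct.redemptions if when - t <= WINDOW]
    recent.append((kind, points))
    base = acct.balance + sum(p for _, p in recent[:-1])  # balance when window opened
    out_total = sum(p for _, p in recent)
    out_cash = sum(p for k, p in recent if k in CASH_LIKE)
    idle = when - acct.last_member_activity
    reasons = []
    if base > 0 and idle >= DORMANT_AFTER and out_total / base > DRAIN_SHARE:
        reasons.append(f"dormant {idle.days}d, {out_total}/{base} points out in 24h")
    if base > 0 and out_cash / base > DRAIN_SHARE:
        reasons.append(f"{out_cash}/{base} points to cash-like redemptions")
    return bool(reasons), reasons

def demo_cases():
    """Constructed scenarios: a dormant drain into gift cards, a small dormant
    spend, an active member's large booking, and a drain split in two."""
    now = datetime(2024, 6, 1, 10, 0)
    dormant = Account(80_000, datetime(2023, 9, 1))
    active = Account(80_000, now - timedelta(days=3))
    split = Account(50_000, datetime(2023, 9, 1),
                    [(now - timedelta(hours=2), "gift_card", 30_000)])
    return [assess_redemption(dormant, now, "gift_card", 60_000),  # hold
            assess_redemption(dormant, now, "flight", 5_000),      # allow
            assess_redemption(active, now, "flight", 60_000),      # allow
            assess_redemption(split, now, "gift_card", 15_000)]    # hold

if __name__ == "__main__":
    for hold, reasons in demo_cases():
        print("HOLD" if hold else "allow", reasons)
```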

Why nobody talks about it

Pull the threads together and the silence has a clear explanation. It is not that the attacks are rare. It is that almost nothing about them produces a public number.

A drained gift card generates no chargeback, so it never enters card-network fraud reporting. The CFPB prepaid rule keeps gift cards outside the dispute framework, so there is no regulator collecting incident data the way there is for unauthorized card charges. The consumer who loses the balance has no fraud-reporting channel that leads anywhere, and the retailer who absorbs the loss has every incentive to keep quiet about a balance-check page being abused. Loyalty fraud is worse on this axis: the loss is denominated in points, a currency the issuer invented, so it does not even map cleanly to a dollar figure on anyone’s books until a redemption forces the issue. Airlines and hotels treat loyalty-fraud numbers as commercially sensitive and rarely publish them.

The result is an attack category that runs at scale with almost no public telemetry. GiftGhostBot is the exception that proves it. We remember it because it was loud, fast, named by a vendor with a product to demonstrate, and measured. The quiet, distributed, residential-proxy version of the same attack is the norm, and it leaves no headline. Compare that to scalper bots, where a sold-out concert is visible to everyone and the press writes itself, or to a layer-7 DDoS that takes a site down in front of customers. Gift-card cracking takes value without taking the site down. The page stays up, returns balances, and quietly serves an attacker. Nobody outside the security team ever sees it.

There is a defensive lesson buried in the silence. Because the attack hides inside legitimate-looking endpoint traffic, the per-IP and per-fingerprint counters that catch crude bots are the wrong tool, as GiftGhostBot’s 29,000-IPs-an-hour rotation showed. The endpoints that need watching are the ones nobody classified as sensitive: the balance checker, the coupon-validation form, the points-redemption flow. They have no login, so they fall outside account-security monitoring. They handle no card payment, so they fall outside payments monitoring. They sit in a blind spot between two teams, which is exactly why they get attacked. A defender’s most useful move is unglamorous: inventory every endpoint that resolves an opaque code to a stored value, and treat each one as the oracle it is.

What the silence costs

The honest summary is that the data here is thinner than the problem deserves. One well-documented campaign from 2017, a scattering of vendor writeups with directional figures, an OWASP taxonomy that names the threats cleanly, and a large dark space where the actual ongoing volume lives. That space is not empty. It is unreported.

The structural cause is worth sitting with, because it will not fix itself. Fraud gets attention in proportion to how loudly it complains, and these attacks were engineered, accidentally or not, to land on the parties least able to complain. A consumer with a worthless gift card and no chargeback. A traveller whose miles evaporated from a dormant account. A retailer absorbing a loss it would rather not advertise. None of them files into a system that aggregates the damage into a number an executive will act on. So the gift-card balance page keeps answering a million queries a day, the loyalty login keeps accepting stuffed credentials, and the only people with a clear picture of the volume are the attackers and, occasionally, the vendor watching the endpoint. When the public record of an attack category is one campaign from eight years ago, that is not a sign the category is small. It is a sign nobody is counting.
