
Meet the ‘Gift Cardsharks’ Behind the Massive Campaign Targeting Victims with Commercially Available Tools

Sophisticated, well-funded, and highly targeted cyber threat campaigns, many backed by adversarial foreign national governments, are targeting U.S. businesses like never before. RiskIQ researchers have just uncovered another such campaign, and it's a big one.

Widespread and well-orchestrated, this latest campaign uses commercially available marketing tools to launch phishing attacks against potentially hundreds of organizations, many of which deal with gift cards. This cyber threat group's activities initially surfaced when investigative journalist Brian Krebs reported on the breach of IT supplier Wipro on his website Krebs on Security, explaining how Wipro's IT systems were compromised and used to attack the company's customers. However, RiskIQ data pointed to this cyber attack being far from an isolated incident.

In our latest intelligence report, titled "Gift Cardsharks," RiskIQ shows how the campaign is, in reality, a far-ranging assault that extends well beyond the compromised infrastructure of Wipro and involves a long list of targets dating back to 2016. Although attribution cannot be confirmed, the group's numerous concurrent cyber attacks display hallmarks of state-sponsored activity, including specific infrastructure, impressive organization, and, likely, a financial motive.

Using our vast collection grid and unique external view of cyber threat actor operations, RiskIQ can piece together a more complete picture of this actor group and its cyber attack campaigns, tools, and possible motives. This report is by no means a comprehensive analysis, but it builds a detailed narrative of widely reported events.

Infrastructure overlap in PDNS, WHOIS, and SSL certificate data sets allowed RiskIQ to build out a more comprehensive understanding of actor-owned infrastructure, possible targets, and a timeline of the cyber attack campaigns. This report is an analysis of these campaigns, their operators, and their targets.

Report highlights include:

  • The group leveraged widely used email marketing and analytics tools to create effective email phishing campaigns and appear legitimate to targets' network security.
  • The group primarily targets major gift card retailers, distributors, and card processors.
  • With access to this gift card infrastructure, the attackers use money transfer services, clearinghouses, and other payment processing institutions to monetize.
  • One of the PowerShell scripts used by the group, BabySharkPro, is often associated with North Korean cyber threat activity. However, this may have been a false flag put in place to mislead researchers.

Download the report today for a full analysis, as well as a list of historical IOCs.
