EXECUTIVE SUMMARY
Researchers have uncovered a large-scale scam operation involving 276 auto-generated domains designed to lure users into fraudulent gift card offers. The campaign primarily targets individuals seeking free or discounted gift cards for platforms like Google Play, Amazon, and Roblox. These domains follow structured naming patterns, creating a façade of legitimacy while redirecting victims to deceptive landing pages. Once users arrive at these sites, they are prompted to perform various tasks, such as signing up for services via affiliate links, downloading browser extensions, or submitting personal details. The scam’s infrastructure relies on a centralized set of nameservers and a single IP address, indicating a well-organized operation. The extensive use of redirection chains further complicates tracking efforts, making it challenging for victims to identify the source of the scam.
The analysis reveals that all 276 domains in the campaign resolve to the same IP address and are controlled through a centralized system. Attackers employ a Traffic Distribution System (TDS) to funnel users through intermediary domains before landing them on deceptive reward sites. The redirection process typically follows a pattern where users initially visit a seemingly legitimate promotional page, before being routed through TDS domains. This final redirection lands victims on scam websites, where they are encouraged to complete misleading tasks. These tasks, including form submissions and software downloads, enable attackers to harvest personal data and generate affiliate revenue. The complexity of the redirection chain not only obfuscates the scam’s origins but also allows attackers to adapt and modify their techniques dynamically.
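The two infrastructure traits described above (templated domain names that all share one IP and one nameserver set, and multi-hop TDS redirection before the reward page) are exactly what a defender pivots on. The following Python script is an added example written for this summary; it is not code from the researchers or from the referenced report. The passive-DNS records, nameserver names, IP addresses and redirect map are constructed placeholders (RFC 5737 / `.example` values), not indicators from the campaign. It clusters domains by shared (IP, nameserver) infrastructure, flags clusters where several members follow a template naming pattern, and traces a redirect chain offline from a `Location` map, stopping on loops and a hop limit.

```python
"""Infrastructure pivoting and redirect-chain tracing for a gift-card scam cluster.

Added example: the data below is constructed for illustration only.
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed passive-DNS style records: (domain, resolved_ip, nameservers).
# Placeholder values, not the campaign's real indicators.
SAMPLE_RECORDS: List[Tuple[str, str, Tuple[str, ...]]] = [
    ("free-googleplay-giftcard.example", "203.0.113.10", ("ns1.scam-ns.example", "ns2.scam-ns.example")),
    ("free-amazon-giftcard.example", "203.0.113.10", ("ns2.scam-ns.example", "ns1.scam-ns.example")),
    ("free-roblox-giftcard.example", "203.0.113.10", ("ns1.scam-ns.example", "ns2.scam-ns.example")),
    ("tds-hop-one.example", "203.0.113.10", ("ns1.scam-ns.example", "ns2.scam-ns.example")),
    ("shop.legit-retailer.example", "198.51.100.7", ("ns1.cloud-dns.example", "ns2.cloud-dns.example")),
]

# Constructed redirect map: URL -> the Location header it answers with (302).
# Offline stand-in for what a HEAD request with redirects disabled would return.
SAMPLE_REDIRECTS: Dict[str, str] = {
    "https://free-googleplay-giftcard.example/promo": "https://tds-hop-one.example/go?c=1",
    "https://tds-hop-one.example/go?c=1": "https://tds-hop-two.example/r",
    "https://tds-hop-two.example/r": "https://rewards-landing.example/claim",
}

# Hypothetical template pattern for auto-generated "free-<brand>-giftcard" hosts.
NAMING_PATTERN = re.compile(r"^free-[a-z]+-giftcard\.")


def cluster_by_infrastructure(records):
    """Group domains by the (IP, sorted nameserver set) they share."""
    clusters = defaultdict(list)
    for domain, ip, nameservers in records:
        key = (ip, tuple(sorted(nameservers)))  # order-insensitive NS set
        clusters[key].append(domain)
    return dict(clusters)


def flag_suspicious_clusters(records, min_templated=3):
    """Return clusters whose members include >= min_templated template-named domains.

    A single shared IP/NS pair is weak evidence on its own (shared hosting is
    common); combining it with a naming template is the stronger signal.
    """
    flagged = []
    for key, domains in cluster_by_infrastructure(records).items():
        templated = [d for d in domains if NAMING_PATTERN.match(d)]
        if len(templated) >= min_templated:
            flagged.append((key, sorted(domains)))
    return flagged


def trace_redirect_chain(start_url, redirect_map, max_hops=10):
    """Follow 302 hops through redirect_map and return the full chain of URLs.

    Raises ValueError on a redirect loop or when max_hops is exceeded, both of
    which are common TDS behaviours when the visitor does not match a target
    profile.
    """
    chain = [start_url]
    seen = {start_url}
    current = start_url
    while current in redirect_map:
        nxt = redirect_map[current]
        if nxt in seen:
            raise ValueError(f"redirect loop at {nxt}")
        if len(chain) >= max_hops:
            raise ValueError("hop limit exceeded")
        chain.append(nxt)
        seen.add(nxt)
        current = nxt
    return chain


if __name__ == "__main__":
    for (ip, ns), domains in flag_suspicious_clusters(SAMPLE_RECORDS):
        print(f"cluster on {ip} via {', '.join(ns)}: {len(domains)} domains")
    chain = trace_redirect_chain("https://free-googleplay-giftcard.example/promo", SAMPLE_REDIRECTS)
    print(" -> ".join(chain))
```

Against live infrastructure the redirect map would be populated from `HEAD`/`GET` requests with automatic redirects disabled (for example `requests.head(url, allow_redirects=False)` and reading the `Location` header), and the passive-DNS records from whatever pDNS source the team has; the clustering and chain-tracing logic stays the same. Keep the hop limit: TDS chains are designed to be long, and an unbounded follower is an easy way to hang a crawler.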
This campaign exemplifies how attackers leverage automated domain generation and centralized infrastructure to execute large-scale scams efficiently. By exploiting users' interest in free rewards, scammers manipulate victims into compromising their data or generating revenue through affiliate fraud. The persistence of such operations underscores the importance of user awareness in identifying suspicious online offers. Security researchers continue to investigate the campaign under the identifier “gift_card_scam” to dismantle its infrastructure and mitigate its impact. Until more decisive actions are taken, users should exercise extreme caution when encountering unsolicited gift card promotions, avoiding interactions that could expose them to potential fraud.
THREAT PROFILE:
| Tactic | Technique ID | Technique |
| --- | --- | --- |
| Resource Development | T1585 | Establish Accounts |
| Initial Access | T1566 | Phishing |
| Execution | T1204 | User Execution |
| Persistence | T1176 | Browser Extensions |
| Credential Access | T1555 | Credentials from Password Stores |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1018 | Remote System Discovery |
| Command and Control | T1090 | Proxy |
| Command and Control | T1071 | Application Layer Protocol |
| Exfiltration | T1567 | Exfiltration Over Web Services |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/google-play-amazon-gift-card-using-100s-of-malicious-domains-to-steal-data/