Gift cards, anyone? Beware of Fraudulent and Malicious Hosts

Gift giving happens all year round, but far more gifts are bought and sold during the Christmas and holiday season. The holiday season, alas, is also the one with the highest number of gift card scams. The world’s biggest brands are no strangers to the threat, which is why Amazon, iTunes and Target, among others, have set up pages where scam victims can report malicious sites and pages.

We’ve put together a list of websites that consumers looking to buy gift cards for family and friends should be wary of. We dug deeper into the 1,339 domains and 863 subdomains containing the “gift + card” string obtained from Domains & Subdomains Discovery and found that:

  • A total of 127 domains contained the names of world-famous brands.
  • Forty-one of the 1,339 domains were rated as “dangerous” by various malware engines.
  • The 41 malicious domains resolved to seven unique IP addresses, all of which hosted at least 300 other domains.
  • Four of the 863 subdomains have been labeled as “dangerous” by various malware engines.

Note that we limited our dataset to domains and subdomains registered between September 1 and December 21, 2021. Why? Because many people start buying gifts at this time.

As part of our ongoing efforts to enable cybersecurity analysts and researchers to continue their studies, we have collected all relevant data and made it available to anyone interested. You can download related threat research papers here.

Analysis and Findings

First, we looked at all 1,339 domains and found that at least 127 of them featured the names of global brands, such as Visa, Target, and Amazon. The table below shows abused brands and their respective domain volumes. Note that we only included domains that spelled brand names correctly.

The table below shows example domains for each of the top 10 abused brands.

| Ranking | Brand | Example domains from dataset |
|---|---|---|
| 1 | Visa | gift cardshopping centermygift-visasalegift card[.]com |
| 2 | Target | gift card target[.]com |
| 3 | Amazon | amazon e-gift card[.]com |
| 4 | Apple/iTunes | apple gift cards[.]ph; getitunes gift card[.]ph |
| 5 | Shein | gift-card-shein[.]site |
| 6 | Walmart | walmart gift card[.]com |
| 7 | Chrome/Gmail/Google/Google Play | chrome gift card[.]com; gmail gift card[.]com; 123gift cardgoogleplay[.]ph |
| 8 | Bitcoin | gift-bitcoin[.]cards |
| 9 | Nike | giftcardunikeforbusiness[.]com |
| 10 | Xbox | xbox gift card[.]ml |

A mass malware check through Threat Intelligence Platform (TIP) revealed that 41 of the domains in our dataset are rated as “dangerous” by one or more malware engines.

Users should be kept from accessing such malicious domains by blocking them where possible. Querying the dangerous web properties on DNS Lookup revealed that they resolved to seven unique IP addresses.

Reverse IP searches for the IP addresses showed that each hosted at least 300 domains, indicating that they are likely part of shared hosting services.

That said, seventeen of the additional domains that resolved to the same IP addresses as the malicious domains were also rated as “dangerous” by various malware engines. These are (site descriptions based on screenshot searches):

  • magicrasolutions[.]com: Software development company page
  • project g4l1c1a[.]X Y Z : Currently unreachable
  • cjkddd[.]millilitre: Error page
  • auto discovery[.]cp-objection-appeal-portal[.]millilitre: Currently unreachable
  • apple-ltd[.]com: Currently unreachable
  • apple-ltd[.]co: Currently unreachable
  • alokdigitalmedia[.]com: Digital Marketing Services Site
  • allcodegift card[.]X Y Z : Site home page
  • aavkaro[.]com: Account suspension warning page
  • 3615google[.]in: Currently unreachable
  • 10082773[.]review: Account suspension warning page
  • 1002983[.]review: Account suspension warning page
  • 032972[.]X Y Z : Account suspension warning page
  • 022299fedeex[.]com: Blank page
  • 022289fedeex[.]com: Fake FedEx page
  • 022279fedeex[.]com: Blank page
  • 02-assistance-invoicing[.]org: Account suspension warning page
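
The brand check and the shared-IP pivot described above can be reproduced over any feed of newly registered names. The sketch below is an added example, not the tooling used for this study; it assumes "gift + card" means both strings appear somewhere in the hostname, takes its brand list from the table above, and runs on constructed sample records that use reserved example domains and documentation IP ranges.

```python
from collections import Counter, defaultdict

# Brand keywords from the table above. Matching is exact-spelling only, as in
# the article, so look-alikes such as "amaz0n" are deliberately not counted.
BRANDS = ["visa", "target", "amazon", "apple", "itunes", "shein",
          "walmart", "google", "bitcoin", "nike", "xbox"]

def refang(indicator):
    """Turn a defanged indicator (example[.]com) into a plain lowercase hostname."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")

def is_gift_card_name(host):
    """Assumed reading of the 'gift + card' search: both strings occur in the
    full hostname, TLD included (so a name under .cards can match on the TLD)."""
    return "gift" in host and "card" in host

def brands_in(host):
    """Correctly spelled brand keywords in the hostname. Substring matching can
    over-match (e.g. 'apple' inside 'pineapple'), so hits need human review."""
    return [b for b in BRANDS if b in host]

def triage(records):
    """records: iterable of (defanged_name, resolved_ip_or_None).
    Returns (brand_counts, hosts_by_ip) for names passing the gift+card filter."""
    brand_counts = Counter()
    hosts_by_ip = defaultdict(set)
    for name, ip in records:
        host = refang(name)
        if not is_gift_card_name(host):
            continue
        brand_counts.update(brands_in(host))
        if ip:
            hosts_by_ip[ip].add(host)
    return brand_counts, dict(hosts_by_ip)

def shared_ips(hosts_by_ip, min_hosts=2):
    """IPs serving several flagged names: candidates for a reverse IP lookup."""
    return sorted(ip for ip, hosts in hosts_by_ip.items() if len(hosts) >= min_hosts)

SAMPLE = [  # constructed records, not taken from the article's dataset
    ("visa-giftcard-sale[.]example", "192.0.2.10"),
    ("free-amazon-gift-card[.]example", "192.0.2.10"),
    ("giftcards[.]shop[.]example", "198.51.100.7"),
    ("amaz0n-giftcard[.]example", None),        # misspelled brand: no brand hit
    ("visa-rewards[.]example", "192.0.2.10"),   # no gift+card string: skipped
]

if __name__ == "__main__":
    counts, by_ip = triage(SAMPLE)
    print(counts.most_common(), shared_ips(by_ip))
```

Because an IP on shared hosting serves hundreds of unrelated sites, a shared-IP hit is a lead for per-domain reputation checks rather than grounds for blocking the address outright.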

We then took a closer look at the 863 subdomains and found that four of them should be avoided because they are malicious. The dangerous subdomains are:

  • gift card[.]ayurvedic[.]com
  • www[.]gift card[.]ayurvedic[.]com
  • gift-certificate-service-verification[.]com[.]fcs-world[.]org
  • www[.]gift-certificate-service-verification[.]com[.]fcs-world[.]org

As we’ve seen in this article, there is definitely more to gift card sites (even if they look real because they have popular brand names) than meets the eye. Users looking to purchase gift cards for loved ones should heed the advice of the Federal Trade Commission (FTC): stick to stores (or, in this case, store sites) that they know and trust. And if you end up being the victim of fraud, report the abuse to the authorities.

If you would like to carry out a similar survey, do not hesitate to contact us. We are always looking for potential research collaborations.

About Dora Kohler
