Giving gifts the whole year round is normal, but a whole boatload of presents are bought and sold most especially during Christmas and holiday seasons. The end-of-year holidays, unfortunately, also usher in the greatest number of gift card scams. But the world’s biggest brands are no longer newbies to the threat, which is why Amazon, iTunes, and Target, among many others, have put up pages where scam victims can report malicious sites and pages.

We collated a list of web properties that consumers looking to purchase gift cards for family and friends should be wary of. We dug deeper into the 1,339 domains and 863 subdomains containing the string “gift + card” obtained from Domains & Subdomains Discovery and found that:

• A total of 127 domains contained the names of world-famous brands.
• Forty-one of the 1,339 domains were dubbed “dangerous” by various malware engines.
• The 41 malicious domains resolved to seven unique IP addresses, all of which hosted at least 300 other domains.
• Four of the 863 subdomains were dubbed “dangerous” by various malware engines.

Note that we limited our dataset to domains and subdomains registered between 1 September and 21 December 2021. Why? Because many people begin buying gifts at this time.

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

Analysis and Findings

First, we scrutinized the 1,339 domains and found that at least 127 of them featured the names of global brands, such as Visa, Target, and Amazon. The chart below shows the abused brands and their respective domain volumes. Note that we only included the domains that spelled the brand names correctly.

The table below shows examples of domains for each of the top 10 abused brands.

A bulk malware check via Threat Intelligence Platform (TIP) revealed that 41 of the domains in our dataset are dubbed “dangerous” by one or various malware engines. Examples include:

• mygift-gift[.]cards
• mygiftcardmall-giftcardmall-mygift[.]com
• giftlove[.]cards
• giftcardmallmygift-visagiftcardbalance[.]com
• mygift-giftcard-mall[.]info
• balance-mygift-gift[.]cards
• giftcardmall-mygiftcard-balance[.]com
• gabbygiftcard[.]org
• wwwgiftcardmallcommygift[.]com
• targetcardgift[.]com

Users should refrain from accessing these malicious domains via blocking. Where possible, querying the dangerous web properties on DNS Lookup revealed that they resolved to seven unique IP addresses, namely:

• 35[.]185[.]44[.]232
• 81[.]17[.]29[.]146
• 198[.]54[.]116[.]49
• 139[.]162[.]2[.]200
• 103[.]129[.]97[.]199
• 198[.]54[.]117[.]244
• 198[.]54[.]126[.]161

Reverse IP lookups for the IP addresses showed that each hosted at least 300 domains, which indicates that they are probably part of shared hosting services. Examples include:

• a-sunflower-blooms[.]gitlab[.]io
• 16plersonalities[.]com
• audizonehearing[.]com
• bani[.]buzz
• cahayabalirental[.]com
• etoglobaltrading[.]com
• fbsadvancedtechnology[.]com
• galacticprogramming[.]com
• heartfulwarrior[.]net
• inovattaseguros[.]com

That said, seventeen of the additional domains that resolved to the same IP addresses as the malicious domains were also dubbed “dangerous” by various malware engines. They are (site descriptions based on screenshot lookups):

• magierasolutions[.]com: Software development company page
• g4l1c1aproject[.]xyz: Currently unreachable
• cjkddd[.]ml: Error page
• autodiscover[.]cp-objection-appeal-portal[.]ml: Currently unreachable
• apple-ltd[.]com: Currently unreachable
• apple-ltd[.]co: Currently unreachable
• alokdigitalmedia[.]com: Digital marketing service site
• allgiftcardcode[.]xyz: Site index page
• aavkaro[.]com: Account suspension warning page
• 3615google[.]fr: Currently unreachable
• 10082773[.]review: Account suspension warning page
• 1002983[.]review: Account suspension warning page
• 032972[.]xyz: Account suspension warning page
• 022299fedeex[.]com: Blank page
• 022289fedeex[.]com: Fake FedEx page
• 022279fedeex[.]com: Blank page
• 02-billing-support[.]org: Account suspension warning page

We then looked more closely at the 863 subdomains and found that four of these should especially be avoided since they are malicious. The dangerous subdomains are:

• giftcard[.]ayurvedarus[.]com
• www[.]giftcard[.]ayurvedarus[.]com
• giftcard-service-verification[.]com[.]f-c-s-world[.]org
• www[.]giftcard-service-verification[.]com[.]f-c-s-world[.]org

As we’ve seen in this post, there is definitely more to gift card sites (even if they look real because they bear popular brand names) than meets the eye. Users looking to purchase gift cards for their loved ones should heed the advice of the Federal Trade Commission (FTC)—stick to stores (or, in this case, store sites) they know and trust. And if you do end up getting defrauded, report the abuse to the authorities.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.