Digital asset theft is an easily monetized fraud that involves the theft and sale of gift card codes, reloads and pins
A grandfather goes to a store that sells gift and prepaid cards to buy his granddaughter a PlayStation card. The store gives the grandfather a code so the granddaughter can redeem this card by buying games or accessories for her favorite characters. However, when the girl tries to activate the card, they discover that the balance has already run out. This is an everyday example of fraud on the rise: digital asset theft.
What are we talking about when we use the concept of digital assets? This is a catch-all for various products, such as gift cards from a wide range of stores that can be redeemed in their e-commerce, cell phone top-ups, prepaid cards for online shopping, and access to streaming platforms such as Netflix, Dazn or Spotify…
The dynamics behind the theft of digital assets are simple. Cybercriminals gain access to the activation codes of these products by attacking either end customers or intermediary businesses (such as the store in our example). Once they have them, they sell them to third parties. For example, a criminal group may offer Amazon or Google Play gift cards worth €50 for as little as €25. This way, the attacker makes a profit of €25, and the person who illegitimately acquires the card saves another €25.
In this article, we will analyze the theft of digital assets and the importance of combating a phenomenon that affects thousands of companies and consumers.
1. The carditization of digital assets: stores, video games, reloads…
Servitization is a critical process that has transformed the economic model in recent decades. This concept explains how businesses have gone from selling products to marketing recurring services that translate into constant revenue. Without going any further, the Software-as-a-Service (SaaS) model is part of this process.
Well, just as we talk about the servitization of the economy, we can also use a similar concept: carditization. Large multinationals in the textile sector offer their customers the possibility of purchasing gift cards, and, as part of their loyalty strategy, they give their customers vouchers redeemable in their e-commerce. But the carditization phenomenon does not end there. It is in full expansion thanks to the rise of online commerce and the proliferation of purchases and transactions carried out through websites and mobile applications.
For example, carditization is a crucially important phenomenon in the retail sector as well as in the entertainment industry (video games, audiovisual, music…). A music-loving friend is having a birthday, and you don’t know what to give him because he no longer consumes physical music; why not give him a card so he can enjoy a streaming platform for free for half a year? Do you want to recharge the cell phone of a relative thousands of kilometers away so he can call you whenever he wants? It is also possible to top up prepaid cards from another country. Digitalization has forever transformed the way we consume, but it also brings a flip side: many criminals see the theft of digital assets as a criminal business that can get them huge profits.
2. Attack vectors and targets in digital asset theft cases
Criminals need to obtain legitimate activation codes of products or services before end customers proceed to use them and thus consume card balances. Therefore, the crux is how criminals can get hold of these codes before they are used legitimately.
It is, therefore, essential to address the attack vectors of criminals and their targets.
Tarlogic’s cyber intelligence and threat-hunting professionals have found that digital asset theft is a criminal practice that does not directly target the companies that offer these products. To put it bluntly, to get the activation code for an Amazon gift card or a Netflix pin, criminals do not target these multinationals with advanced security controls that make it difficult for an attack to succeed but instead focus on the supply chain and end customers. Why?
Companies such as Apple, Vodafone or Primark reach agreements with distribution companies that, in turn, work with thousands of final points of sale. In other words, small businesses that sell these cards and digital products act as intermediaries and do not have a cybersecurity strategy. These establishments, as well as their customers, are much more vulnerable to cyber-attacks to steal digital assets than the companies that own the assets and distribute the cards.
2.1. Points of sale
Therefore, the first attack vector for digital asset theft is in stores, kiosks, newsagents, grocery stores and other retail businesses. Nowadays, it is possible to get a gift card, make phone top-ups or get a card to pay online in hundreds of thousands of small establishments in our country.
If we walk around any city paying attention to the stores, we will discover how you can get cards and pins to access digital content or recharge prepaid cell phones in the vast majority of candy stores.
These establishments do not have the sale of digital assets as their primary source of business; they have little or no awareness of cyber threats, and, in addition, they work with several suppliers that are often in competition with each other. For example, a kiosk can top up Movistar and Digi or MásMóvil. They can also sell prepaid cards for spending on the Steam video game sales platform or sell pins for online payment methods such as Paysafecard or Neosurf.
2.1.1. Poorly protected equipment, a weak point for the theft of digital assets
What does this mean? The devices are not owned by multinationals but by small businesses that use them to manage top-ups and generate activation codes or pins to sell to end customers. So, the owners and distributors of digital assets have no control over the security of the equipment. Why? These computers are used to work with several companies and, in addition, the costs of securing them would be unbearable for a company, since we are talking about thousands of computers.
As a result, the computers from which the activation codes are generated are exposed to malware designed to steal the pins as soon as they are created.
In addition, there is a lack of digital training for the workers who sell the products and communication problems when it comes to informing the supplier companies about the theft of digital assets. This makes it challenging to manage security incidents and stop fraudulent activities.
The other primary attack vector is the end users of digital assets. Using social engineering techniques, criminals may try to gain access to consumer accounts on specific e-commerce or digital content platforms. With what aim? To steal the code of a gift card sent by a company to reward customer loyalty.
It is also possible to attack end customers through social engineering campaigns by tricking them into providing the activation pin to criminals. How? By impersonating the identity of the company supplying the digital product.
3. Social engineering and malware to obtain activation codes
Once cybercriminals know their targets and attack vectors, they start their fraudulent activities. To do this, they use social engineering techniques such as phishing, smishing or vishing to obtain the activation codes directly or to deploy malware, such as info-stealers or spyware, on their victims’ computers to gain access. They may even obtain the credentials to access the programs and platforms from which the codes are generated.
The way to proceed in the theft of digital assets is similar to other attacks. Hostile actors launch social engineering campaigns against their victims, for example, several small establishments that perform phone top-ups and market e-commerce cards and platforms. They send these businesses an email posing as a legitimate company to get the user to click on a link or download a document. This action will allow criminals to deploy malware that helps them access digital product activation pins.
Digital asset theft scams have also been detected in which outlets or their customers receive phone calls informing them of an issue when generating activation codes and requesting that they verify them. The variations are endless. Most attacks involve both an element linked to social engineering and impersonation, as well as the use of malware to infect the computers from which the codes are generated and carry out the theft of digital assets before the customers who have purchased them can use them.
4. Where are the stolen codes sold?
Outsiders to the cybersecurity industry may believe that this kind of fraud takes place on the notorious Dark Web. Still, cyberintelligence and threat-hunting professionals combating digital asset theft encounter a far more prosaic and less enigmatic reality.
The final phase of digital asset theft occurs in forums, Telegram groups, and even on the social networks of the companies whose assets are illegitimately traded. Yes, you read that right. Sometimes, companies post advertisements on social networks like Facebook or Instagram, and criminals use the comments to advertise their illegal business.
For example, consider an audiovisual streaming platform like HBO Max or SkyShowTime. The company advertises a TV series it has just added to its catalog, and a group focused on digital asset theft announces that it markets codes to enjoy the show. In this case, in addition to the theft of digital assets through code theft, there are other types of audiovisual fraud, such as account theft or the IPTV model.
The threat landscape is complex and diverse. Hence, multiple actors seek to enrich themselves by stealing digital assets and subsequently selling them. This implies not only having the ability to steal the codes but also being able to deploy an aggressive marketing strategy. This means that they compete with each other on open channels that allow them to reach mass audiences.
After all, the Dark Web is accessed by a few Internet users, while the official channels of multinational companies such as Apple or Amazon reach millions of consumers.
4.1. A twist: Appearance of legality
This whole issue becomes more complex if we include an extra element: some criminal groups can create websites that appear to be official and from which codes can be purchased to access, for example, a streaming platform. And they even offer a support service to their customers.
In such a way, many users acquire illegitimate codes without identifying that they are illegitimate, believing at all times that they are acting legally. This modus operandi is an excellent example of the sophistication reached in the theft of digital assets for subsequent commercialization.
5. The cat, the mouse, the theft of digital assets and their monetization
Technology is evolving at a pace never seen before in history. In cybersecurity, professionals are designing and developing techniques, tactics and procedures to optimize cyberattack prevention, detection, response and recovery capabilities. But, at the same time, cybercriminals continuously innovate their TTPs to stay ahead of cybersecurity, cyber intelligence and threat-hunting professionals. This is what we commonly refer to as the cat-and-mouse game: a continuous race in the pursuit of excellence. What does this imply? The theft of digital assets cannot be stopped for good.
As with other fraudulent actions, digital asset theft can see an escalation in the complexity of attacks in response to improved security barriers and mechanisms. This is possible because the criminal groups are 100% professionalized and dedicate a lot of resources to design and implement attacks. Why? The theft of digital assets is a very lucrative fraudulent business, as they are easily monetized products.
5.1. Easy commercialization
If we go back to what we discussed in the previous section, we can see that digital content can be easily commercialized and quickly turned into money. The crux of this model does not lie in the value of the stolen products but in the amount of digital content that can be stolen and the ability to market it effectively.
In another class of cyber-attacks, for example, those launched against industrial companies to steal their intellectual property, the target is extraordinarily valuable, but its monetization is more complex. Whereas in digital asset theft, there are:
- Many digital products that can be stolen, with their number increasing due to carditization and digitization.
- Numerous points of sale with a precarious cybersecurity position and poorly trained professionals.
- Many potential consumers willing to pay for illegitimate activation codes.
6. Cyber Intelligence and threat-hunting services to understand and anticipate criminals
Given what we have discussed throughout this article, we can conclude that the task for companies to combat digital asset theft is complex not only because of the level of knowledge, preparation and resources of the criminals but also because this kind of fraud involves other businesses that are part of the sales channel and lack cybersecurity mechanisms.
What can companies that market digital products and services do? Should they resign themselves to suffering the theft of digital assets and the associated economic and reputational damage?
Of course not. Just because digital asset theft cannot be eliminated does not mean that it cannot be contained and reduced to irrelevant figures that do not affect business models.
Cyber Intelligence and threat-hunting services play a crucial role in this task.
6.1. Cyber Intelligence
Cyber intelligence services specialized in fraud investigation and prevention are of vital importance.
As mentioned above, the theft of digital assets is an increasingly sophisticated malicious practice. Hence, it is critical to have specialized fraud analysis teams in the industry to combat online piracy, protect brand and digital products, and design customized solutions to curb fraudulent activities.
It is essential to understand that fraud is a behavior that will always exist. Knowing how it works and what technology it relies on, having the ability to deploy decoy environments to analyze it closely, and noticing the modifications it develops in response to each prevention measure can only be achieved with a continuous understanding of how it works.
Proactive threat-hunting services are also of great added value. Proactively detecting threats linked to digital asset theft and having effective incident response mechanisms in place is fundamental in combating these frauds.
Threat-hunting professionals focus on the TTPs of criminal groups to detect malicious activity quickly, understand their methodologies to adapt detection and response capabilities and stay one step ahead in the cat-and-mouse game.
In short, digital asset theft is an easily monetizable cyber-attack typology that affects not only companies that market this kind of product but also distribution companies, points of sale and, above all, end customers.
To face a constantly evolving threat landscape that sophisticates and perfects its techniques and tactics, it is essential to have the knowledge and experience of professionals specialized in cyberintelligence and Threat Hunting. Thanks to them, it is possible to successfully combat digital asset theft and prevent it from generating millions of dollars in losses that negatively affect companies and consumers.
This article is part of a series of articles about Digital Fraud
- Counter-Phishing: Anticipating the criminals
- Stolen accounts, IPTV apps and pirate platforms: how audiovisual fraud work
- Hacking of social network accounts and creation of fake profiles: No one is safe
- SIM swapping, when your phone, and your money, are out in the open
- How do cybercriminals carry out fraud in the tourism sector?
- Black Friday alert! 10 keys to cyber-attacks against e-commerce and their customers
- Digital asset theft: Easy money for cybercriminals