Threat Actors Offer You Free Google Play, Amazon Gift Card From 100s of Malicious Domains to Steal Data


Cybersecurity researchers at Palo Alto have recently uncovered a large-scale gift card scam campaign involving 276 stockpiled domains.

The scam targets users by advertising free or discounted gift cards for popular services such as Google Play, Amazon, and Roblox, luring victims into divulging personal information, downloading browser extensions, or purchasing services through affiliate links.

Scam Details and Tactics

The campaign employs a network of auto-generated domains that follow predictable patterns. These domains are designed to appear legitimate and include formats such as:

  • ___deal.com
  • ___selling.com
  • ___codes.com
  • offer___.com
  • ___offer.com
  • ___eshop.com

Examples of these domains include kgmdeal[.]com, rgndeal[.]com, and ctadeal[.]com. All 276 domains resolve to the same IP address (198.12.86[.]90) and utilize a shared set of four nameservers, indicating centralized control.
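The naming templates and shared hosting described above lend themselves to a simple detection pivot. The following Python is an added example, not code from the report or from Palo Alto: it flags resolver-log entries that follow the listed templates and treats a template match on an IP shared by several such names as the centralized-infrastructure signal; the 2-6 letter filler length, the threshold and the sample records are assumptions.

```python
import re
from collections import defaultdict

# Domain templates reported for the campaign (___deal.com, ___selling.com,
# ___codes.com, offer___.com, ___offer.com, ___eshop.com). The 2-6 letter
# filler is an assumption drawn from the examples kgmdeal, rgndeal, ctadeal.
TEMPLATES = [
    re.compile(r"^[a-z]{2,6}(deal|selling|codes|offer|eshop)\.com$"),
    re.compile(r"^offer[a-z]{2,6}\.com$"),
]
# Hosting IP reported for all 276 domains.
KNOWN_IP = "198.12.86.90"

def matches_template(domain: str) -> bool:
    """True if the name follows one of the auto-generated templates."""
    d = domain.lower().rstrip(".")
    return any(t.match(d) for t in TEMPLATES)

def flag_domains(records, min_cluster=3):
    """records: iterable of (domain, resolved_ip) from a passive-DNS or
    resolver log. Returns {domain: [reasons]} for every flagged domain.
    A template hit alone is weak (plenty of benign names end in 'deal');
    a template hit on an IP shared by several template-matching names is
    the shared-infrastructure signal the report describes."""
    by_ip = defaultdict(set)
    for domain, ip in records:
        if matches_template(domain):
            by_ip[ip].add(domain.lower())
    flagged = {}
    for domain, ip in records:
        reasons = []
        if matches_template(domain):
            reasons.append("template")
            if len(by_ip[ip]) >= min_cluster:
                reasons.append("shared_ip_cluster")
        if ip == KNOWN_IP:
            reasons.append("known_ip")
        if reasons:
            flagged[domain.lower()] = reasons
    return flagged

# Constructed sample resolver log: three names from the report plus
# made-up entries (offerqzx.com, zzzdeal.com, shop.example) for contrast.
SAMPLE_RECORDS = [
    ("kgmdeal.com", "198.12.86.90"),
    ("rgndeal.com", "198.12.86.90"),
    ("ctadeal.com", "198.12.86.90"),
    ("offerqzx.com", "198.12.86.90"),
    ("zzzdeal.com", "203.0.113.7"),
    ("shop.example", "203.0.113.8"),
]

if __name__ == "__main__":
    for domain, reasons in flag_domains(SAMPLE_RECORDS).items():
        print(f"{domain}: {', '.join(reasons)}")
```

Extending the cluster key with the nameserver set (the report notes four shared nameservers) would tighten the signal further.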

The scam operates by redirecting users through intermediate Traffic Distribution System (TDS) domains like affgo[.]xyz to final destinations such as:

  • 24.primerewardspot[.]com
  • teedrowed[.]co[.]in
  • gounrical[.]com

Users are prompted to complete tasks to claim their supposed gift cards at these final sites. These tasks include:

  • Signing up for services via affiliate links (e.g., USA Today, Freecash[.]com)
  • Downloading browser extensions
  • Providing personal information such as contact details

Redirection Chain Examples

The redirection process is complex and designed to obscure the scam’s origin. For instance:

A user visiting ctadeal[.]com is redirected through affgo[.]xyz, which leads to final destinations like gounrical[.]com or 24.primerewardspot[.]com.

On these final pages, users are asked to complete tasks such as filling out forms with personal information or signing up for affiliate services.

This campaign highlights the persistent threat posed by cybercriminals leveraging deceptive tactics to exploit unsuspecting users. By using auto-generated domains and centralized infrastructure, the attackers ensure scalability and efficiency in their operations.

Cybersecurity experts urge users to exercise caution when encountering offers that seem too good to be true. Avoid clicking on suspicious links, downloading unverified extensions, or sharing personal information on unfamiliar websites.

This campaign has been tracked under the identifier “gift_card_scam”, and further investigations are ongoing to dismantle its infrastructure and mitigate its impact.
