(Analysis by Peled Eldan and Lena Frid)
We all shop online. How many times, just before placing an online order, have you noticed the Coupon Code option and wondered – Could I get it cheaper if I had a coupon code? Most of us will drop the order to go and look for an available coupon code. Some will skip this thought and continue with the purchase, feeling a bit gullible. A hacker, on the other hand, will probably have other ideas in mind...
Coupons have been used for over a decade by online retailers as a powerful advertising tool. As eCommerce rapidly expands, so does the number of online coupon codes offered to customers to attract their attention and replace the old printed ones. Today we can no longer ignore it; coupons have become an integral part of eCommerce. During 2017, as much as $3.1 billion was saved by consumers thanks to coupons! 90% of consumers use coupons, finding them from a variety of online and offline sources.
Despite this most online retailers take the security aspect of the coupon code mechanism for granted, keeping it too simple to abuse. And as long as easy money is up for grabs - hackers will be there to collect it.
In this post, we summarize why coupon codes are an easy target for hackers, what techniques hackers might apply to abuse the coupon code mechanism, and finally, what coupon code management policies should eCommerce retailers implement to stay protected.
Getting Coupon Codes
While online retailers manage a wide range of coupon codes (personal/public/targeted/short and long term, and so on), there are many places where hackers, as well as other consumers, can put their hands on the desired coupons:
- On the online retailer’s site – online retailers publish their own coupon codes, possibly for SEO purposes. For example GAP, Macy's
- Mailing lists – online retailers use this as a popular marketing technique
- Social media: Twitter, Instagram, Facebook, etc.
- Coupon code sites and Browser add-ons – dedicated websites (such as joinhoney.com, couponfollow.com, and coupons.com) that collect offers, either public ones provided by online retailers, or personal ones supplied by individuals, and gather them all "under one roof."
As you can see, there are plenty of sources where consumers are exposed to coupon codes. These sources are legitimate and do a good job persuading consumers that deals are worthwhile.
A typical consumer, exposed to all these data sources, will be satisfied with the variety of discount opportunities and redeem the desired coupon for personal use. A hacker, however, will search for a way to benefit from all this easily accessible data.
Coupon Code Hacking Techniques
You will probably ask yourself, why do hackers need coupons? Will they go e-shopping with them? Or will they try to get them just because they can?
A basic assumption is that hackers do not have much interest in minor discounts, as provided by newsletters/free shipping codes and so on. They will try to use the available information and resources to escalate to the "next level" and reveal some major discounts. Once they get what they are looking for, they can use it as barter on the black market.
Here are several standard techniques that are used to hack coupon code mechanisms:
A hacker can brute force the coupon code field value by trying all combinations of alphanumeric values of a certain length (usually 4 to 10 characters). Easier said than done, this technique is possible but strongly depends on the hacker’s available processing power. Guessing a 10-character long string can be a time-consuming task.
A much more efficient technique would be to use all available data to create a list of coupon code phrases, eventually defining a dictionary to brute force with: This could be a general dictionary that contains the most common coupon code patterns. For example, the 30 most used code phrases by retailers are:
With a few intuitive assumptions, a hacker can easily build a nice dictionary out of these, including some obvious patterns such as "SaveXX", or "extraXX". It’s worth mentioning that usually, coupon codes phrases are case insensitive. For example, "SAVE25" and "save25" are typically interpreted as the same coupon code, making it easier to guess.
Another option is to compile a custom dictionary, targeting a specific website, based on common patterns that were previously disclosed by the retailer.
Here is a real-life scenario:
After analyzing the most popular public coupon codes online, we identified a recurring pattern of "10% OFF". So we decided to test this pattern with increased discount amounts such as "90% OFF". Surprisingly 😊, it worked:
A hacker may try to exploit coupon code input validation by injecting SQL queries and obtaining sensitive information, resulting in extracting valid coupon codes or, if they get lucky, the entire coupon code database and more!
Here is a real-life scenario:
We tried to inject a popular SQL injection query "‘or 1=1--" and it revealed the valid coupon code "CLUB50".
A hacker can even take over the retailer’s eCommerce Admin panel, obtaining control of the entire coupon code database and management system.
Guess what? When you have access to the Admin panel, creating a 100% discount code and redeeming it without leaving major traces for the real Admin to notice is totally doable!
While most leading e-brands may have good input validation and strong anti-Brute Force protection, small online retailers may be unaware of the importance of safe coupon code mechanism management and stay vulnerable to the imposed threats.
Here are some general guidelines that should be implemented to stay protected against such attacks:
Choose your eCommerce platform wisely:
When using 3rd party eCommerce platform, make sure that the platform is secure, and keep track of existing vulnerabilities.
Regardless of whether you are using a 3rd party eCommerce platform or an internal one, make sure you also stick with the following rules:
Securely manage your eCommerce Admin panel:
Never use default or easy-to-guess login credentials. Keep track of suspicious logins to the Admin panel. If you notice logins from unknown sources, consider changing your password. Do not share your admin email address for customer support purposes.
Make sure to disable unwanted/internal/testing coupon codes:
According to CouponFollow, 78% of the retailers limit the coupon code run time to 1 day. However, do they make sure to clean up all the expired coupon codes?
Here is another real-life scenario of a valid Christmas coupon code used in August:
Use unique coupon code phrases without losing the advertisement concept:
Although the retailer would prefer a catchy phrase for a coupon, codes should not be easily predicted. Therefore, obfuscation can be a good solution. For example, “CyberMonday” could be rewritten as “Cyb3rM0nd4y” making a dictionary attack more complex.
Single-use coupon codes/one use per user:
Use a random coupon phrase and assign it to a specific customer account, valid for single use only.
Group-based coupon codes:
Limit coupon codes to a specific group of users (for example, the same geolocation).
Unauthenticated users should not be able to redeem coupons (at least not major discounts).
Set rate limits/attempt limits for a specific visitor and present a CAPTCHA after the specified limit is breached.
Implement strong input validation with an emphasis on possible SQL injection attempts.
Although those guidelines might seem obvious and elementary, many online retailers invest more in marketing and neglect the security aspect. The increasing popularity of coupon codes is reflected with an increasing threat rate and therefore should be strongly considered during the online retailer’s security risks assessment.
We would like to thank CouponFollow.com for the collaboration and for providing useful information.