Four young hackers have been arrested for allegedly digitally shoplifting vouchers worth Rs92 lakh by tampering with the data of e-commerce websites at the payment gateway stage. Two of them are BTech dropouts, one is pursuing engineering while the other is a BCA from Delhi University, police said.
Calling it the first such case reported from the national capital, DCP (south) Ishwar Singh said these hackers used the stolen vouchers at popular e-commerce sites such as MakeMyTrip, Flipkart, Amazon, Dominos Pizza, Myntra and Shoppers Stop, among others, said police.
To avoid tracking, the accused never stayed in any place for more than two days, but they spent their time putting up at five star hotels, flying by expensive flights and spending incessantly on their girlfriends. They would ‘show-off’ their lavish lifestyle and offer expensive laptops and mobile phones for dirt-cheap to their friends on social media.
To come across as well-off persons, the four would hire cars like Mercedes and BMW while travelling with their girlfriends, said the DCP on Wednesday. The three 18-year-old arrested youths, led by the alleged mastermind, Sunny Nehra, had allegedly undergone extensive training in hacking and had tied up with professional hackers in India, Netherlands and Indonesia to learn the tricks of the trade. Nehra, a BTech dropout student, had obtained an additional expertise in looking for vulnerabilities in online payment sites. A few months ago, one of his hacker friends informed him that PayU, a payment gateway, was suffering from vulnerability and could be tested for “data tampering”, said the DCP.
Explaining the modus operandi, Singh said, Nehra and his friends would first opt for a purchasing an e-voucher from the website. Using credit or debit cards obtained on fake documents, the hackers would enter the card details and make the payment using the PayU payment gateway.
Once the payment was being processed, one is generally led to a page that asks not to ‘refresh’, ‘cancel’ or ‘go back’ until the payment is through.
It is at this particular point that these hackers would press the cancel button to “freeze” the page. Using their hacking skills, they would change certain values before again proceeding with the payment.