Scam artists have been using hacked accounts from retailer Kohl’s.com to order high-priced, bulky merchandise that is then shipped to the victim’s home. While the crooks don’t get the stolen merchandise, the unauthorized purchases rack up valuable credits called “Kohl’s cash” that the thieves quickly redeem at Kohl’s locations for items that can be resold for cash or returned for gift cards.
KrebsOnSecurity reader Suzanne Perry, a self-professed “shopaholic” from Gilbert, Penn., said she recently received an email from Kohls.com stating that the email address on her account had been changed. Recognizing this as a common indicator of a compromised account, Perry said she immediately went to Kohls.com — which confirmed her fears that her password had been changed.
On a whim, Perry said she attempted to log in with the “updated” email address (the one the thief used) along with her existing password. Happily, the thieves had been too lazy to change it.
“Once I was logged in, I checked my order history to determine if any fraudulent orders were placed in the 20 minutes since I received the notification,” she said. “I wasn’t that surprised to see two online orders, totaling almost $700 each, but I was very surprised to see they were being shipped to my house and not some address I never heard of.”
Perry said she then contacted Kohl’s and gave them the two order numbers and the fraudulent email address.
“I explained what happened, and they were very helpful in canceling the orders, updating my email address, and resetting my password,” she said. “I told them I couldn’t understand why someone would hack into my account just to have a bunch of stuff shipped to my own address. I was trying to figure out what the criminal would possibly have to gain from the effort, but the service representative informed me that is actually a very common occurrence for them.”
Turns out, the criminal wasn’t after the merchandise at all. Rather, the purpose of changing her email address was to drain the account’s stored Kohl’s cash, a form of rebate that Kohl’s offers customers — currently $10 for every $50 spent at the store. The two fraudulent orders yielded $220 in Kohls cash total, which is emailed once the order is confirmed (hence the need to change the victim’s email address).
“Since the orders were being shipped to me, even though they were above the threshold for what my typical online spending behavior is, no red flags were raised on their end,” Perry said.
More interestingly, virtually all of the merchandise the thieves ordered to build up the account’s Kohl’s cash balance were bulky items: Three baby cribs, a stroller system and car seat, and a baby bath tub, among other items. Perry said Kohl’s told her that the thieves do this because they know bulky items usually take longer to return, and since Kohl’s revokes Kohl’s cash credits earned on items that are later returned, the thieves can spend the stolen Kohl’s credits as long as the owner of the hijacked account doesn’t return the fraudulently ordered items.
“The representative told me when these types of fraudulent transactions occur, the victim usually is unaware of it until the items arrive at their house,” Perry said of her conversation with the Kohl’s representative. “Since the items ordered tend to be large, it generally takes longer for a customer to be able to bring them back for a refund. Had I not questioned the email address change, the items would have shipped to me and the $220 in Kohl’s cash would have been long spent by the criminal before I had the opportunity to take the items back and rectify the situation.”
Perry said she was shocked by the scam’s complexity and sheer gumption.
“The people behind this are clearly making every effort to not only defraud an account, but also to inconvenience the affected customer as much as possible,” she said. “I think Kohl’s handled the situation well over all; the email notification of an account change is more than I get from some other online shopping sites, and they were able to cancel the Kohl’s cash. Still, I’m a bit surprised they aren’t doing anything to promote awareness among their customer base.”
Reached for comment about the apparent fraud trend, Kohl’s spokesperson Jen Johnson said the company “is aware of a limited number of cases where fraudsters have obtained login information from outside sources to make purchases to earn Kohl’s Cash.”
“We are always working to protect our customer shopping experience and will continue to look at ways to make it more difficult for fraudsters in the future,” Johnson wrote in an emailed statement. “Customer service is a top priority for Kohl’s and, as always, we will work with any customer who has had a less than optimal experience. As a best practice, we would encourage customers to regularly change their passwords and to not use the same password for multiple accounts.”
This type of fraud usually stems from customers picking weak passwords, or re-using the same password at multiple sites. However, Perry said she’s still mystified how the thieves were able to get hold of her password, which she said was an 11-character, three-word phrase that she didn’t use on any other site.
It’s unclear how much is lost annual to points and rewards fraud, but the industry is ripe for the picking: Loyalty program experts at Colloquy.com estimated in 2011 that some 2.6 billion loyalty memberships generated some $48 billion in rewarded points and miles.
Have you experienced similar fraud at merchants that offer rewards points or cash? Sound off in the comments below.