

Fraudsters have come up with a new way of monetizing loyalty program points. They have begun to use special programs, bots, which register en masse on the websites of retail chains, cafes and delivery services, imitating real users. Such fake accounts receive welcome bonuses, birthday points or various promotions, and then anyone can buy these points in special Telegram chats: there are schemes both with orders of specific goods at a reduced price and with the outright sale of points. Lawyers interviewed note that such activity is outside the law: it may qualify as embezzlement in the form of fraud, since under retailers' terms the points are intended for real people, not bots.
How points are stolen
Since the beginning of 2025, cybersecurity companies have been approached by retailers and online services suffering losses from a new fraudulent scheme for stealing loyalty program points, IT market participants told Izvestia.
Most online and offline stores run bonus point programs, noted Anton Chemyakin, head of the analytical department at Servicepipe, and points are not always tied to the amount of purchases made.
- For example, welcome bonuses for new customers or bonuses in honor of a birthday are common. Points are also awarded within marketing campaigns, for example "Bring a friend". Bonuses can be used to pay for a varying share of a purchase, sometimes the whole purchase, the expert explained.
It is these points and bonuses that become the target of attackers. They develop bot programs that register on company websites as seemingly real new customers and receive the bonuses. The bots take phone numbers from databases that have leaked online. The security systems are easily bypassed: if registration requires entering a code from an SMS, the bot simply submits tens of thousands of variants until it guesses the right one.
- If bots are highly active on resources that are not protected from such attacks, the botmaster can "earn" a large number of bonuses from various players, Anton Chemyakin added.
Cases of such a scheme have become widespread, confirmed iTPROTECT information security expert Eugenia Galushko.
How money is withdrawn
To earn money from the points received, enterprising individuals create special Telegram channels, chats and pages on social networks, said Anton Chemyakin.
- They publish messages in the style of "Promo code from the 'Cats' store worth 500 rubles for only 50 rubles" or an offer to order coffee with delivery worth 400 rubles for only 100 rubles, the expert explained.
If the points are awarded in the form of a promo code, the attackers can simply sell it, since they received it for free. If the bonuses are tied to a specific customer account, the bot places the order itself. The scheme applies to supermarkets, clothing stores, online cinemas, music services and sites selling tickets to various events, Izvestia has verified. Customers buying through such a chat top up the wallet linked to it and then spend that money to purchase the discounts.
"When buying in the bot, you are given a store card, a promo code, an account or something like that. Everything comes with detailed instructions on how to use it," one of them promises its users (spelling retained).
Such bots have their own bonus program. For each friend brought in, users are promised 5% of their deposits to the wallet linked to the bot.
"Believe me, sometimes it is enough to bring in just a couple of acquaintances who then buy from us at their own expense. And if you invite a lot of people and accumulate a large balance, you can even withdraw it. This is how you can organize a passive income," said the creators of the chatbot (more than 30 thousand people are registered in it).
Sometimes attackers immediately purchase goods at the discounted price and then resell them cheaper than on the original site, thus cashing out part of the points, said Viktor Ievlev, head of the information security department at the Garda group of companies.
The income of bot owners can be dozens of times higher than the cost of creating and operating such programs, said Anton Chemyakin.
- Large players with a wide network across the country suffer from such bot attacks, because in this case it is easier for bot owners to monetize their activities, he said. Among the victims of attackers there are also companies widely represented in a single region.
Izvestia sent requests to large retailers and catering representatives asking how they counter such threats.
What other schemes exist
There are many fraud schemes involving vendor bonuses, cybersecurity companies assured.
- For example, we became aware of cases when fraudsters stole points from Pyaterochka cardholders, said Viktor Ievlev. In various stores there have also been cases when cashiers themselves cheated with cards and wrote off points from the owners: they asked customers to pay for the purchase in cash, allegedly because of a terminal freeze, but at the same time deducted points for the purchase.
Mobile applications can also be a source of vulnerability for writing off or transferring points to fraudsters' accounts, he said.
- Hackers have learned to re-bind activated loyalty cards to any phone number. And in applications with cards, users often set weak passwords, so attackers use simple brute force to break into personal accounts and steal bonuses or points, the expert emphasized.
A few years ago there were mass cases of bonus miles being stolen from airlines: hackers broke into users' accounts and spent their miles on airline tickets, said Alexander Dmitriev, CEO of Neuroinform.
- A vulnerability was also discovered in one of the stores that allowed points to be racked up, and until the vulnerability was closed the company lost several million rubles, he emphasized.
In another case, he said, attackers registered a new account on an online store's website with a fake e-mail.
- After authorization, they wrote a script that went through the personal accounts of all the store's users and checked for points. As a result, the attackers found enough accounts with a large number of points, bought goods on behalf of those accounts, paid for most of the purchase with points and gave the rest in cash when receiving the goods, the expert said.
There are more cases of points theft because, firstly, bonus programs have appeared in most stores and services and, secondly, the number of hacker attacks in general has increased, he believes.
Is it possible to prosecute "botmasters"?
The situation in which attackers use automated means to register fake accounts to obtain points is a vivid example of illegal activity in the digital economy, says Artem Evseev, counsel in the intellectual property practice of the EBR law firm.
- Such schemes, in which bots imitate real users to receive bonus points, may qualify as embezzlement in the form of fraud. Yes, bonus points are formally neither cash nor any other asset. But with the help of this asset the user can buy real goods, he noted.
So far there is no separate normative act regulating bonus programs and loyalty cards as an independent object of law, he added. However, in such cases, general norms of consumer, civil and criminal law, namely articles on fraud and misappropriation of other people's property, may be applied.
- In addition, a user can be held liable for violating the terms of the user agreement, which is the basis of the relationship between the retailer and its customers. This makes it possible to block the user's account and apply other response measures, he said.
If bots use automated systems to register and receive points, this may be additionally qualified as unlawful access to computer information (Article 272 of the Criminal Code of the Russian Federation), added Yuri Mirzoev, CEO of the Mitra National Law Company and member of the Board of the International Association of Lawyers and Consultants.
When attackers who have no right to acquire bonus points or discounts use them unlawfully, this shows the signs of causing property damage to the owner by deceit or breach of trust, prohibited by Art. 165 of the Criminal Code of the Russian Federation, added Ekaterina Kharchenko, senior lawyer at Criminal Defense Firm.
But in this case, according to her, the prosecution will have to prove a significant difference between the company's economic turnover with the unlawful seizure of the points and without it.
Why bonuses benefit merchants
Bonus programs, especially those with game elements, are a powerful business tool that increases customer engagement and encourages customers to come back, explained independent PR consultant Denis Goldman. This makes it possible to increase the average check and the frequency of purchases.
- Investments in such programs pay off if the mechanics are well thought out. Gamification should motivate customers to spend more, not just collect points for the sake of discounts, he emphasized.
It is important to monitor the program's economic model to avoid situations where the business is forced to give out overly generous bonuses without a real increase in profit, the expert stressed.
- To minimize such risks, it is important for businesses to establish clear rules for the use of bonuses, limit their validity period and implement mechanisms to protect against fraud, he said.
To increase the security of bonus programs and their resistance to bot attacks, it is important to implement multi-factor authentication and make the registration process harder, stressed Eugenia Galushko.
- It is also worth thinking about introducing a system for analyzing user behavior, the expert believes. Bots, even the most advanced ones, often give themselves away by actions that are unnatural and too fast for a human, she said.
Modern systems make it possible to track this, the expert assured.
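As an added example (not code from the article or from any of the companies quoted), the following Python sketch shows two defensive measures the experts describe: a per-phone lockout on SMS code verification, which stops the code-guessing used in the registration scheme above, and a behavioral review of constructed signup records that flags accounts completed too fast, redeemed instantly or registered in bulk from one address. The thresholds, field names and sample data are assumptions.

```python
import hmac
from collections import Counter
from dataclasses import dataclass

OTP_FAIL_LIMIT = 5          # assumed policy: wrong SMS codes allowed before the phone is locked
MIN_HUMAN_FORM_SECONDS = 8  # assumed: a person needs at least this long to fill in the form
MAX_SIGNUPS_PER_IP = 2      # assumed: more signups than this from one address is suspicious

class OtpVerifier:
    """Per-phone failure counter with lockout, so a bot cannot keep guessing codes."""
    def __init__(self, issued):
        self.issued = issued        # phone -> code sent by SMS (constructed sample)
        self.failures = Counter()

    def verify(self, phone, code):
        if self.failures[phone] >= OTP_FAIL_LIMIT:
            return "locked"         # refused even if this guess happens to be right
        if hmac.compare_digest(self.issued.get(phone, ""), code):
            self.failures.pop(phone, None)
            return "ok"
        self.failures[phone] += 1
        return "locked" if self.failures[phone] >= OTP_FAIL_LIMIT else "wrong"

@dataclass
class Signup:
    phone: str
    source_ip: str
    otp_attempts: int       # codes submitted before the right one
    form_seconds: float     # page load to form submit
    redeem_seconds: float   # signup to first spend of the welcome bonus

# Constructed sample: three bot-like signups from one address, one human-looking one.
SIGNUPS = [
    Signup("+70000000001", "203.0.113.7", 4117, 1.2, 9.0),
    Signup("+70000000002", "203.0.113.7", 2890, 0.9, 11.0),
    Signup("+70000000003", "203.0.113.7", 1, 0.7, 8.0),
    Signup("+70000000004", "198.51.100.20", 1, 42.0, 86400.0),
]

# Signals the experts name: code guessing, inhuman speed, instant redemption, mass signups.
CHECKS = [
    ("otp_guessing", lambda s, ips: s.otp_attempts > OTP_FAIL_LIMIT),
    ("form_too_fast", lambda s, ips: s.form_seconds < MIN_HUMAN_FORM_SECONDS),
    ("instant_redeem", lambda s, ips: s.redeem_seconds < 60),
    ("ip_cluster", lambda s, ips: ips[s.source_ip] > MAX_SIGNUPS_PER_IP),
]

def review(signups):
    # Map each phone to the signals it triggers; an empty list means it looks human.
    ips = Counter(s.source_ip for s in signups)
    return {s.phone: [name for name, check in CHECKS if check(s, ips)] for s in signups}
```

In a real deployment the lockout counter would live in shared storage and the thresholds would be tuned against the service's own traffic.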
Sellers should not only improve the technical means of protection against automated registrations and bot use, but also revise the terms of their loyalty programs to close the legal loopholes that allow attackers to profit, added Artem Evseev.
Translated by the Yandex Translate service