Cyber Incident Victim: Amazon.com Inc.
Date: Dec 2016
Location: India
Summary
A group of hackers manipulated payment gateway vulnerabilities to tamper with e-commerce transactions, targeting a voucher provider platform. By exploiting weaknesses in the PayU payment system during transaction processing, they altered payment values—such as changing a ₹5,000 voucher purchase to ₹1—using fake credit cards and specialized software. The fraudulently obtained vouchers were then used to acquire goods and services from multiple platforms, including Amazon, resulting in significant financial losses for the voucher provider. The perpetrators, who flaunted lavish lifestyles funded by the scheme, were apprehended after authorities traced digital footprints from purchased devices to their social media profiles and physical locations.
Description
In late December 2016, representatives of an e-commerce platform administering gyftr.com, a voucher distribution website, reported a sophisticated fraud case to Delhi's Hauz Khas police. The complaint, filed on December 30, detailed how attackers had manipulated payment processes to steal vouchers worth ₹92 lakh (approximately $138,000 USD at the time). The criminal group, led by 18-year-old BTech dropout Sunny Nehra, exploited vulnerabilities in the PayU payment gateway system. Nehra had received specialized training from hackers in India, the Netherlands, and Indonesia, and used custom software alongside a high-performance Dell laptop with 256GB RAM configured for hacking operations.

The attackers first identified that PayU's payment processing page allowed parameter modifications during transactions. They would initiate purchases using credit/debit cards obtained through fake documents, proceed to the payment confirmation screen, then intentionally cancel the transaction to freeze the page. During this frozen state, they altered critical values—such as changing a ₹5,000 voucher purchase to ₹1—before completing the transaction. These manipulated vouchers were then redeemed across multiple e-commerce platforms including Amazon, Flipkart, MakeMyTrip, and Dominos Pizza for high-value goods and services.
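
A merchant-side check against the amount tampering described above, as an added example (not code from the original page, PayU, or gyftr.com). The field names, the HMAC-SHA256 signing scheme, the secret and the order record are constructed assumptions, not PayU's actual API; the point is that vouchers are released only when the paid amount matches the price stored server-side.

```python
import hashlib
import hmac
from decimal import Decimal, InvalidOperation

SECRET = b"constructed-demo-secret"            # assumption: merchant/gateway shared key
SIGNED_FIELDS = ("txnid", "amount", "status")  # assumption: hypothetical callback fields

# Server-side source of truth: price fixed at order creation, in paise (constructed).
ORDERS = {"ORD-1001": {"amount_paise": 500000, "fulfilled": False}}

def sign(params, secret=SECRET):
    """HMAC over the callback fields, so edits made in transit are detectable."""
    msg = "|".join(str(params[f]) for f in SIGNED_FIELDS).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def to_paise(value):
    """Parse a rupee amount string into integer paise; None if malformed."""
    try:
        amount = Decimal(str(value))
    except InvalidOperation:
        return None
    if not amount.is_finite():
        return None
    paise = amount * 100
    return int(paise) if paise == paise.to_integral_value() else None

def verify_callback(params, orders=ORDERS, secret=SECRET):
    """Return (ok, reason); release vouchers only when ok is True."""
    if any(f not in params for f in SIGNED_FIELDS) or "hash" not in params:
        return False, "missing field"
    expected = sign(params, secret).encode()
    if not hmac.compare_digest(expected, str(params["hash"]).encode()):
        return False, "bad signature"
    order = orders.get(params["txnid"])
    if order is None:
        return False, "unknown order"
    if params["status"] != "success":
        return False, "payment not successful"
    # A valid signature only proves what was paid, not that it was the right price.
    if to_paise(params["amount"]) != order["amount_paise"]:
        return False, "amount mismatch"
    if order["fulfilled"]:
        return False, "already fulfilled"   # blocks replay of a genuine callback
    order["fulfilled"] = True
    return True, "ok"
```

The amount comparison is the control that matters for this incident: a callback that is correctly signed for ₹1 still fails because the order was created for ₹5,000.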

The attackers maintained an extravagant lifestyle funded by their activities, frequently staying at five-star hotels, renting luxury vehicles like Mercedes and BMWs, and purchasing premium electronics. This conspicuous consumption ultimately facilitated their detection. A police special team analyzed purchase records from the affected platforms, tracing specific iPhone and iPad devices bought with the fraudulent vouchers. Digital forensic examination of these devices' IP addresses led investigators to Nehra's Facebook profile, which displayed his lavish expenditures. On January 25, 2017, authorities arrested Nehra at a Gurgaon hotel and apprehended three accomplices—two additional 18-year-olds (one engineering student and one BTech dropout) and a Delhi University BCA student. The investigation revealed the group deliberately avoided fixed residences to evade detection, changing locations every 1-2 days. While gyftr.com bore the direct financial loss from the voucher manipulation, secondary impacts extended to partner platforms like Amazon through the redemption of fraudulent vouchers for merchandise. Police characterized the operation as Delhi's first reported case of large-scale digital shoplifting via payment gateway exploitation.
