
Cyber Incident Victim: Jubilant FoodWorks

Date: Dec 2016

Location: India

Summary

Four individuals were arrested for orchestrating a digital shoplifting scheme involving e-commerce payment gateway vulnerabilities, resulting in fraudulent voucher acquisitions worth approximately Rs92 lakh. The group, led by a tech dropout, exploited weaknesses in a payment processor to manipulate transaction values during processing—reducing amounts like Rs5,000 to Re1—before finalizing payments. They utilized falsified credit cards and specialized hacking tools to target platforms including a voucher provider servicing entities such as Jubilant FoodWorks' Domino's Pizza. The fraud was uncovered after the affected voucher administrator reported discrepancies, enabling authorities to trace purchases to devices linked to the perpetrators' social media profiles, leading to their apprehension at a luxury hotel.


Description

On December 30, 2016, representatives of gyftr.com—an e-commerce platform facilitating voucher sales—reported a cybercrime incident to Delhi's Hauz Khas police. The complaint detailed unauthorized voucher acquisitions worth ₹92 lakh (approximately $138,000 USD at the time) through systematic manipulation of payment processes. Investigations revealed that a group of four hackers, led by 18-year-old BTech dropout Sunny Nehra, exploited vulnerabilities in the PayU payment gateway integrated with gyftr.com. The attackers used credit/debit cards obtained via fake documents to initiate voucher purchases. During payment processing, they canceled transactions at the gateway's "do not refresh" stage, froze the page, and altered critical parameters using specialized hacking software. For instance, they modified a ₹5,000 voucher's value to ₹1 before completing the transaction. The compromised vouchers were then redeemed across multiple platforms including Jubilant FoodWorks' Domino's Pizza, MakeMyTrip, Flipkart, Amazon, Myntra, and Shoppers Stop. The group flaunted their illicit gains through luxury car rentals, discounted sales of high-end electronics to acquaintances, and stays at five-star hotels.


Delhi Police formed a special team that analyzed transaction records from affected platforms, identifying purchased devices like iPhones and iPads. Tracking these devices' IP addresses led investigators to Nehra's Facebook profile. On January 25, 2017, police arrested Nehra at a Gurgaon hotel and subsequently apprehended his three accomplices—two BTech dropouts and one BCA student—all aged 18. Forensic examination uncovered their use of a Dell laptop with 256GB RAM configured for hacking suites, along with collaborations with international hackers in the Netherlands and Indonesia to refine their techniques. The attackers had previously identified PayU's vulnerability to parameter tampering during payment processing. Financial losses were solely attributed to gyftr.com, which bore the liability for the manipulated voucher transactions. No data breaches or system compromises were reported at the voucher-redeeming platforms, as the fraud occurred at the payment gateway level prior to voucher issuance.
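
The control that stops this kind of parameter tampering before voucher issuance, as an added example that is not taken from the incident report or from PayU's or gyftr.com's code: the merchant verifies the gateway callback's integrity and reconciles the paid amount against its own server-side order record. The callback field names, the HMAC-SHA256 signing format, the secret and the order data are hypothetical, constructed for illustration.

```python
import hashlib
import hmac
from decimal import Decimal

# Hypothetical secret shared by merchant and gateway (constructed value).
GATEWAY_SECRET = b"constructed-demo-secret"

# Server-side order book (constructed sample). The price is fixed when the
# order is created and is never read back from the browser.
ORDERS = {"ORD-1001": {"amount": Decimal("5000.00"), "currency": "INR", "issued": False}}


def sign_callback(fields: dict) -> str:
    """HMAC-SHA256 over a canonical field string (hypothetical format)."""
    canonical = "|".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(GATEWAY_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def verify_and_issue(callback: dict) -> str:
    """Return 'issued' or a rejection reason for a gateway callback."""
    fields = {k: v for k, v in callback.items() if k != "signature"}
    supplied = str(callback.get("signature", "")).encode()
    if not hmac.compare_digest(sign_callback(fields).encode(), supplied):
        return "rejected: bad signature"
    order = ORDERS.get(fields.get("order_id"))
    if order is None:
        return "rejected: unknown order"
    if fields.get("status") != "success":
        return "rejected: payment not successful"
    try:
        paid = Decimal(fields["amount"])
    except (KeyError, TypeError, ArithmeticError):
        return "rejected: malformed amount"
    # A validly signed callback can still report the wrong amount if the
    # value was altered before the gateway charged the card.
    if not paid.is_finite() or paid != order["amount"] or fields.get("currency") != order["currency"]:
        return "rejected: amount mismatch"
    if order["issued"]:
        return "rejected: already issued"
    order["issued"] = True
    return "issued"
```

The amount comparison is the check that matters for the ₹5,000-to-₹1 case described above: the signature only proves the callback came from the gateway, not that the gateway charged the price the merchant set.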
