Four young hackers have been arrested for allegedly digitally shoplifting vouchers worth Rs92 lakh by tampering with the data of e-commerce websites at the payment gateway stage. Two of them are BTech dropouts, one is pursuing engineering while the other is a BCA from Delhi University, police said.
Calling it the first such case reported from the national capital, DCP (south) Ishwar Singh said these hackers used these vouchers at popular e-commerce sites such as MakeMyTrip, Flipkart, Amazon, Dominos Pizza, Myntra and Shoppers Stop, among others, said police.
To avoid being tracked, the accused never lived in any place for more than a day or two, but they spent their time putting up at five star hotels, travelling by expensive flights and splurging on their girlfriends.
They would ‘show-off’ their lavish lifestyle and offer expensive laptops and mobile phones for dirt-cheap to their friends on a social media website.
To come across as well-off persons, the four would hire cars like Mercedes and BMW while travelling with their girlfriends, said the DCP on Wednesday.
The three 18-year-old arrested youths, led by the alleged mastermind, Sunny Nehra, had allegedly undergone extensive training in hacking and had tied up with professional hackers in India, Netherlands and Indonesia to learn the tricks of the trade.
“They had obtained special softwares that helped them go about their job. They even had a Dell laptop of 256 GB RAM configuration capable of supporting a particular hacking suite,” said an investigator.
Nehra, a BTech dropout student, had obtained an additional expertise in looking for vulnerabilities in online payment sites. A few months ago, one of his hacker friends informed him that PayU, a payment gateway, was suffering from vulnerability and could be tested for “data tampering”, said the DCP.
Nehra studied the website and soon realised that it allowed changes in parameters at the processing page. He then targeted a website gyftr.com from where one can buy vouchers.
Explaining the modus operandi, Singh said, Nehra and his friends would first opt for a purchasing an e-voucher from the website. Using credit or debit cards obtained on fake documents, the hackers would enter the card details and make the payment using the PayU payment gateway.
Once the payment was being processed, one is generally led to a page that asks not to ‘refresh’, ‘cancel’ or ‘go back’ until the payment is through.
It is at this particular point that these hackers would press the cancel button to “freeze” the page. Using their hacking skills, they would change certain values before again proceeding with the payment.
For example, if they were purchasing a voucher worth Rs5,000, they would edit the value to just Re1. Since they had already decoded the source codes of that page during the experimentation stage in the past, they were able to make the payment go through.
While the hackers then used these vouchers to buy products and services from different websites, the portal offering the vouchers was duped.
It was on December 30, 2016, that representatives of an e-commerce website that administers the website gyftr.com approached Hauz Khas police with a complaint that they had been duped of vouchers worth Rs92 lakh.
A special team constituted to crack the case obtained records from the portals whose services were used. That helped police identify certain iPhones and iPads that were purchased by the accused. “The IP addresses of these devices were tracked, leading police to the Facebook profile of Nehra,” said the DCP.
He was finally traced to a five star hotel in Gurgaon where he had been staying. At his instance, his friends too were nabbed.