A Wisconsin man faces up to 20 years in prison and a $250,000 fine, after admitting to stealing nearly $100,000 worth of unsuspecting shoppers’ Kohl’s Cash coupons, in order to sell them online via his Twitter account.

Federal prosecutors announced yesterday that 35-year-old Robert Gordon of Weston, Wisconsin has pleaded guilty to wire fraud and trafficking access devices. He admitted to hacking into Kohl’s shoppers’ accounts over an 11-month period ending in May, and stealing their Kohl’s Cash. Shoppers earn Kohl’s Cash discount certificates by making purchases, and can use them for discounts off future purchases, in store or online.

Instead, Gordon managed to log into users’ accounts and empty their Kohl’s Cash balances. Prosecutors said he used hundreds of Kohl’s Cash certificates to buy things for himself, and sold thousands more online at 50% of their face value.

And he did this out in the open, on Twitter. Using the account @OfficialJigLord, Gordon publicly advertised his services. “Specialize in Steals, Deals, and Jigs!” the account promised, as eager followers paid him $50 for $100 worth of Kohl’s Cash, or $250 for $500 worth, and so on.

But the “jig” was up, after someone tipped off Kohl’s. “This account @OfficialJigLord steals customers’ info and sells their Kohl’s Cash on Twitter,” the tipster said. “Just check out his tweets and you will see for yourself. Let me know if there’s anything I can do to help you catch him. Something needs to be done.”

Kohl’s agreed – and began investigating. The retailer examined the Twitter account, and the photos of receipts and Kohl’s Cash coupon codes that were posted, and managed to trace the account and the IP address to Gordon. “By comparing that IP address against records of logins to Kohl’s website, Kohl’s found that the IP address appeared to be connected to identity theft activity,” the criminal complaint explained. Over a period of several months, Kohl’s found that “several thousand login attempts to Kohl’s webstore were made from that IP address,” using “different, unique usernames and passwords to try to access the website.”

Kohl’s concluded that Gordon had set up his computer to automatically run a script, using “a database of email addresses and passwords, possibly stolen from another source,” and was “bombarding Kohl’s website with these credentials… A small percentage of the login attempts were successful and Kohl’s Cash certificates and their corresponding information (bar number, PIN number, etc.) was exfiltrated from the user’s account.”

In other words, Gordon had apparently accessed thousands of email addresses and passwords stolen from other online accounts, and used his computer script to rapidly try them out on Kohl’s website to see if they’d work there. “These types of credential stuffing campaigns are successful only when individuals reuse the same username/password combination for multiple online accounts,” prosecutors cautioned.
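The pattern described in the complaint (one IP address, thousands of login attempts with different usernames, a small percentage of them succeeding) is something a retailer can look for in its own login records. The following is an added example, not code from Kohl's or the complaint; the record layout, the sample data and both thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample of web-store login records: (source_ip, username, success).
# The addresses are documentation-range IPs and the usernames are made up.
def build_sample():
    records = []
    # One address trying 400 different usernames once each; 1 in 50 works.
    for i in range(400):
        records.append(("203.0.113.7", f"user{i}@example.com", i % 50 == 0))
    # A household: two people, repeated logins, one mistyped password.
    records += [("198.51.100.20", "alice@example.com", True)] * 5
    records += [("198.51.100.20", "bob@example.com", False),
                ("198.51.100.20", "bob@example.com", True)]
    return records

def find_stuffing_sources(records, min_usernames=100, max_success_rate=0.10):
    """Return {ip: stats} for addresses that tried many distinct usernames
    with a low success rate. Both thresholds are assumed values to tune."""
    attempts = defaultdict(int)
    usernames = defaultdict(set)
    compromised = defaultdict(set)
    for ip, user, ok in records:
        attempts[ip] += 1
        usernames[ip].add(user)
        if ok:
            compromised[ip].add(user)
    flagged = {}
    for ip, users in usernames.items():
        rate = len(compromised[ip]) / len(users)
        if len(users) >= min_usernames and rate <= max_success_rate:
            flagged[ip] = {
                "attempts": attempts[ip],
                "distinct_usernames": len(users),
                "success_rate": rate,
                # Accounts to lock, reset and review for drained balances.
                "accounts_to_review": sorted(compromised[ip]),
            }
    return flagged

if __name__ == "__main__":
    for ip, stats in find_stuffing_sources(build_sample()).items():
        print(ip, stats["distinct_usernames"], f"{stats['success_rate']:.1%}",
              len(stats["accounts_to_review"]))
```

The household address is not flagged because it shows few usernames and a high success rate, while the accounts listed for the flagged address are the ones whose owners need a password reset and a balance check.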

“Customers have complained about the loss of their Kohl’s Cash,” Kohl’s explained. “Kohl’s was able to determine that the customers’ Kohl’s Cash was used by persons connected to @OfficialJigLord’s activities.” Kohl’s reimbursed those shoppers, while @OfficialJigLord and his customers went on a spending spree.

Kohl’s found that Gordon and his wife Diana had made dozens of purchases on Kohl’s website and in local stores, using about $10,000 worth of stolen Kohl’s Cash. The other $90,000 worth was sold online.

@OfficialJigLord also sold customer rewards apparently stolen from other retailers, including American Eagle, Chick-fil-A, Qdoba, ULTA, Chipotle, Starbucks, Shell, Bath & Body Works, IHOP, Panera Bread and more. But there’s no record of those retailers notifying authorities about the thefts.

Kohl’s, however, did notify the authorities, who subsequently arrested Gordon, a Staff Sergeant and active reserve member of the U.S. Army, along with Diana Gordon, also a member of the Army Reserve. Back in August, prosecutors reached a deferred prosecution agreement with Diana Gordon for her role in the scheme, which will allow her to avoid punishment if she meets certain unstated conditions.

Robert Gordon, however, will not be able to enjoy such leniency. He’s due to be sentenced in January. And his former customers, in the meantime, will have to go back to obtaining their Kohl’s Cash the old-fashioned way – by earning it.
