According to court records, the brothers were members of FatWallet.com, an online coupon and shopping site that offers cash back incentives for purchases, and FatWallet paid the brothers cash back rewards for purchases made on Nordstrom.com.
The brothers found a way to exploit a flaw in Nordstrom’s online ordering system: they placed orders that Nordstrom would ultimately block, so no merchandise was shipped and no charge was made to their credit card. Nordstrom nevertheless continued to compensate FatWallet for those orders, and the brothers collected the cash back credit from FatWallet.
While the U.S. Attorney’s office did not provide technical details on how the brothers executed the fraud, business logic attacks like this abuse the intended functionality of a program rather than exploiting an application or server vulnerability, as many attacks do.
In total, the U.S. Attorney’s office said that from January 2010 through October 2011, the brothers placed a whopping $23 million in fraudulent orders through Nordstrom.com, resulting in Nordstrom paying $1.4 million in rebates and commissions to the fraudsters. More than $650,000 in fraudulent cash back payments were made directly to the brothers.
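The gap described above, a merchant paying affiliate commissions on orders it never fulfilled, is the kind of mismatch a payout-reconciliation check catches. The following is an added Python example, not code from the article or from Nordstrom or FatWallet; its order statuses, account names and amounts are constructed, and the eligibility rule is an assumed hardening, not the retailer's actual fix.

```python
# Added example: gate affiliate payouts on fulfillment and reconcile past payouts.
# All orders, conversions, account names and amounts below are constructed.
from dataclasses import dataclass


@dataclass
class Order:
    order_id: str
    customer: str
    status: str       # "placed", "blocked", "cancelled" or "shipped"
    captured: float   # amount actually charged to the card


@dataclass
class Conversion:
    order_id: str     # order the affiliate network was credited for
    payout: float     # commission / cash back sent for that order


def commission_eligible(order: Order) -> bool:
    """Hardened rule: pay out only for a shipped order with a real capture,
    never at order placement (the flaw: blocked orders still earned payouts)."""
    return order.status == "shipped" and order.captured > 0


def reconcile(orders, conversions):
    """Return order ids paid out without a qualifying order, plus the
    improperly paid amount per customer account (for velocity review)."""
    by_id = {o.order_id: o for o in orders}
    flagged, exposure = [], {}
    for c in conversions:
        o = by_id.get(c.order_id)
        if o is None or not commission_eligible(o):
            flagged.append(c.order_id)
            acct = o.customer if o else "unknown"
            exposure[acct] = exposure.get(acct, 0.0) + c.payout
    return flagged, exposure


# Constructed sample: one account repeatedly places orders that get blocked.
ORDERS = [
    Order("A1", "acct-1", "shipped", 120.00),
    Order("B2", "acct-7", "blocked", 0.00),
    Order("B3", "acct-7", "cancelled", 0.00),
    Order("C4", "acct-2", "shipped", 80.00),
]
CONVERSIONS = [
    Conversion("A1", 6.00), Conversion("B2", 25.00), Conversion("B3", 30.00),
    Conversion("C4", 4.00), Conversion("Z9", 10.00),  # Z9: no order record at all
]

if __name__ == "__main__":
    print(reconcile(ORDERS, CONVERSIONS))
```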