Black Friday is widely regarded as the beginning of the US (and increasingly global) Christmas shopping season. Cyber Monday, which comes three days later, was created to persuade people to shop online more. They are a huge boon for retailers, both online and offline, but also for cybercriminals.
As these “shopping holidays” approach, phishers are impersonating e-commerce and consumer brands and bombarding inboxes with fake deals and gift cards. They try to create a sense of urgency (“The deal expires at midnight!”), offer massive discounts, and even make an appeal to the customers’ better selves (“The profits of this activity will be donated to European refugees!”).
Each campaign, no matter which brand it impersonates, bypasses spam and security filters by using URL shorteners and redirectors, and hits the inboxes of thousands of potential holiday shoppers.
And the victims don’t even have to click on the “Buy” button included in the email to be redirected to a phishing site mimicking that of the impersonated brand: the attackers embed malicious hyperlinks in every part of the email (images, text, etc.).
The phishing sites might not be exact copies of retailers’ and brands’ sites, but they look legitimate enough to users who don’t know better or are temporarily “blinded” by the good deals.
“The goal is to convince consumers to register or log into what they think is their real Amazon or Walmart account in order to receive a gift card. Sadly, no gift card or bonus bucks will be received, but instead consumers end up surrendering their account credentials — which can lead to all types of destructive behavior,” Barracuda Networks researchers warn.
“Cybercriminals can steal account credentials and log into these accounts, and both retrieve credit card information, additional personal information, and learn about a user’s shopping history for future social engineering attacks.”
They advise users to be extra careful when evaluating the legitimacy of Black Friday/Cyber Monday deals that land in their inboxes and to never click through them, even if they look genuine. “Go directly to the intended site and look for the product deal and avert possible threats,” they urge.
It’s also a good idea to stick to purchasing items from sites that send customers’ credit information over an encrypted connection (i.e. https).
Mobile users are less likely to fall for this phishing approach, as they tend to use specific trusted apps for their shopping rather than going through websites. They are also less likely to visit fake, fraudulent stores impersonating popular brands.
Domain squatting and malware
Zscaler researchers have observed multiple instances of malicious actors squatting on domains under the “.blackfriday” TLD.
“This domain is meant specifically for pages dealing with Black Friday sales, and is commonly used by various corporations to link to sales on their online stores or to Black Friday marketing content,” they explained.
Unfortunately, criminals are taking advantage of its existence and register domains like gooogle[.]blackfriday to deliver both phishing pages and malware (often an information-stealing Trojan).
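As an added illustration (not code from the article or from any of the vendors it quotes), the following Python script scans an HTML email body for the link patterns described above: URL shorteners and redirectors, links hidden behind images or text that name a brand the link does not actually go to, and .blackfriday domains that are near-misses of known brand names. The shortener list, brand list and sample email are constructed for the demo.

```python
# Added example; the email body, shortener list and brand list are constructed.
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}  # assumed watchlist
BRANDS = ["amazon", "google", "walmart"]                  # assumed watchlist

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs; image alt text counts as visible text."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
        elif tag == "img" and self._href:          # link wrapped around an image
            self._text.append(dict(attrs).get("alt") or "")
    def handle_data(self, data):
        if self._href:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def lookalike_brand(label):
    """Brand that a domain label imitates ('gooogle' -> 'google'), or None."""
    if label in BRANDS: return None
    hits = difflib.get_close_matches(label, BRANDS, n=1, cutoff=0.8)
    return hits[0] if hits else None

def triage(html):
    """Return (href, reason) pairs for links matching the phishing patterns."""
    parser = LinkExtractor(); parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        parts = host.split(".")
        if host in SHORTENERS:               # shortener hides the real destination
            findings.append((href, "url shortener"))
        if len(parts) >= 2 and parts[-1] == "blackfriday":
            brand = lookalike_brand(parts[-2])   # e.g. gooogle[.]blackfriday
            if brand:
                findings.append((href, f"lookalike of {brand}"))
        for brand in BRANDS:                 # text names a brand the link avoids
            if brand in text.lower() and brand not in host:
                findings.append((href, f"text says {brand}, link goes to {host}"))
    return findings

SAMPLE = ("<a href='https://bit.ly/bf-deal'><img src='cid:x' alt='Amazon Black Friday'></a>"
          "<p>Claim your <a href='http://gooogle.blackfriday/gift'>Google gift card</a> by midnight!</p>"
          "<p><a href='https://www.amazon.com/deals'>Amazon deals</a></p>")
```

Running `triage(SAMPLE)` flags the shortener and the gooogle[.]blackfriday lookalike while leaving the genuine amazon.com link alone.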
Fake emails as way into the corporate network
“Generic” phishing emails are sent out indiscriminately, which means that potential victims might receive them through their business email accounts.
But, according to Zscaler, Black Friday-themed spear phishing emails are not unheard of.
“More sophisticated ‘spear-phishing’ attacks target individual users or organizations by mimicking a source that is unique to them, such as their employer or business associates. The combination of these spear-phishing techniques with Black Friday branding, especially when linked with phrasing that would suggest sales, bargains, or contests, can significantly increase the likelihood that targeted users will fall victim to the malicious campaign,” they pointed out.
In the example depicted above, the embedded application installs malicious software onto the victim’s computer.
Carbon Black researchers say that organizations saw a 20.5% increase in attempted cyberattacks between November and December of 2016. If this trend continues in 2017, organizations should be extra vigilant, as these attacks often begin around the Thanksgiving holiday, they noted.
“Users are specifically targeted during this time of year by malicious campaigns that offer timely incentives to clicking on web links and opening attachments. Research of known attacks shows adversaries using such topics as the danger of Christmas tree fires, delivery of gift cards, or just shipping notifications,” they shared.