Updated on November 19 with a new Kaspersky report warning that Black Friday online shopping threats are now surging as attacks intensify.
A serious new warning has just been issued for web users ahead of the holiday season, with a dangerous new threat campaign that will lure millions of users into visiting websites that are not what they appear. Before you go bargain-hunting this Black Friday and Cyber Monday, make sure these websites do not ruin your holiday season.
This newly disclosed threat campaign “leverages the heightened online shopping activity in November, the peak season for Black Friday discounts,” EclecticIQ’s research team warns, with the scammers successfully stealing “cardholder data, sensitive authentication data and personally identifiable information (PII).”
The team attributes the campaign to the threat actor SilkSpecter, which it says leveraged legitimate payment processing providers to steal credit card details. Not only did the scammers craft discount lures and URLs to manipulate search results, but they also “enhanced the phishing site’s credibility by using Google Translate to dynamically adjust the website’s language based on each victim’s IP location, making it appear more convincing to an international audience.”
Whether you use Chrome, Safari, Firefox or Edge, which between them account for 93% of the global browser market share, there are some telltale signs that will help you spot malicious sites before it’s too late. These phishing domains “predominantly use the .top, .shop, .store, and .vip top-level domains, often typosquatting legitimate e-commerce organizations’ domain names to deceive victims.”
While the lures are blatant, with “80% off” tags to entice shoppers, such too-good-to-be-true deals are not quite so apparent during the holiday sales. The attacks are cleverly designed, with the scammers even deploying the same web trackers used by legitimate retailers, “including OpenReplay, TikTok Pixel, and Meta Pixel, to monitor the effectiveness of the attacks by collecting detailed activity logs from each visitor.”
The amount of data collected by such websites is dangerous, and includes phone numbers that “could enable attackers to conduct vishing (voice phishing) or smishing (SMS phishing) attacks, deceiving victims into providing additional sensitive information, such as 2FA codes… By impersonating trusted entities, such as financial institutions or well-known e-commerce platforms, SilkSpecter could very likely circumvent security barriers, gain unauthorized access to victim’s accounts, and initiate fraudulent transactions.”
As victims shop, their data is transmitted to an external server creating a treasure trove of valuable data that can be further mined beyond the initial lure.
While the attacks target US and European online shoppers, this is very much a Made in China campaign. The Content Delivery Network (CDN) that hosts the fraudulent imagery and other components is hosted in China, the sites themselves were hosted on Chinese infrastructure, and the domains “were tied to specific Autonomous System Numbers (ASNs) and domain registrants connected to Chinese companies.”
The team has published a list of known malicious domains.
But beware—there are upwards of 4,000 malicious domains, and so shoppers are advised to be careful when clicking on “URLs with themes like ‘discount,’ ‘Black Friday,’ or similar sales events. Additionally, look for the specific path ‘/homeapi/collect’ and domains incorporating ‘trusttollsvg’.”
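The indicators quoted above (the four top-level domains, sale-themed names, the ‘/homeapi/collect’ path and the ‘trusttollsvg’ marker) can be turned into a simple triage check for proxy or DNS logs. This is an added example, not code from EclecticIQ or the original article; the function names, scoring weights and sample URLs are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Indicators quoted in the article from EclecticIQ's reporting.
SUSPECT_TLDS = {"top", "shop", "store", "vip"}
LURE_THEMES = ("discount", "blackfriday")
BEACON_PATH = "/homeapi/collect"
DOMAIN_MARKER = "trusttollsvg"

def refang(url):
    """Undo common defanging (hxxp, [.]) so the URL parses normally."""
    url = url.strip().replace("[.]", ".").replace("hxxp", "http", 1)
    return url if "://" in url else "http://" + url

def score_url(url):
    """Return (score, reasons). The weights are an assumption of this example."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path.lower()
    # Drop separators so "black-friday" and "black_friday" match "blackfriday".
    flat = (host + path).replace("-", "").replace("_", "")
    reasons = []
    if DOMAIN_MARKER in host:
        reasons.append(("domain-marker", 3))
    if path.startswith(BEACON_PATH):
        reasons.append(("collect-path", 3))
    if host.rsplit(".", 1)[-1] in SUSPECT_TLDS:
        reasons.append(("suspect-tld", 1))
    if any(theme in flat for theme in LURE_THEMES):
        reasons.append(("sale-theme", 1))
    return sum(w for _, w in reasons), [name for name, _ in reasons]

def verdict(url):
    """Campaign-specific hits block; two weak signals together go to review."""
    score, _ = score_url(url)
    return "block" if score >= 3 else "review" if score == 2 else "allow"

# Constructed sample URLs (not taken from any published indicator list).
SAMPLES = [
    "hxxps://constructed-brand-blackfriday[.]shop/products/1",
    "https://checkout.constructed-store.example/homeapi/collect",
    "https://cdn.trusttollsvg.example/img/a.png",
    "https://www.retailer.example/black-friday/deals",
    "constructed-florist[.]shop/roses",
]

def triage(urls):
    """Map each URL to its verdict."""
    return {u: verdict(u) for u in urls}

if __name__ == "__main__":
    for url, result in triage(SAMPLES).items():
        print(f"{result:6} {url}")
```

A suspect top-level domain or a sale theme alone is scored low because legitimate retailers use both; only the combination, or a campaign-specific marker, raises the verdict.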
This follows a similar report earlier this month, with Human Security’s Satori team finding threat actors driving traffic to fake web shops “by infecting legitimate websites with a malicious payload… creating fake product listings and adding metadata that puts these fake listings near the top of search engine rankings for the items, making them an appealing offer for an unsuspecting consumer.”
Trend Micro offers these other danger signs for holiday shoppers to watch for:
- Too-good-to-be-true deals
- Poor design, typos, and insecure payment methods
- Lack of or suspicious contact info
- Lack of secure payment options like credit cards
- Unclear return or shipping
To frame the sheer scale of these threats as we enter the holiday season, Kaspersky has just issued an alarming report into “scammer Black Friday offers: Online shopping threats and dark web,” which should be required reading—at least the highlights—before holiday shoppers venture out onto the online ice.
The firm’s security researchers have already detected almost 200,000 “Black Friday-themed spam messages” since the beginning of the month, with this year proving to be something of a boom year for scammers. “In the first ten months of 2024,” the team warns, “Kaspersky identified more than 38 million phishing attacks targeting users of online stores, payment systems, and banks.”
And with a nice, holiday-themed twist, Kaspersky has also found that even “dark web sellers offer Black Friday discounts, just like regular shops.” Suffice to say, if you have concerns about regular online shopping and falling victim to scams, playing around on the especially thin ice of the dark web is definitely not for you.
Unsurprisingly, Kaspersky reports that “phishing and scams are among the top threats for online shoppers. Fraudsters often create fake websites, emails or ads that closely resemble those of legitimate retailers. Given that shoppers are often busy or distracted, they may not take the time to carefully review links or emails, which makes them more vulnerable to these threats.”
Equally unsurprisingly, according to Kaspersky the Black Friday threat is only getting worse. “Since many retailers rely on email to promote upcoming sales ahead of the holiday season, cybercriminals often exploit this by sending fraudulent messages with links to scam websites.”
Just as with SilkSpecter, Kaspersky finds that “scammers often impersonate major retailers like Amazon, Walmart or Etsy with deceptive emails to lure unsuspecting victims. These emails typically claim to come from the companies themselves and promote exclusive discounts, especially during high-traffic shopping periods like Black Friday. For example, one spam campaign circulating this year falsely claimed that Amazon’s ‘special buyers team’ had handpicked top items not to miss, offering an exclusive sale of up to 70% off. Emails like this are designed to exploit the urgency and excitement of seasonal sales to trick consumers into clicking potentially dangerous links.”
The team also echoes the SilkSpecter warnings, with “financial phishing and scams that fraudsters run during the Black Friday season, including fake pages that mimic bank websites, payment systems such as PayPal, Visa or Mastercard, and online stores such as Amazon, eBay or AliExpress, [targeting] victims’ login credentials and payment information or tricking users into transferring money to the scammers.”
Of all the threats intercepted by Kaspersky’s platform thus far in 2024, almost 40% “attempted to impersonate e-shops,” albeit the phishing threat directly targeting banking customers for their credentials was even more pervasive.
As the FBI itself has warned, “if a deal looks too good to be true, it probably is! Steer clear of unfamiliar sites offering unrealistic discounts on brand-name merchandise. Scammers frequently prey on Black Friday and Cyber Monday bargain hunters by advertising ‘One-Day Only’ promotions from recognized brands. Without a skeptical eye, consumers may end up paying for an item, giving away personal information, and receive nothing in return except a compromised identity.”