Black Friday Shoppers Targeted By Scams and Fake Domains

Cybercriminals are tapping in on Black Friday and Cyber Monday shoppers with an array of scams and malware – including domain impersonation, social media giveaway scams, and a malicious Chrome extension.

Black Friday and Cyber Monday-related scams are nothing new — but researchers warn that this year,  they are seeing an uptick in scams using more sophisticated methods to lure users to hand over their payment data.

Research released Tuesday by ZeroFOX uncovered some of the threats that attackers are using to tap into the Black Friday shopping craze, including social-media scams and domain-impersonation scams. These scams are either stealing credentials or payment data from unsuspecting shoppers, or distributing malware onto their systems, said researchers. And they’re using tricks to target the most victims as possible, including purporting to be exclusive, limited-time free giveaways offerings, or telling victims they need to further share the scam on social media in order to unlock further deals.

“We do tend to see an uptick each year in scams that are targeting consumers as the holidays roll around,” Ashlee Benge, threat researcher at ZeroFOX, told Threatpost. “I thought it was interesting that in particular, a lot of the giveaways are more sophisticated than they have been in years previously…. they are using more of these lure words that instill a sense of urgency in potential victims.”

Listen to the Black Friday podcast below or download direct here.

Below is a lightly-edited transcript of the Threatpost Podcast

Lindsey O’Donnell Welch: Hi, everyone and welcome back to the Threatpost Podcast. It’s Thanksgiving week here in the US and with Thanksgiving comes Black Friday and Cyber Monday. And everyone in the U.S. knows that Black Friday and Cyber Monday are incredibly lucrative targets for hackers. So we’ve got Ashlee Benge, Threat Researcher at ZeroFOX to discuss Black Friday scams, malware and phishing trends. Ashley, thanks so much for joining me today.

Ashlee Benge: Yeah, no problem. Thank you for having me.

LO: Yeah. So we’re going to discuss a new report that ZeroFOX had released actually today that track these types of scams and malware. So just to get started, can you give us the methodology and background of this report, what did you guys track and specifically look for?

AB: Sure, so using our security platform, we were actually able to go ahead and pull in a whole bunch of data from all the sources that we usually scrape from. And so in particular, we were looking at 26 different brands that range from brick and mortar retail stores, to electronics brands to luxury goods, kind of trying to get a feel for a range of different retailers and range of different types of consumers. And so then in that data set, pulling from all these social media sites, as well as paid sites and things along those lines, we looked for scams that were related to Black Friday, we actually found a ton. We identified over 60,000 and then in particular, we identified a bit over 10,000 that were using Black Friday, as kind of a hook to try and get people to click on these scams.

LO: Right, yeah, I think that’s one thing that stood out to me for the report was just the sheer number of scams that you guys discovered. I think like you said it was over 61,000. And that was just between November 1 and November 20, right?

AB: And it’s not super surprising. I think this is something we see every year. You know, obviously, consumers are just as savvy as as attackers are. And so if attackers are able to capitalize on a holiday to try and make people click, taking advantage of that sense of urgency that people have when they start their holiday shopping, they know that they’re probably going to be more successful. And so it kind of does match what what we would expect there.

LO: So what were the various brands that you guys had tracked? And, you know, on that note, what was the most lucrative ones that hackers are really targeting?

AB: Sure. So we actually saw that the primary target of most of these attackers was brick and mortar stores. So this was large brands that have a physical store. Some of the bigger ones would be Walmart and Target. And we also saw that electronics bids were also highly targeted. So Apple was one of the bigger ones. We also saw in the luxury brands that we were looking at, Tiffany Jewelry was a big one. And the luxury goods were actually a smaller percentage of the overall scams we identified. The vast majority were targeting brick and mortar stores at 92%. And it does make sense, this matches what we would expect given that a larger number of people are probably going to be shopping at a traditional brick and mortar store versus looking for really high end jewelry or other luxury goods. And then in addition, brick and mortar stores usually are carrying a diverse type of goods. So they may also be carrying high end goods or jewelry or electronics on top of other offerings. So we did see that primarily scammers are targeting those big brick and mortar store.

LO: Yeah, I mean, that definitely does make sense. Although I was surprised that online marketplaces like Amazon, I was thinking they might be more popular. But you guys do mention in the report that they were more targets of kind of impersonated domains for those online stores. So I guess that would also make sense. But in terms of scams, what were some of the scams that you guys saw that were working and were they specifically mentioning, you know, Black Friday, Cyber Monday, what were some of the top hooks there?

AB: So usually the way that these scams work, and the majority of the ones that we identified, was that there was a social media post of some kind. And Twitter and Facebook are both really big for this because the content tends to be more public. And in this post, they would use some kind of catchy graphic. And usually, these types of scams are offering something for free. And usually it’s a gift card or some kind of free good that they’re pretending like they’re going to give away. And so if people who fall victim to these scams click on a link to some kind of external domain, they are then prompted to enter varying levels of personal information: everything from an email, to an address to credit card information, in the hopes of being entered to win some kind of free good. And so this is kind of clever for attackers to do this on social media, because if you use hashtags, especially on Twitter, you’re actually able to search by those hashtags. And so attackers are able to make their scams much more public than they otherwise would be because they’re actually indexing them into these searches. And so, we saw often that these were, you know, something that were scams that were pretending to give something away for free. And because of that, it does make sense that the brick and mortar retail stores were targeted more often in these types of attacks. We also did quite a bit of research into domains that were impersonating big brands in the group that we looked at for this study. And there, we saw that Amazon and Apple were actually impersonated most often, which given the type of store that Amazon is, where it only has that online presence, would seem to match what we would expect, where it would probably be personated most often in that domain. So overall, something for nothing being offered a majority of the time. And you know, that really kind of drives a lot of people falling for these scams because the holidays are impending. A lot of people are trying to do their shopping. And that’s a really attractive idea, if you have a lot of a lot of people to buy gifts for that you could maybe get a free gift card to kind of help you out with that shopping.

LO:  I think that the social media hook here is is really interesting because I feel like you’re right the use of those hashtags like #giveaway, #CyberMonday are obviously going to increase kind of the audience that is targeted. And we’re seeing that too just in general as well like with if you remember the cash app giveaway scam, that’s was kind of going, definitely seeing that a lot and then also like Bitcoin giveaway types of scams. But I’m curious did you see any types of scams that were specifically targeting people via email via phishing? Or was it mostly on social media?

AB: In this case, mostly social media. A lot of these giveaway scams I think you could almost classify as phishing attacks in the way that they’re impersonating these brands. And so oftentimes in that external website that was linked to in the original social posts, a lot of the the images and the branding around the giveaway forms was intended to look like it was coming from the actual manufacturer of the goods and so one of the more common ones we saw with phones, both iPhone and also Samsung Galaxy phones, were often offered in these giveaway scams, and a lot of the branding there is directly ripped off from the legitimate site. And so they’re impersonating the brand in such a way to make it look more attractive and more realistic. And this, of course helps these attackers get more personal information out of their victims, because if it looks like it’s coming from that legitimate brand, then people are more likely to actually put in their credit card information even though there’s not really any good reason for it.

LO: Yeah, when you were looking at these impersonated domains for you know, Apple or Amazon or Target, how sophisticated were they? They probably were using the brands but were there any kind of telltale signs or red flags on on these types of domains or were they just super sophisticated?

AB:  Most of the time, they’re not actually particularly sophisticated. There’s usually a little bit of a tell in the in the actual design of the site where it’s just not up to par with the graphics you come to be accustomed to from legitimate websites. And so if you have experience looking at the real site, if you’ve seen that before, and you would probably be able to tell that you weren’t on that site. But if you’ve never seen the official website for the page, then it probably wouldn’t seem that suspicious to you. But we in general, these are not as sophisticated as you would maybe expect. And I think a lot of that has to do with these attackers just intending to blast as many of these pages out as possible, hoping to get that kind of like numbers game in place where even if it’s not a particularly good impersonation, someone somewhere will click on it if they have, 60,000 of these going as we saw.

LO: Right, and you guys also pointed out to some of the suspicious words to look out for on these domains that might serve as sort of clues or breadcrumbs that these are malicious sites. And those included phrases like I think you said, “login,” “verify” “verification,” things like that. So that’s definitely something to look out for too. And, you know, with a lot of these landing pages, a lot of these sites don’t even have a login or people haven’t ever signed up before. So that could definitely be a telltale sign too. So I thought that was interesting.

AB: Right. And we also see often that they really stretch that there’s a limited time period for these giveaways. And if you ever see something with a banner that says something like “exclusive offer” or “limited time only,” you know, there are legitimate cases where that’s used, but a lot of the time, it’s really just intended to instill that sense of urgency in potential victims so that they feel pressured to put in their information.

LO: Right. And then in terms of malware, is there any malware that you’re seeing in the marketplace right now that are related to Black Friday scams or just kind of an increase in the holiday shopping in general? I know that point of sale malware is always a big one. Anything else you’re seeing out there?

AB: Yeah. So one of the most  interesting things that came out of this research was actually a malicious Chrome extension that we identified. And so this Chrome extension was being pushed by a domain that was impersonating Walmart. And before the site would let you navigate to the landing page, it threw a pop up that requested you install this so called private browsing extension. And when we took a look at this extension, it actually had over 60,000 installs, suggesting that a lot of people had actually fallen for this scam. And if you took a look at the reviews, it became pretty obvious even without doing an in depth analysis of what the extension was doing, that it was malicious. And we actually saw even reviews that indicated that the people who had fallen for it, had actually been extorted by the developers and the developers had told them that if they didn’t give up their social security number that they would shut down and hack the victims’ computer and the victim felt like they were forced to ultimately give away this information. And so that was definitely concerning. I’ve never really seen an instance of direct extortion like that. And so I think the number of installs and the fact that the developers are actually going as far to do that indicate how severe that is.

LO: Wow. Yeah, that is definitely, especially the 60,000 installs. That’s pretty high number of installs there. And so this was stemming from an impersonation domain for Walmart? And then what would the user have to click on something or some sort of lure and then it would install the Chrome extension? Or what was the attack vector there?

AB: Correct. So the user would click on the on the impersonating domain of Walmart. And the first thing that the user would see was a pop up that they actually had to install this extension in order to be able to navigate to the site. And if you clicked on on the link to go install that browser extension you would then be directed to this so-called “private browsing extension” that the impersonating site was claiming would allow them to browse to it. And so the impersonating site was actually luring people into installing this Chrome extension.

LO:  That’s definitely a malicious application there.

AB:  Right. Yeah, I don’t think there’s any legitimate use case for that.

LO:  I’m curious too when you look at the findings in your report, do you have any sort of comparison to how this is in compared to previous years? I mean, would you say that malicious activity has ramped up at all when it comes to Black Friday or Cyber Monday? Or are there also any new trends in terms of how these scams are launched or how malware has evolved that may have impacted Black Friday cyber criminal activity this year at all?

AB:  So we do tend to see an uptick each year in scams that are targeting consumers as the holidays roll around. I thought it was interesting that in particular, a lot of the giveaways are more sophisticated than they have been in years previously. And they’re still not operating at a particularly high level of sophistication. But they are using more of these lure words that instill a sense of urgency in potential victims. A lot of times we also see those malicious hashtags being used where attackers are savvy that their posts are being indexed by the social media sites, and they’re taking advantage of that indexing in order to push them in greater numbers. And I think we’re also seeing an uptick in the way these things are shared on social media, because oftentimes with the giveaways, after users input their personal information, they’re also indicated that they have additional chances to get more entries if they share the posts on social media.

And so attackers are not only fishing for sensitive information from their victims. They’re also getting their victims to share these posts, which makes them more likely to be seen by the victims’ connections on social media. And so they’re actually taking advantage of people in two ways where they’re getting those personal information that personal information can be used to, you know, devastate someone financially or for further malicious attacks, depending on the attackers’ goals, but also they’re getting their victims to push these scams and potentially having their friends scammed as well.

LO: Right. So they’re really doubling down there. That’s really interesting and a big threat to be looking out for. What would your top advice be to consumers who are about to go do their holiday shopping online in terms of looking out for some of these scams or some sorts of malware in the wild right now?

AB: I think the biggest thing that people can keep in mind is that if something seems too good to be true, it probably is. And I know that’s not a particularly new or exciting adage, but it does hold up over time I think because attackers are using the holidays to promote these scams and they know that people are intending to spend money. And if you are not, you know in a financial position to be spending as much money as you would like, or you have a huge gift list that you’re trying to fill, you may be more likely to fall for these scams. And so they’re taking advantage of that sense of urgency in order to push these. And I would also say that if you are looking to find the actual website of the company you tend to do some online shopping with, it’s really important to verify that the domain matches what you would expect. And so if you were to try and purchase something from Target, say, and you were to navigate to a domain that looks anything different from the actual target domain, it’s probably malicious. And if you are entering a giveaway because there are cases where giveaways are legitimate. If you ever asked for anything outside of your email address, it’s probably a scam, there’s not really any reason for giveaways to be asking for your social security number or credit card information. And so it’s really important that people exercise discretion in order to avoid being scammed.

LO: Great. Well, those are really important points to keep in mind as we enter the holiday season. So Ashlee, thank you again for joining us on the Threatpost podcast to talk about some of the biggest takeaways from your research in terms of scams and phishing and malware and all that other malicious activity.

AB: Yeah, thank you very much for having me. Appreciate your time.

LO: Great. And for everyone else. Thank you for listening to the Threatpost podcast today. Please take these pieces of advice into consideration while you go about your Black Friday and Cyber Monday shopping and have a great Thanksgiving.

Also, check out our podcast microsite, where we go beyond the headlines on the latest news.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.