Holiday Scam Season Is Here for All Shoppers
The holiday shopping season is in full swing, with Black Friday and Cyber Monday just around the corner, and scammers have been getting ready to cash in on their fraud campaigns.
While some fraudsters target the online landscape, fooling shoppers with lookalike domains, others focus on customers of brick and mortar retail stores.
The latter take advantage of the flood of legitimate discounts to trick potential victims into giving information that could be used for attacks all year round.
Targeting brick and mortar store customers
Researchers at ZeroFOX combed the internet for holiday-themed fraud campaigns and found more than 60,000 potential scams, most of them aimed at consumers in the market for regular products that do not fit the luxury category.
The cybersecurity company noticed that the scammers attracted victims with the promise of gift cards, giveaways, discounts, or coupons.
Since user data was the coveted prize, all cybercriminals had to do was create an appealing post directing victims to malicious websites.
According to ZeroFOX, this type of post is likely advertised on social media and digital platforms.
The link in the post above leads to a landing page with multiple fake giveaways. The poor design of the page should serve as a warning, and so should the request to input personal information such as phone number, gender, date of birth, and street address.
Most of the keywords likely to lead to a retail scam that were noticed by the researchers during their study are related to gift-giving. However, posts from unknown accounts on social media that contain ‘holiday,’ ‘Christmas,’ ‘Thanksgiving’ or Black Friday and Cyber Monday should also be regarded with suspicion.
“In order to increase visibility, scammers often leverage hashtags in their posts, like #blackfriday, #cybermonday, and #giveaway. This makes these posts more likely to be shown to social media users, based on the social platform’s algorithms, and also makes them searchable. Similarly, scammers may leverage fake accounts to like and share or retweet these scam posts, giving them more legitimacy” – ZeroFOX
Online shoppers also at risk
Cybercriminals diversify their activity and create fake websites for popular brands. ZeroFOX researchers filtered 124,000 domains containing a brand name by the certificate issuer to determine how many were imitating a legitimate business.
Of the 26 brands selected for the report, Apple, Amazon, and Target were the most impersonated. Other big names in the same situation are Tiffany, Sony, Samsung, and Microsoft.
The number of fake websites popping up during the holiday season is on the rise this year, researchers from Check Point note in a report today. Compared to 2018, they observed a 233% increase in phishing URLs for online stores this year.
ZeroFOX says that the fraudulent domains they found can be spotted as they typically combine specific keywords (‘login,’ ‘verify,’ ‘free,’ ‘deal,’ ‘verification,’ ‘coupon’) with a call to action like logging in or verifying an account to continue. Some of the words
The researchers note that they did not check all the domains that came up during their search but the probability of them serving content is high since they all had a TLS certificate, which requires extra effort.
A small sample of the websites was verified, though, and the results were expected: phishing, giveaway/coupon scams, and some dubious Chrome extensions. The extension in the image above was served from a domain that impersonated Walmart and had more than 60,000 installations and many negative reviews.
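The brand-plus-keyword pattern ZeroFOX describes can be turned into a simple triage check for a list of newly seen domains. The Python below is an added example, not code from ZeroFOX or the original article; the allowlist of official domains, the sample domains, and the one-edit typo rule are assumptions made for illustration.

```python
import re

# Brands and keywords are the ones the article names; the allowlist of
# official domains is an assumption made for this example.
OFFICIAL = {"apple": "apple.com", "amazon": "amazon.com",
            "target": "target.com", "walmart": "walmart.com"}
KEYWORDS = ("login", "verify", "free", "deal", "verification", "coupon")

def edit_distance(a, b):
    """Levenshtein distance, used to catch misspelled brand labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(domain):
    """Return reasons a domain looks like brand impersonation ([] = no finding)."""
    domain = domain.lower().rstrip(".")
    # Naive registrable domain: last two labels. Use the Public Suffix List in production.
    if ".".join(domain.split(".")[-2:]) in OFFICIAL.values():
        return []  # the brand's own domain or a subdomain of it
    tokens = [t for t in re.split(r"[.\-_]", domain) if t]
    keywords = [k for k in KEYWORDS if k in domain]
    reasons = []
    for brand in OFFICIAL:
        if brand in tokens:
            reasons.append(f"brand '{brand}' used outside its official domain")
        elif keywords and any(brand in t for t in tokens):
            # Substring alone is too noisy ('pineapple'); require a keyword as well.
            reasons.append(f"brand '{brand}' embedded in a label")
        else:
            typos = [t for t in tokens if edit_distance(t, brand) == 1]
            if typos:
                reasons.append(f"label '{typos[0]}' is one edit away from '{brand}'")
    if reasons and keywords:
        reasons.append("call-to-action keywords: " + ", ".join(keywords))
    return reasons

# Constructed sample domains (not taken from the report).
SAMPLES = ["www.amazon.com", "amazon-coupon-deal.example", "amaz0n.example",
           "apple.com.login-verify.example", "pineapple-recipes.example"]

if __name__ == "__main__":
    for d in SAMPLES:
        print(d, "->", triage(d) or "no finding")
```

Findings are leads for an analyst to review, since a one-edit match can also hit ordinary words.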
Security researchers recommend caution during the holiday season, as cybercriminals are getting more creative by the year. It is easy to impersonate a popular brand these days, but avoiding becoming a victim is not that difficult.
A legitimate giveaway does not normally ask for more information than a contact detail, most of the time an email address, ZeroFOX notes. If more details are requested, chances are it is a scam.
Some advice to avoid falling for a scam:
- Be mistrustful of deals that are too good to be true. Huge discounts delivered over email from unknown senders are likely bait for a scam.
- Domain names for popular brands that have spelling errors or mistakes are not genuine.
- Don’t click on links in emails or social media posts; instead, search the web for a brand’s legitimate website to browse the deals available
Read the original article courtesy of BleepingComputer.com.