6 Real Black Friday Phishing Lures
As the mega-shopping day approaches, here's a look at six examples of phishing attacks - and ways to avoid taking the bait.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt9f2d1120366a54c2/64f0da345d2bd2023e862967/01-Page1.jpg?width=700&auto=webp&quality=80&disable=upscale)
Black Friday is expected to attract 115 million physical shoppers, making it the busiest holiday shopping day during the Thanksgiving Day weekend, according to a National Retail Federation report. And phishers are looking to get a cut of the action on Black Friday.
Last year, for example, Black Friday alone racked up approximately 770,000 financial phishing attack attempts, according to Kaspersky Lab's Beyond Black Friday Threat Report 2017. RiskIQ, meanwhile, discovered 19,219 URLs with the words Black Friday directing users to another page with malicious content, according to its recently released 2017 Black Friday e-Commerce Blacklist report.
Black Friday phishing scams run the gamut from unethical merchants duping users into visiting bogus high-end retail websites that sell them knock-off items at a "discount," to cyberthieves enticing users to visit malicious websites that steal their credit card and personally identifiable information.
"Cybercriminals use Black Friday to cover their attacks. They know that people are looking for a chance to buy expensive things at a much lower cost, so the phishers make sure they offer the best price, disguising themselves as well-known and trusted brands," says Nadezhda Demidova, lead Web-content analyst at Kaspersky Lab.
Here are examples of six real Black Friday phishing campaigns (five launched in the past month and one from 2015), and how to avoid falling for these types of attacks.
The Hook: Ray-Ban Black Friday phishing campaign offered 80% off regular prices.
Attackers' Technique: Used SEO poisoning to push their bogus Ray-Ban landing page link, www.rayban-outlet.us, to the top of Google searches when Ray-Ban and Black Friday were entered as search keywords, says Deepen Desai, senior director of security research at Zscaler. Once users clicked the link, they were automatically redirected to www.rb6.us. In an effort to make the fraudulent page look more authentic, the attackers even placed two reviews with a five-star rating on each item, Desai says. Users were then asked to either create an account or sign in to the bogus Ray-Ban site.
Cyberthieves' Purpose: Stole personally identifiable information (PII), such as first and last name, address, phone number, and email address, as well as credit card information and Facebook credentials, Desai says. Users also had the option of using their Facebook credentials to log into the bogus Ray-Ban site.
Avoiding the Bait: One telltale sign that a website may not be legitimate is its URL, Desai says. In the Ray-Ban case, the website claimed to be the official Ray-Ban site, but its URL was www.rb6.us, he notes. "Users should go to the official Ray-Ban site and make their purchase there," he says.
The Hook: Neuberger Berman phish offered a range of free merchant gift cards to users who filled out registration forms.
Attackers' Technique: Created a bogus free gift-card offer using a fake Neuberger Berman financial services website. Cyberthieves asked users to download a gift card registration document to fill out. But the malicious document, an HTML application file that used VBScript content, dropped and executed info-stealer malware, Zscaler notes in its report.
Cyberthieves' Purpose: Pilfered users' names, passwords, and online credentials.
Avoiding the Bait: "Whenever users open a document and see a button they are supposed to click on to see more content on another document, then 100% of the time it is a malicious document," Desai says. Usually, he adds, legitimate attachments allow users to view all of the content upon downloading and opening the attachment.
The Hook: Bogus Apple iPhone giveaway lured contestants with a free iPhone 6.
Attackers' Technique: Fake Apple email called on users to participate in a Black Friday contest to win a free iPhone 6. But users needed to enter their personally identifiable information into the form. While this particular phishing campaign took place in 2015, Desai says he anticipates similar Black Friday phishing campaigns will emerge for the recently released iPhone X.
Cyberthieves' Purpose: All the PII collected in the campaign was sold to other attackers in underground forums, Desai says. "In at least one case, I saw users were also asked to pay for shipping fees to send the device to them. A small percentage of them fall for this financial scam," he notes.
Avoiding the Bait: Users should study the domain name carefully when they get emails with Black Friday offers that appear too good to be true, Desai says. Although tier 3, or top-level domain (TLD), names such as .blackfriday and .blackfridaysale are legal, Desai cautions users to be skeptical. Attackers and unethical merchants can't register domain names that are already taken, such as apple.com, but they are free to use something similar, like apple.blackfriday, he adds. "I would check the domain name and see who the site is registered to and then see if they are on Apple's list of authorized dealers," advises Desai. Websites like Whois Lookup allow users to enter a domain name and view the registrant.
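The URL checks recommended for the Ray-Ban and Apple lures above can be automated. The following Python is an added example, not code from the article or from Zscaler: it reduces a URL to its registrable domain, compares that against a constructed allowlist of official brand domains (assumed values), and flags hostnames that merely contain the brand name (apple.blackfriday, rayban-outlet.us) or have no relation to the claimed brand at all (www.rb6.us). The multi-label suffix table is a deliberately small stand-in for the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domain(s) this example treats as
# official for each brand named in the article (assumed for illustration;
# a real deployment would load a vetted list of authorized-dealer domains).
OFFICIAL_DOMAINS = {
    "ray-ban": {"ray-ban.com"},
    "apple": {"apple.com"},
    "amazon": {"amazon.com"},
    "michael kors": {"michaelkors.com"},
}

# A few multi-label public suffixes so the registrable domain is computed
# correctly for them; a production tool would use the full Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}


def registrable_domain(hostname):
    """Return the part of a hostname the registrant actually owns, e.g.
    'shop.apple.com' -> 'apple.com', 'apple.blackfriday' -> 'apple.blackfriday'."""
    labels = hostname.lower().strip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def classify_url(url, claimed_brand):
    """Classify a URL against the brand the page claims to represent.

    'official'  - registrable domain is on the brand's allowlist
    'lookalike' - brand name appears in the hostname but the registrable
                  domain is not official (apple.blackfriday, rayban-outlet.us)
    'unrelated' - no brand reference at all (www.rb6.us posing as Ray-Ban)
    """
    brand = claimed_brand.lower()
    host = (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()
    if registrable_domain(host) in OFFICIAL_DOMAINS.get(brand, set()):
        return "official"
    # Strip separators so 'rayban', 'ray-ban' and 'michaelkors' all match,
    # and so a brand hidden in a subdomain (apple.com.evil.example) is caught.
    squashed_host = host.replace("-", "").replace(".", "")
    squashed_brand = brand.replace("-", "").replace(" ", "")
    if squashed_brand in squashed_host:
        return "lookalike"
    return "unrelated"
```

Only "official" should be treated as safe; a "lookalike" verdict is the cue to do the Whois and authorized-dealer check Desai describes, and "unrelated" means the page's branding does not match where the browser actually is.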
The Hook: A free, preloaded Amazon gift card to users who registered for Black Friday rewards.
Attackers' Technique: A bogus Amazon website prompted users to sign into their account or create a new one, in order to participate in an Amazon Black Friday preloaded gift card offering, says Fleming Shi, senior vice president of technology for Barracuda. In addition to asking for users' PII, the attackers tried to instill a sense of urgency by stating users needed to unlock the malicious Amazon Gift Card by midnight if they planned to use it on Black Friday.
Cyberthieves' Purpose: "They ask for your Amazon log-in information and then go into your Amazon account," Shi warns. "Once they're in your account, they can get a lot of your information." The attackers also wanted to sell victims' PII on the Dark Web, he says. In this particular campaign, Barracuda addressed 30,000 Black Friday phishing incidents over several days, Shi says. Phishers have also used similar ploys with Kohl's and Walmart gift cards.
Avoiding the Bait: Check for the gold shield certificate in the upper-left-hand corner, or a lock in front of the URL, which can be clicked to verify the name of the website, Shi says.
The Hook: Steep 80% Black Friday discount offered on fake Michael Kors handbags.
Attackers' Technique: Users were lured by phishing emails to a bogus Michael Kors website, where they found bargain-basement prices for the retailer's high-end handbags. The fake Michael Kors site was aimed at duping users into believing they were purchasing designer goods, when in reality they were receiving knockoffs, says Shi.
Cyberthieves' Purpose: These unethical merchants were engaged in "brand hijacking" by selling knockoff Michael Kors merchandise, Shi says, and the Michael Kors phishing incidents reached 100,000 users. Similar fraudulent scams impersonated Ugg and Pandora, generating 2,000 phishing incidents each.
Avoiding the Bait: "This Michael Kors phish was obvious. There was no certificate on the site," Shi says. Also, "The Michael Kors website they used looks cheesy and it doesn't even have the same logo as the real website." Part of the problem is that users frequently purchase items from third-party websites, such as Amazon.com, and do not have a sense of the retailer's real website, Shi surmises. "If they went to the real Michael Kors website, they would have caught this," he adds.