Slide Show: Top 10 Holiday Phishing Scams
The following scams demonstrate the ways attackers are crafting their messages during the holidays
Not everyone is full of cheer and goodwill this holiday season. In fact, many cybercriminals are planning on taking advantage of people's high spirits to trick them into divulging information, clicking bad links, and opening malicious attachments. All it takes is the perfect combination of persistence and smart social engineering:
Now's the time of year to participate in office pools on holiday bowl games--and the bad guys are hoping to jump in on the action. Watch out for phishing scams trying to play to your urge to watch games online.
"The spam messages claim to offer ways to watch live streaming video of American football games, which have been posted by bogus or compromised Facebook accounts," says Beth Jones, senior threat researcher for Sophos Labs U.S. "Clicking on the links will take you to a Web page which asks you to hand over your email address, claiming that you will be sent a program that will allow you to watch live streaming video of football games."
There's nothing like cute images to convince people of the legitimacy of a scam message. In this case, Santa's waving at them to convince them that they've received a Secret Santa gift through a malicious site.
"Recipients of this email should Google the domain of the sender of the email address," warns Norman Sadeh, CSO and co-founder of Wombat Security Technologies. "If this is not a legitimate site, the email should be deleted or reported to their IT department if they received it in their business email inbox."
Attackers are crafting messages this holiday season that convince recipients that the email in question includes an attached iTunes gift card. Of course, the attachment is the bad guys' malware payload, not a payday for the dupe.
"Malware included as an attachment in an email remains the most common and most effective attack facing this season's cyber shoppers," says Adam Powers, CTO of Lancope. "Cash-strapped holiday shoppers will jump at the opportunity to get something for nothing, especially when it's a re-giftable item such as an iTunes gift card."
It might give you the warm-and-fuzzies to receive e-cards from a special someone, but phishers love to prey on that feeling by using the prospect of such a missive as a way to lure people to malware-ridden sites.
"In this example, the domain name in the from email address doesn’t match the domain name in the URL. We recommend that a user delete this e-card and not take the risk of opening it," says Norman Sadeh, CSO and co-founder of Wombat Security Technologies.
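A minimal version of the check Sadeh describes (sender domain versus link domain), as an added example that is not from the article or from Wombat; the e-card message and every domain in it are constructed placeholders:

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample e-card message; all domains are placeholders in the reserved .test TLD.
SAMPLE_ECARD = b"""From: Holiday Greetings <cards@example-ecards.test>
To: recipient@example.org
Subject: You have received a holiday e-card!
Content-Type: text/html; charset=utf-8

<html><body>
<p>A friend sent you a holiday e-card.</p>
<p><a href="http://cards.example-ecards.test/view?id=123">View your card</a></p>
<p><a href="http://download.not-the-sender.test/ecard.exe">Download the card</a></p>
</body></html>
"""

def sender_domain(msg):
    """Return the domain of the From address, lower-cased."""
    addr = msg["from"].addresses[0].addr_spec  # policy.default parses the header
    return addr.rsplit("@", 1)[1].lower()

def link_domains(html):
    """Return the host part of every href in the HTML body."""
    hosts = []
    for href in re.findall(r'href=["\']([^"\']+)', html, flags=re.I):
        host = urlparse(href).hostname
        if host:
            hosts.append(host.lower())
    return hosts

def same_site(host, domain):
    """True if host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)

def mismatched_links(raw):
    """Return link hosts whose domain does not match the From domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = sender_domain(msg)
    body = msg.get_body(preferencelist=("html",)).get_content()
    return [h for h in link_domains(body) if not same_site(h, sender)]

if __name__ == "__main__":
    for host in mismatched_links(SAMPLE_ECARD):
        print("link host does not match sender domain:", host)
```

A mismatch is a signal to delete the message rather than open it; a match is not proof of legitimacy, since the From header itself can be forged.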
Researchers warn users to be wary of emails or Facebook posts offering free gift cards out of the blue or in return for completing surveys. Often these surveys are trolling for sensitive information the crooks can use to steal your account information.
"The screenshots illustrate a recent Facebook scam for a free £150 gift card from Morrisons. Users have to share the page and comment 'Thanks!' At that point, another gift card for Argos appears, which launches a scam survey form," says Beth Jones, senior threat researcher for SophosLabs U.S.
Mobile marketers are utilizing quick response (QR) codes to give consumers a way to use their smartphone barcode scanner to quickly link to a site with more information on something or even for coupons. But the bad guys are taking advantage of QR codes as well.
"We’re seeing QR codes, or quick response codes, everywhere these days from product packaging to magazine ads to display cases. Around the holidays, consumers will often scan QR codes with their smartphone to find shopping deals on holiday gifts," says Gary Davis, director of consumer product marketing for McAfee. "Unfortunately, however, cybercriminals are also using QR codes -- to embed malicious links that take consumers to malicious sites, rather than to the great shopping deal they were expecting."
An old favorite trick of phishing crooks is to convince users that a recent direct deposit, ACH transfer, or other bank transaction didn't go through, in order to get them to open a malicious attachment supposedly containing the transaction details. With consumers worried about ready cash for holiday shopping and travel, these malicious messages are likely to resonate with more victims. Don Jackson, director of the Counter Threat Unit at Dell SecureWorks, has seen many of these messages continuing to circulate this holiday season.
"While these occur throughout the entire year, they are particularly effective right now, as everyone is eager to get their gifts that they ordered online, and will often freak out if they think there's a problem and forget common sense safety measures," says Rod Rasmussen, president and CTO of IID (Internet Identity). "Here is a picture of a typical malware-attached e-mail that showed up in my own mailbox this morning. The payload was only detected by 6 of 43 A/V products according to VirusTotal. So this is likely to infect most people who open it."
Since just before Thanksgiving, there's been an uptick in phishing email exploits related to online travel bookings. Shown here are two examples of fraudulent emails posing as airlines that take advantage of holiday travel trends.
"The American Airlines example, after a few redirects, eventually points to a BlackHole exploit kit. The kit fires a barrage of exploits until it successfully injects malware (Bugat) onto the victim’s computer. Once installed, it uses grabbing and keylogging techniques to capture credentials for Facebook and various bank accounts, and reports this data back to a Command & Control (C&C) server," says Lance James, director of intelligence at Vigilant. "[The Delta example] uses the same technique described above, and also executes a secondary payload, the Cutwail spambot, that enables it to spread further. In this case, one interesting effect – though probably unintended – is that it caused users of tripit.com to inadvertently advertise on social networking sites trips they were 'planning' to take that they had not actually scheduled."
Cheery folks looking to deck the halls and the desktops are in for a shock when they find out that the site they downloaded that holiday screensaver from was actually a malicious site.
"Bringing holiday cheer to your home or work PC sounds like a fun idea to get into the holiday spirit, but be careful," says Gary Davis, director of consumer product marketing for McAfee. "A recent search for a Santa screensaver that promises to let you 'fly with Santa in 3D' is malicious."