What to expect from mass discounting and shopping days: threat horizon for Black Friday and Cyber Monday

Hello readers!

Pay close attention to today's post because we bring you an article about the cyberthreats that we can face these next days of Black Friday and Cyber Monday!

The large volume of purchases made over the Internet during sales and festive periods is a favorable environment for cybercriminals to launch cyberattack campaigns, mostly aimed at obtaining users' banking information, such as credit card numbers, expiration dates and CVV codes. This is the reason for the proliferation of fraudulent websites that impersonate all kinds of companies involved in the distribution chain of the most sought-after products. With the arrival of Black Friday on November 24th and Cyber Monday on the 27th of the same month, it is worth reminding users of some of the most common scam attempts that take place during these days so that they can identify them in time and avoid becoming victims of a cybersecurity incident. It should be noted that, during these dates, cybercriminals very commonly use social engineering to lure potential victims with offers related to products, services or jobs that turn out to be false. This is achieved mainly through slogans or graphics that are particularly appealing to users, such as "Black Friday sale", "Cyber Monday 75% discount" or "90% discount on top brands".

Regarding the scam methods most commonly used by cybercriminals during these dates, fraudulent emails and SMS messages undoubtedly continue to stand out. Through them, attackers distribute links to phishing websites or malware payloads to lists of users, generally in bulk, so that the payloads are executed on the victims' personal devices and personal and/or banking information can be harvested. Within this type of scam there are several kinds of lures, such as fake delivery notifications, fake raffles or fraudulent gift cards.

Firstly, fake delivery notifications usually impersonate the most popular parcel delivery companies, such as Correos, Amazon or UPS, by sending users e-mails claiming to have a package that is awaiting delivery. In order for this supposed package to be delivered, the e-mail informs potential victims of the need to make a prior payment, for which purpose they are provided with a link to an external website where, as a general rule, they must enter their bank information (card number, expiration date and CVV).

Illustration 1. Fake delivery notification email

Secondly, sending fraudulent text messages or emails informing users of a supposed raffle they have won is also one of the most common scam methods at this time of year. In these messages, the attackers impersonate a well-known company, Amazon in the case of the following example, assuring the victims that they have won a raffle whose prize they can claim by accessing a link provided in the body of the email or SMS. Once users have accessed this URL, cybercriminals usually redirect them to phishing websites that ask for their personal and/or banking information on the pretext that certain data is needed to receive the prize, or urge them to download a document that probably contains a payload that will run on their devices in order to collect sensitive information.

Illustration 2. Text message about false raffle

Thirdly, the most common types of scams distributed through email or SMS during periods of mass purchases also include fraudulent gift cards. In this case, the attackers impersonate well-known companies from different sectors, such as Carrefour, SHEIN or Samsung, among others, and send users a message inviting them to answer a short survey in exchange for a gift card from the brand concerned. After answering this brief questionnaire, users are redirected to a final website where they are asked to fill in a form with their personal and/or bank details in order to receive the supposed card. It is also common that, instead of offering a gift card, cybercriminals offer a promotional product of a specific brand, such as Samsung or Apple, at an absurdly low price.

Illustration 3. Supposed Carrefour gift card

Finally, due to the high number of online orders placed during this time of year, attackers have also turned to another type of scam, fake order messages, which closely resemble fraudulent delivery notifications. In these cases, criminals send a large number of potential victims text messages or emails stating that the alleged order could not be delivered or has been suspended because certain information about the delivery address or some user data is missing. In order for the supposed package to be delivered, they provide users with a URL where a form to be filled in with personal and/or bank details appears. The main difference with respect to fake delivery notifications is that in fake order messages the attackers do not ask for payment in exchange for delivery of the supposed package, but may ask the user for any other information of interest, such as an email address or telephone number.

Illustration 4. Fraudulent order suspension message

On the other hand, it is common at this time of year for users to look for the best deals and prices for their purchases, so attackers often create fraudulent websites that impersonate a particular brand, or simply fake online shops that offer items at a price far below their retail value, which is tremendously attractive to potential buyers. Once users have selected the items they are interested in, they are redirected to a payment portal where they must pay the corresponding amount for their alleged purchase. On this website, victims typically enter their first and last name, email address, telephone number, physical address and banking information, including credit card number, expiration date and CVV. Once payment is made, they may even receive an email confirming the alleged purchase, but the goods are never delivered. Thus, cybercriminals will not only have obtained their bank details and, as a result, possibly part of their financial assets, but also sensitive personal information that may pose a risk to their personal and digital security, since the exposure of data such as a telephone number or physical address may lead to other criminal activities, such as identity theft.

Illustration 5. Fraudulent website that impersonates The North Face

Another of the most common scam methods at this time of year is again fraudulent websites, this time distributed through paid advertising platforms such as Google Ads. Through this channel, and for a very low price, cybercriminals gain access to a large number of potential victims, since they combine the ads with SEO positioning techniques to ensure that they are highly visible. As a general rule, in these ads users see supposedly great offers on items that might be of interest to them, so they click on the ad and are redirected to a fraudulent website where, if they make the purchase, they will not receive any item but will hand the attackers both their personal and financial information.

Illustration 6. Fraudulent Google Ads advertisement

Similarly, due to the high volume of work expected during Black Friday or Cyber Monday, companies tend to publish numerous temporary job offers, a fact that cybercriminals take advantage of for other schemes. Specifically, the attackers create fake job offers that they distribute on job search portals such as InfoJobs or LinkedIn, through emails, and even through social networks and instant messaging applications such as WhatsApp or Telegram. In these offers, they impersonate well-known companies such as supermarket chains or physical stores and invite users to open links and fill in forms with their personal and/or banking information, using the promise of a quick hiring process as a lure.

Illustration 7. False job offer impersonating Mercadona

It should also be noted that another way in which attackers often try to obtain users' personal information is through fraudulent phone calls, a method known in today's threat ecosystem as vishing. The deceptions and pretexts that cybercriminals can use in this way are many and varied, ranging from offering users a service at a reduced price to impersonating the human resources staff of a given company to offer supposed jobs, thus becoming another initial access vector that complements the previous frauds. As in the previous cases, vishing is a type of attack based on social engineering in which the attackers, using the various lures described above, try to obtain users' personal and financial information.

Finally, another method that, although not yet widely used during this period, is beginning to have a major impact on the current threat landscape is QRishing. QRishing combines the terms "phishing" and "QR code" and is a technique that consists of distributing phishing websites, malware payloads, fraudulent applications and, in general, fraudulent content to users through previously manipulated QR codes. As a relatively new technique, many users are still unaware of its existence and operation, which increases the likelihood that they will become victims of this type of security incident. It should be noted that manipulated QR codes can be distributed through virtually any medium: emails, SMS messages with URLs that redirect victims to fraudulent content, fake websites, and even physically through advertising leaflets, bar and restaurant menus, stickers placed on the street or at the entrance of stores offering discounts, and so on. In this regard, QR codes that redirect users to download fraudulent applications are also considered an important link in this kind of campaign, as attackers could advertise applications offering supposed discounts in exchange for installing them on personal devices, and then deploy malware payloads or collect sensitive information by abusing permissions. For all these reasons, QRishing could become an attractive option for cybercriminals trying to use the Black Friday and Cyber Monday theme as a lure in their latest campaigns.

Illustration 8. Example QR code used in bars and restaurants

It is also worth noting that, in recent years, multiple specialized threat actors have been identified who target their campaigns at the customers of a specific company, such as Amazon, Netflix or Booking. In these instances, actors create Telegram channels in which they offer for sale fraudulent content created specifically to impersonate a particular entity, which can be purchased by malicious third parties. These Telegram channels may sell content for several companies at the same time or focus on only one, as can be seen in the following examples. This explains why a whole cybercriminal ecosystem specialized in specific organizations, periods and holidays has proliferated: threat actors with more experience in this scenario can develop the tools and content necessary to execute the fraud and rent or sell them to others with less experience.

Illustration 9. Telegram channel that offers fraudulent content from various companies

Illustration 10. Telegram channel offering fraudulent Amazon content

Therefore, having highlighted the most common types of incidents, and given the wide variety of attacks that could be carried out during Black Friday and Cyber Monday, a set of basic recommendations is provided to users in order to avoid becoming victims of this type of security incident:

- In relation to fraudulent e-mails and SMS messages, users are advised not to open links of unknown origin or provide personal and/or banking information through them. It is important to remember that financial institutions will never request sensitive data outside their official communication channels. Likewise, it is recommended not to download any type of file of unknown origin to personal devices and to block any sender identified as suspicious in order to avoid receiving new messages or e-mails.

- With regard to vishing incidents, it is strongly recommended not to answer calls from unknown telephone numbers or, if they are answered, not to provide personal or banking information to third parties through this means, being especially cautious when exchanging information with strangers during periods such as those referred to here. Likewise, unknown telephone numbers that make repeated calls should be added to spam lists or blocked on the mobile phone so that they cannot call again.

- With regard to QR codes, it is advisable during these events to view the link to the website to which each code redirects before opening it, since this practice allows the user to avoid unwanted websites. To this end, it is essential to combine awareness-raising activities that explain the risks associated with this threat with preventive measures such as disabling the functionality on cell phones that automatically opens links contained in QR codes or performs any other automatic action, such as downloading an item or connecting to a network. It may also be useful to use legitimate scanner applications that show the user the address a QR code points to before taking the user there. In this way, the user can verify that they are actually going to the right place.

- On the other hand, if the QR code requests something that does not correspond to the purpose it is supposed to serve, such as leading to the download of an application or requesting sensitive information, the open window should be closed and the appropriate authorities or incident response teams, as well as the organization whose code has been tampered with, should be informed. Even if the QR code does what it claims to do, additional checks are advisable. For example, in the case of a QR code advertising the download of a mobile application, the user should check whether the download comes from an official store (Google Play or Apple App Store) or from a third-party platform, and review the total number of downloads and the application's reputation.

- In addition, it is advisable to be suspicious of, or even refuse, information cards and pamphlets containing QR codes that are handed out by unknown individuals, usually as gifts, to advertise a service or establishment. Similarly, it is advisable not to scan any QR code found by chance in places where there is no apparent reason for it to be, such as on poles, lampposts or billboards.

- Finally, cybercriminals often stick fake QR codes on top of the official one, so it is worth manually checking that the code has not been tampered with or pasted over another one.

- If you have provided personal and/or financial information through any of these means, it is recommended to contact the relevant authorities as well as the corresponding banking entity so that they can take the appropriate measures in this regard.
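The QR-code and SMS recommendations above boil down to inspecting the destination address before opening it. The following Python function, an added example and not part of the original post or Innotec Security's tooling, triages a URL decoded from a QR code or found in a text message against the red flags the scams described here rely on: a brand name such as Amazon, Correos, UPS or Carrefour in a hostname whose registrable domain is not one of the brand's own, an IP address or punycode host, credentials embedded in the URL, and plain HTTP. The allowlist of legitimate domains is a constructed sample for illustration, and the registrable-domain helper is deliberately naive (it should use the Public Suffix List in production).

```python
from urllib.parse import urlparse
import ipaddress

# Constructed sample mapping of brands impersonated in the campaigns above
# to their registrable domains (assumption for this example, not an
# authoritative list; extend it with the brands relevant to your users).
LEGIT_DOMAINS = {
    "amazon": {"amazon.com", "amazon.es"},
    "correos": {"correos.es"},
    "ups": {"ups.com"},
    "carrefour": {"carrefour.es", "carrefour.com"},
}


def registrable_domain(host: str) -> str:
    """Naive eTLD+1: the last two labels. Adequate for the sample inputs here;
    real deployments should resolve this with the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_url(url: str) -> list[str]:
    """Return the red flags found in a URL decoded from a QR code or SMS.
    An empty list means no heuristic fired, not that the URL is safe."""
    flags = []
    # Schemeless strings (common in QR payloads) are treated as plain HTTP.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https":
        flags.append("not-https")
    try:
        ipaddress.ip_address(host)
        flags.append("ip-literal-host")
    except ValueError:
        pass  # not an IP literal
    if host.startswith("xn--") or ".xn--" in host:
        flags.append("punycode-host")  # possible homograph of a brand domain
    if "@" in parsed.netloc:
        flags.append("userinfo-in-url")  # "https://amazon.es@evil.example/"
    reg = registrable_domain(host)
    # Brand name appears as a label of the host (e.g. amazon-delivery.example)
    # but the registrable domain is not one the brand actually owns.
    labels = set(host.replace("-", ".").split("."))
    for brand, domains in LEGIT_DOMAINS.items():
        if brand in labels and reg not in domains:
            flags.append(f"brand-lookalike:{brand}")
    return flags
```

Run it over the address shown by a QR scanner or the link in a delivery or raffle message; any flag is a reason to close the page and verify through the company's official channels instead.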

And this is the end of today's post. We hope you found it useful and that you liked it, and don't hesitate to share it so that it reaches more people! 

See you next time!

Raquel Puebla González and Itxaso Reboleiro Torca, cyber intelligence analysts at Innotec Security