Holiday shopping and holiday phishing

November 21, 2018

November is the first month of the busiest shopping season of the year. It all begins on 11.11, otherwise known as Singles’ Day in China, which has morphed into one of the largest online (and offline) shopping days in the world, immediately followed by Black Friday, which falls on November 23rd this year. After that, Christmas and New Year come into view. It’s a great time for shoppers, with discounts and promotions at every turn. The downside to all the juicy offers? Many people drop their guard and become easy prey for cybercriminals.

Phishing statistics

In recent years financial phishing has made up at least a quarter of all annual phishing attacks. In 2017, financial phishing exceeded half of the attacks.

Increase in the share of financial phishing in the last years

The graph shows a steady rise in the share of financial phishing every year since 2014. Safe to say, we can assume that this upward trend will continue for the rest of 2018.

During the holiday sales period, the number of attacks targeting customers of online shopping and payment systems increases considerably. Our stats indicate that during this period, financial phishing accounts for an additional 10% share of all attacks. Outside the sale season, fraudsters favor banking clients.

On Singles’ Day, we saw a spike in the number of attempts to redirect users to dangerous resources that were blocked by our security solutions.

Number of blocked attempts to redirect users to phishing sites

An upswing was recorded on November 9th, which is not surprising given that cybercriminals always start preparing in advance. Mass attacks are usually carried out shortly before the actual date of the sale.

Looking only at phishing attacks against clients of Alibaba Group, the main player in Singles’ Day, the trend is the same: a sharp upward spike to roughly double the average number of attacks for November.

Number of blocked attempts to redirect users to phishing resources mimicking Alibaba Group services

11.11 Singles’ Day phishing

Cyber villains were well prepared for Singles’ Day — unofficially “World Shopping Day” — with numerous phishing sites ready and waiting.

Phishing aimed at the Alibaba marketplace and the major 11.11 news hook

For example, the above screenshot depicts a website using standard social engineering techniques: multiple mentions of “alibaba” in the URL to confuse inattentive or naive users, a copy of the company’s logo to add authenticity, and a flashy picture to divert attention. Below is another example of a similar phishing page.

A phishing website attempting to obtain Alibaba user account data

US online giant Amazon matches Alibaba stride for stride, both in sales and promotions and in the number of cybercriminals looking to create fake versions of the company’s sites.

Graph of blocked attempts to redirect Kaspersky users to Amazon-themed phishing sites

Cybercriminals tend to follow a similar formula in these phishing attacks. A lucrative offer serves as the bait, but before users can claim the deal they are instructed to fill out a form asking for all their personal details: address, phone number, and so on. Once the form is completed, users are prompted to forward the link to their friends. Needless to say, the user never gets the deal: the victim is simply bounced from site to site through an endless series of pointless surveys.

Fraudulent site supposedly offering Amazon sell-offs

Black Friday phishing

November 23rd is the official day for Black Friday, but many stores begin their discounts a few days early. Based on our statistics, we expect to see an increase in phishing attacks in the period before Black Friday. Additionally, there is a large number of registered (and, so far, dormant) sites like blackfridayscom.tld and black-fridaywalmart.tld. In the run-up to Black Friday, cybercriminals fill these websites with content designed to harvest the personal and banking details of unsuspecting shoppers.

As a matter of fact, we have started to see phishing activity for Black Friday 2018. Fraudsters have started to send out mass phishing e-mails leading to fake sites, impersonating stores that currently offer Black Friday specials.

Phishing attack on users of Mercado Livre — a popular marketplace in Latin America

The domain name of this fake store posing as Walmart speaks volumes about the event it was created for. The site follows the typical phishing formula. It hooks consumers with an irresistible price on a brand new TV. Once the checkout process begins, consumers obligingly fill out forms with their confidential data and unknowingly send payment to a private online wallet.

Phishing page imitating Walmart's website

As for phishing e-mails, we found a fake Black Friday promotion offering a free two-month subscription to Netflix. Users who want to redeem the promotion are directed to a scam Netflix site, which prompts them to enter their credit card details and other personal information. This data goes to the attackers, while the victim of the fraud receives nothing in return: instead of a free Netflix subscription, the user gets their bank account hacked.

Phishing resource posing as Netflix: request for banking and other confidential information

Also ahead of Black Friday, various fake online stores are set up, offering mouth-watering discounts on global brands.

Phishing offer for a warm winter jacket from a popular brand at a crazy discount

If something online sounds too good to be true, it most likely is. And that turns out to be the case here. Having put the goods in our basket, we proceeded to the checkout page. The website developers certainly did not scrimp on validation icons.

But in fact, these icons are non-clickable pictures. This should immediately alert the attentive user. Less vigilant visitors would fill out a standard delivery form and enter their payment information to complete the purchase. All this information goes to the fraudsters, and the warm winter jacket fails to materialize.

Scam page for stealing bank card data on the site of a fake store. The numerous validation icons are just pictures

How to understand if a store is real or fake

  • Avoid stores registered on free hosting services.
  • Carefully study the URLs of pages with forms requesting confidential data. If the address consists of a meaningless set of characters or the URL looks suspicious, do not proceed with payment.
  • If the store website arouses any sort of suspicion, look up the site on WHOIS for information about how long the domain has existed and who owns it. If the domain is fresh and registered to some mystery entity, take your business elsewhere.

See the “Why phishing works and how to avoid it” post for more useful tips.

Safe shopping tips

  • Get yourself a special card for online purchases and don’t keep large sums of money on it.
  • Don’t visit shopping sites from links in e-mails, social media messages, and chat rooms, or by clicking/tapping advertising banners on suspicious sites.
  • Try to avoid using public Wi-Fi hotspots for shopping purposes; but if you have no choice, be sure to use a VPN, such as Kaspersky Secure Connection.
  • Before entering personal information, make sure that you are on the genuine site. The address bar should contain the correct URL (check it very carefully), preceded by the letters “https” and/or a green padlock. If so much as one character in the domain name is wrong, don’t even think about entering any confidential data.
  • Use a reliable anti-phishing security solution — for example, Kaspersky Internet Security.
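The URL checks recommended in both lists above (study the address of any page that asks for confidential data, and make sure the domain name is exactly right) can be partly automated. The following Python script is an added example and is not code from the original post or from Kaspersky. It screens a constructed set of sample URLs against a small, assumed allowlist of domains each brand owns and a placeholder free-hosting list, and reports the warning signs the post describes: a brand name appearing in the hostname or path of a domain the brand does not own, a one-character lookalike of the brand’s domain, a store on a free hosting service, and a page not served over https. The domain lists, the simplified public-suffix handling and the sample URLs are all assumptions made for illustration.

```python
"""Heuristic screening of shop URLs for the warning signs described above.

Added example, not code from the original post or from Kaspersky. All
domain lists below are assumptions for illustration; a real deployment
would use a public-suffix list and a maintained allowlist.
"""
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed allowlist (assumption): brand keyword -> domains the brand owns.
BRAND_DOMAINS: Dict[str, Set[str]] = {
    "alibaba": {"alibaba.com", "aliexpress.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
    "walmart": {"walmart.com"},
    "netflix": {"netflix.com"},
}

# Constructed free-hosting domains (placeholders, not a real list).
FREE_HOSTING: Set[str] = {"000webhostapp.com", "free-hosting.example"}

# Simplified public-suffix handling: only these multi-label suffixes are known.
MULTI_LABEL_SUFFIXES: Set[str] = {"co.uk", "com.br", "com.cn"}


def registrable_domain(host: str) -> str:
    """Return the part of the hostname that a registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_url(url: str) -> List[str]:
    """Return the warning signs found in a URL; an empty list means none."""
    # A bare host with no scheme is treated as plain http.
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    if not host or "." not in host:
        return ["unparseable or incomplete hostname"]
    reg = registrable_domain(host)
    path = parsed.path.lower()
    warnings: List[str] = []
    if parsed.scheme != "https":
        warnings.append("page is not served over https")
    if reg in FREE_HOSTING:
        warnings.append(f"store is hosted on a free hosting service ({reg})")
    for brand, owned in BRAND_DOMAINS.items():
        if reg in owned:
            continue  # the brand itself controls this domain: nothing to flag
        # Brand name in a hostname or path the brand does not own.
        mentions = host.count(brand) + path.count(brand)
        if mentions:
            warnings.append(
                f"'{brand}' appears {mentions}x in the URL but the domain is {reg}"
            )
        # Lookalike: the registrable label differs from the brand by one edit.
        label = reg.split(".")[0]
        if label != brand and edit_distance(label, brand) == 1:
            warnings.append(f"{reg} is a one-character lookalike of '{brand}'")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs modelled on the patterns described in the post.
    samples = [
        "https://www.amazon.com/deals",
        "http://black-fridaywalmart.tld/tv-deal",
        "https://alibaba-login.alibaba-secure.example/alibaba/signin",
        "https://amazom.com/signin",
        "https://netflix-promo.000webhostapp.com/free-months",
    ]
    for sample in samples:
        found = screen_url(sample)
        print(sample, "->", found or "no warning signs")
```

Running the script prints each sample URL with the warning signs found. The WHOIS lookup the first list recommends is not scripted here because it needs a network query; the heuristics above run entirely offline, and a clean result only means none of these particular signs was present.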