With Thanksgiving and Black Friday quickly approaching, the holiday shopping season has begun to ramp up for consumers worldwide. Retailers rely on the holiday weekend to drive sales (and profits!), with deals beginning as early as Thanksgiving Day and lasting well into what is now known as Cyber Monday. Just like consumers, however, scammers are also prepping for holiday activities. These scams put consumers and retailers alike at risk of information exposure and financial loss.
In preparation for this annual barrage of holiday scams, the ZeroFox Alpha Team deployed the ZeroFox Platform to collect hundreds of thousands of posts, pages, domains, certificate transparency log entries, websites and chatter related to Black Friday. Our goal in this `war room` exercise was to uncover how cybercriminals use holidays such as Black Friday to defraud, scam or attack internet users and to capitalize on retailers' brand and revenue potential.
ZeroFox Alpha Team Finds Scams Targeting Retailers of All Shapes and Sizes
Between November 1 and November 20, 2019, ZeroFox identified 61,305 potential scams across the 26 brands selected for this report. When broken out among these brands, we observed that the vast majority of these scams targeted customers of brick-and-mortar retail stores. Smaller percentages targeted electronics brands and online marketplaces. Only small fractions of a percent targeted luxury brands and jewelry brands.
Scammers likely target brick-and-mortar retailers in such high quantities because these scams appeal to a larger pool of consumers, and therefore of potential victims. Fewer consumers are in the market for luxury goods and high-end jewelry than shop at large brick-and-mortar stores that serve multiple price points. Brick-and-mortar stores also carry a wide range of goods, from electronics to jewelry, unlike stores that sell only one kind of good.
These kinds of scams generally offer victims "something for nothing," in the form of a giveaway, gift cards, or some kind of discount or coupon. Users are urged to input personal information, usually at minimum their email and physical address, to be entered to win a giveaway or gift card, or to receive a coupon. Although these scams operate year-round, they also capitalize on gift-givers during the holiday season, exploiting the season to instill a sense of urgency in prospective victims. Of the retail scams we analyzed during this work:
- 11,741 contained language related to gift-giving
- 4,593 contained the word "holiday"
- 637 were specifically related to Black Friday or Cyber Monday
- 353 mentioned "Christmas" or "Thanksgiving"
- 554 took advantage of charitability and included the word "donate"
Black Friday scammers gain traction through fake accounts and hashtag hijacking
In order to increase visibility, scammers often add hashtags to their posts that they know consumers are using to find deals and offers, like `#blackfriday`, `#cybermonday`, and `#giveaway`. This makes the posts more likely to be surfaced by the social platform's ranking algorithms and also makes them searchable. Similarly, scammers may use networks of fake accounts to like, share or retweet these scam posts, lending them an appearance of legitimacy.
Above is one such example of a gift card scam. Clicking the link in this post takes users to a poorly designed landing page, where several giveaways are advertised. Clicking through to one of these giveaways redirects users to a phishing page, which requests a selection of personal information.
Online shopping and electronics lead the pack in suspicious domains
If brick-and-mortar retailers dominate scams on social and digital platforms, online shopping and electronics are the number one targets for suspicious domains. ZeroFox Alpha Team found 124,000 domains containing one of the 26 brand names selected for this report. After filtering those 124,000 domains by certificate issuer to set aside the brands' own legitimately issued certificates, the team found that Apple, Amazon and Target are the most impersonated brands in the set:
Spot a Black Friday scam through keywords
Many of these domains contain keywords that indicate they could be used for phishing or abuse. These keywords are generally combined with a call to action, especially in phishing attacks, to convince the user that they must log in or verify their account to continue.
Because these domains were retrieved from certificate transparency logs, they are more likely to be serving content than a merely registered or parked domain: obtaining a TLS certificate is an additional step in setting up attack infrastructure. The caveat is that a CT entry only proves that a certificate was issued for the name, not that the host is live or malicious, so keyword hits still need to be confirmed against the content actually served.
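The triage described above, brand name in the host plus phishing or promotion keywords, minus the brand's own legitimate domains, is easy to reproduce over a CT feed. The following Python is an added example and is not ZeroFox's tooling: the brand list, legitimate-domain allowlist, keyword weights and the sample CT entries are all constructed assumptions for illustration, and the public-suffix handling is deliberately crude (it drops only the last DNS label).

```python
import re

# Assumed subset of tracked brands and the domains each legitimately serves from.
# The report's full list of 26 brands is not reproduced on the page.
BRANDS = {
    "apple": {"apple.com"},
    "amazon": {"amazon.com"},
    "target": {"target.com"},
}

# Assumed keyword weights: credential lures score higher than generic promo words.
LURE_KEYWORDS = {
    "login": 3, "signin": 3, "verify": 3, "account": 2, "secure": 2, "update": 2,
    "support": 1, "giveaway": 3, "giftcard": 3, "gift": 1, "blackfriday": 2,
    "cybermonday": 2, "deal": 1, "deals": 1, "coupon": 2, "holiday": 1,
}

SEPARATORS = re.compile(r"[-_.]")


def collapse(host: str) -> str:
    """Lower-case, strip a wildcard prefix and the last DNS label, remove separators.

    'Apple-ID-Login.support' -> 'appleidlogin'. Crude: treats only the final
    label as the public suffix (assumption; a real tool would use the PSL).
    """
    labels = host.lower().lstrip("*.").split(".")
    if len(labels) > 1:
        labels = labels[:-1]
    return SEPARATORS.sub("", "".join(labels))


def is_legitimate(host: str, brand: str) -> bool:
    """True when host is one of the brand's own domains or a subdomain of one."""
    host = host.lower().lstrip("*.")
    return any(host == d or host.endswith("." + d) for d in BRANDS[brand])


def score_domain(host: str):
    """Return None for non-brand or legitimate hosts, else a dict with the
    impersonated brand, the lure keywords found, and a weighted score."""
    text = collapse(host)
    hits = [b for b in BRANDS if b in text]
    if not hits:
        return None
    brand = max(hits, key=len)  # prefer the longest brand match
    if is_legitimate(host, brand):
        return None
    rest = text.replace(brand, "", 1)
    matched, score = [], 0
    # Longest keywords first so 'giftcard' is counted once, not as 'gift' too.
    for kw in sorted(LURE_KEYWORDS, key=len, reverse=True):
        if kw in rest:
            matched.append(kw)
            score += LURE_KEYWORDS[kw]
            rest = rest.replace(kw, "")
    return {"host": host, "brand": brand, "keywords": matched, "score": score}


def triage(ct_entries, min_score: int = 1):
    """ct_entries: iterable of (host, issuer) pairs as they would come from a
    CT log. Returns brand-impersonating hosts with score >= min_score, highest
    score first; brand-only matches such as 'pineapple.com' score 0 and are
    dropped by default because the brand substring alone is weak evidence."""
    results = []
    for host, issuer in ct_entries:
        r = score_domain(host)
        if r and r["score"] >= min_score:
            r["issuer"] = issuer
            results.append(r)
    return sorted(results, key=lambda r: (-r["score"], r["host"]))


# Constructed sample CT entries (host, issuer); not real log data.
SAMPLE_CT_ENTRIES = [
    ("www.amazon.com", "DigiCert Inc"),
    ("giftcards.target.com", "DigiCert Inc"),
    ("amazon-account-verify.com", "Let's Encrypt"),
    ("apple-id-login.support", "Let's Encrypt"),
    ("target-giftcard-giveaway.net", "Let's Encrypt"),
    ("blackfriday-apple-deals.shop", "Let's Encrypt"),
    ("pineapple.com", "Let's Encrypt"),
    ("example.com", "Let's Encrypt"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_CT_ENTRIES):
        print(f"{r['score']:>2}  {r['host']:<32} {r['brand']:<7} {r['keywords']}")
```

The issuer is carried through only as metadata here; in practice the issuer filter the report describes is the allowlist step (the brand's own certificates come from its usual CA), and the ranked output is a work queue for manual confirmation, not a verdict.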
Chrome extensions allow scammers to quickly spread malware
Alpha Team performed a hunt on a small sample of the suspicious domain list and found phishing websites, giveaway scams, coupon scams and even some suspicious Chrome extensions.
In the next case, Figure 7, the Chrome extension had over 60,000 installs and dozens of negative reviews complaining about data theft and malware, with one reviewer even saying they had been extorted by the developer:
Despite reviews, scams such as the one above continue to trick innocent shoppers in a rush to capitalize on the best Black Friday deals.
Protect yourself this Black Friday
Cybercriminals are opportunistic and capitalize on anything they can to improve their odds of profiting from a scam. As Black Friday approaches, ZeroFox has observed a spike in both social media scams and malicious domains. To best protect yourself against these kinds of scams, we recommend exercising caution whenever you consider handing over valuable personal information for promotions or giveaways. Legitimate giveaways rarely ask for anything more than an email address; a promotion requesting anything further is likely a scam. Additionally, as you make online purchases this holiday season, be sure to verify that the domain you are buying from is the one you intend to interact with and belongs to the legitimate brand. Attackers often mimic reputable brands to peddle scams and phishing sites.
Avoid scams and protect yourself by following these Alpha Team recommendations:
- Verify the URL of any site you may purchase from. Phishing and counterfeit goods sites often imitate the websites of legitimate brands in order to appear more credible.
- Use caution when interacting with promotional sites, especially when asked to provide sensitive personal information. If a promotion sounds too good to be true, it probably is.
- Consider using a separate email for promotional entries to keep email and personal information secure.
A quick note on where this data came from
The Alpha Team seeded a ZeroFox platform deployment with top retail brands from a variety of verticals in order to uncover chatter and malicious traffic that could be related to Black Friday. Within one week, the platform analyzed 600,000 posts, pages, accounts and blogs, and 90,000 of those pieces of content were flagged as suspicious and generated alerts in our platform. The team also reviewed one month's worth of Certificate Transparency log data (approximately 22,000,000 entries) in order to study how scam infrastructure is being deployed and abused by fraudsters to target victims.