Black Friday Scam 2021: Watch Out for This New Phishing Kit Method Tied to Physical Theft


With the holiday season upon us once more, threat actors are planning new ways to target consumers and brands alike. As the COVID-19 pandemic continues to have a major impact on our everyday lives, the way we shop and celebrate the holidays will be affected as well. Threat actors know this to be true and have adapted methods to capitalize on the rise in ecommerce with scams, fake websites and sophisticated phishing campaigns. In years past, we’ve seen fake giveaways and fraudulent domains on the rise as a direct correlation with Black Friday – those trends continue in 2021. One particular type of attack we’ve witnessed more of, however, involves a phishing kit designed to facilitate physical theft. Read on to learn more about this new threat and how you can protect your devices from becoming the next victim to this Black Friday scam.

Background: New Phishing Kit Could Be Leveraged for Black Friday Scam

Phishing is a well-known type of attack, which consistently proves to be a threat to enterprises and consumers alike. However, there is a niche form of phishing that directly overlaps with criminals and criminal groups involved in physical theft. These phishing attacks assist criminals in profiting from the theft of mobile and technology devices. As you prepare for Black Friday and Cyber Monday, ensure you are informed of the potential risks.

During public holidays, it is common to see an increase in phishing attacks using specialized types of phishing kits and services, targeting retail technology brands in particular. Many thieves who target households and individuals tend to focus on obtaining technology goods with high resale value, and after holidays such as Black Friday or Christmas, many homes have an abundance of new portable devices.

Over the years, several technology hardware companies have developed and provided tools for customers in order to track and lock their portable devices. These controls are designed to be used in case of loss or theft, blocking unauthorized access to the device and providing contact details for the original owner. The locking of a device will also prevent third-parties from performing a factory reset, or wiping the device, in order to resell it.

A New Type of Phishing Kit Targeting Device Security Controls

Once the device is locked, the only way to restore functionality is for the original owner to log in to their account and disable the lock or lost device mode. The purpose of this feature is to ensure that a lost or stolen device is virtually useless to any unauthorized users.

However, since the introduction of these controls, a specialized type of phishing kit – sometimes referred to as an “unlocker” – has appeared for sale on criminal marketplaces. These unlocker kits are directly sold or used by criminal groups to unlock stolen goods.

Figure 1. The administrative dashboard of an active unlocker kit, designed to phish victims of theft. This page details recent attacks and their successes.
Source: ZeroFox Threat Research

These types of phishing kits are designed specifically for conducting phishing against theft victims to obtain their account details so the holder of the stolen device can log in and remove the device lock and tracking before resetting the device to its original state for use or resale. The “holder” in this context refers to the individual physically holding the device, such as the kit operator, the actor that stole the device, or the actor that bought the stolen device.

How the Unlocker Phishing Kit Works

The kits are often sold with licenses, allowing specific individuals to log in to the interface and orchestrate a phishing attack. Created attacks are often referred to as “orders,” reflecting the business mindset associated with this activity. Criminal groups can either use the kit themselves to unlock devices or pay another individual to orchestrate the attack for them.

Figure 2. An active phishing kit listing all active “orders.” Some deployments contain details on hundreds of stolen devices.
Source: ZeroFox Threat Research

The proliferation of encrypted messaging platforms in recent years has facilitated rapid adoption by criminals looking for services to unlock stolen devices. Many channels exist purely to advertise such services, with users vouching for each other and reporting successfully unlocked devices.

These services are not limited to mobile phones, with specialist kits also existing for unlocking laptops, tablets, smart watches and desktop computers.

Figure 3. A stolen device listing the medical ID (left) and contact information of the owner (right) accessible via the device’s lock screen. This information is used to aid in the phishing attack.
Source: ZeroFox Threat Research

Figure 4. Follow-up messages sent to the channel, confirming the successful unlock of the device.
Source: ZeroFox Threat Research

The phishing attack itself is a fairly standard operation designed to obtain credentials from the victim. What sets it apart is the preparation that goes into the targeted lure and the design of the victim workflow. Lures are often sent via SMS, as contact numbers are typically provided on either the locked device’s screen or within the emergency contact details. The lures inform the recipient that their device (including the device’s name/model) has been located, and that they can log in to their account to see its current location. If an email address is listed as contact information, a lure in the form of an email or iMessage is sent to the victim instead.

Once the victim has clicked the specially crafted link within the lure and landed on the phishing page, the victim workflow begins. These workflows are highly configurable and replicate the genuine interaction steps completely, so the page looks and behaves like the legitimate account login and device-location flow.

Figure 5. Configurable options for the phishing attack (top). One of the many possible phishing pages victims can be presented with (bottom).
Source: ZeroFox Research

Once the attacker has gained access to the account, they quickly disable any “find my device” services, and unlock the device or mark it as “found.” Within minutes, the holder of the stolen device can perform a factory reset and remove any association with the previous owner. Such devices are then set up as “new” and either used by the holder of the stolen device or sold via online marketplaces.

Protect Yourself Against This Black Friday Scam and Beyond

As attackers become more sophisticated, it’s imperative that device-holders stay vigilant. As always, be careful when receiving an SMS from an unknown number or a request to click a link of any kind, as these could be early warning signs that you are the target of a phishing campaign like the one described in this post. Learn more about a previous Black Friday scam as well as an in-depth guide to the threat of phishing kits in our Anti-Phishing Resource Hub.
