Shoppers beware of these holiday scams on social media!
During the weeks around Black Friday and Cyber Monday, ZeroFox analyzed social media to identify scams targeting consumers on Pinterest, Twitter, Facebook, Instagram and more. ZeroFox leveraged advanced machine learning analytics to find scammers creating fraudulent retailer impersonations, hijacking brand hashtags and launching consumer targeted attacks. Once accounts were identified, further analysis allowed us to understand the tactics, techniques, & procedures used by the scammer.
ZeroFox found 4 major types of social media holiday scams, detailed below:
- Fake merchandise
- Fake gift card generators
- Fake coupons
- Fake giveaways and contests
The scammers used a couple of different tactics to dupe users and proliferate the attack, mainly impersonation and hashtag hijacking.
- Impersonation accounts are created to look just like a real brand account, using very similarly spelled names and replacing characters with dashes, spaces, and/or homoglyph characters. For example, a scammer might use a zero (0) instead of an O or a number one (1) instead of an L. Additionally they may use one or more of the same logo, a photoshopped version of the logo, photos of products or store locations, and similar or identical bios.
- Hashtag hijacking is the process of hijacking trending hashtags and brand hashtags to ensure the scam is seen by the right population and as broad a population as possible. Hashtags are ideal tools for scammers because they can easily ride the coattails of a trend, such as #cybermonday or #blackfriday to get their malicious post in front of their targets.
The malicious payloads of the attacks varied, but ultimately fell into 4 categories:
- Scams: attempts to dupe users into paying money for fraudulent goods or services
- Phishing: attempts to harvest credentials — passwords, user names, credit card info — by creating malicious landing pages
- Malicious mobile apps: attempts to trick the user into downloading a mobile app that would infect their device and either steal their data or hold the data ransom (ransomware)
- Malware: attempts to download malicious code the user’s device that might lead to a host of different issues — ransomware, key logging, data harvesting, etc
ZeroFox identified a plethora of fake merchandise holiday scams across every major network, including the one below from Pinterest. The post hijacked the hashtag #blackfriday to ensure it was seen by spend-happy holiday shoppers.
The link is advertised as extreme discounts on winter jackets, but takes the user through multiple redirects to a gift giveaway page with no jackets whatsoever. The giveaway is for an iPhone and prompts the user to enter their email and home address, and then redirects the user to a subsequent page requesting payment for the shipping costs. Further investigation revealed that the page is known for not delivering merchandise and scamming users out of payments.
Fake Gift Card Generators
While monitoring common retailer hashtags, ZeroFox identified a variety of holiday gift card generators, including this fake Bass Pro Shops gift card generator on Instagram. The link advertises a download for the tool.
Upon clicking the link, the user is taken to a page to download the Card Generator. The card generator does not appear to be authorized by Bass Pro Shops yet allows the user to generate cards and codes by downloading an app.
The app takes the user to Google Play, but instead downloads it directly from an untrusted source outside of the curated Google Play mobile app store. The app is known to be malicious and dangerous to Android devices for those users who download and install apps from untrusted sources. Furthermore, use of fake gift card generators is commercial fraud.
Numerous holiday coupon scammers were found on Twitter, amongst other networks. One of the most interesting set of scam accounts appeared to be created by a single scammer or scammer group and targeted a variety of retailers. Theses accounts put a link in the bio that the user can visit to obtain coupons for various retailers and each link appears to be custom to the retailer. Scammers target users searching for coupons of a certain retailer.
These URLs have been found impacting numerous retailers for top brands including Kroger, Macy’s, Hertz Rent-a-Car and more. They all use the blogging site blogspot.com and so-called server pages custom to each retailer. Because they all follow the same format and logic, it’s likely that they are all created by the same perpetrators. Since our detection, the links have all gone offline.
The accounts often don’t tweet or follow anyone keeping the account discrete. However, if a user searches for the Kroger or Macy’s name, these accounts show up. The link in the Twitter bio leads to a fake web page that asks the user to enter in their personal information to then obtain a seemingly real coupon, which is actually fake. The blogspot links have been live for weeks or months, but in the last week all went offline.
Below is another example of a Twitter account advertising fake coupons. This link leads to a malicious mobile app download.
Fake Giveaways and Contests
One of the most popular toys over the 2016 holiday season are Hatchimals. ZeroFox witnessed parents anxious to get a Hatchimal for their kid in any way possible, considering they are sold-out in most stores. This was one of many contest giveaways ZeroFox discovered on Instagram.
The bit.ly link in the post takes the user to a fake contest page using a domain extension of *.ml which is suspiciously a top level domain in West Africa.
When the user picks the Hatchimal for the content entry, they’re directed to a “Human Verification” page where the user is asked to download a mobile app and provide contact information. The mobile app is also known for adware pop-ups leading to other malware infestations.
A broad variety of holiday scams were identified during the analysis that spanned every major social network. There is a well documented spike in crime around the holidays, and ZeroFox’s findings have shown that cyber criminals have now aggressively expanded to social networks. Holiday shoppers are ideal targets for scammers and cyber criminals, and users need to take additional precautions when shopping this season.
Here are recommended steps consumers can take to protect themselves from social media holiday scams:
- Beware of coupons and promotions distributed through sites other than the official retailer. While some are legitimate, most are not. In particular, if the site is request personal information or a credit card to enroll, be very suspicious of the link or website.
- Most of the scam websites did not have proper security controls. These websites lack SSL (or TLS) web site certificates, which is standard for almost every website, especially those asking for credentials or credit card info. This has long been a method by which consumers can be assured that the site is legitimate and safe as demonstrated by the “https” designation and many browser not display that in green. If the site doesn’t have an SSL/TLS web site certificate and is not encrypting your information, it’s probably not safe to trust that site. For details, simply click on the green lock to confirm that your information is encrypted and the website is valid. Below is the official Amazon account. User can tell it’s secure by the “https” designation before the base URL.
- With no SSL certificate, your credit card information could be intercepted by someone else and read in clear-text, especially if you’re at your local coffee shop using open WiFi, thus exposing your personal information.
- If you additionally want to validate a site, you can go to sites such as networksolutions.com and perform a whois lookup on the domain. Many of the sites were found to be registered to individuals in West Africa, Panama, and other areas of the world not as well known for selling online merchandise and should be considered suspicious.
- Ensure two-factor authentication is enabled on your social media accounts when available. This provides yet another barrier of protection should a malicious page steal your credentials. Many social networks can now require a code be sent to your phone or via email when they detect a new browser or device attempting to access your account.
- Beware of links on social media. Some social networks will warn you of malicious links when you click on them. For example, the Twitter app for Android will warn you of a malicious site and ask if you’d like to continue. But not all social networks provide this. Anti-virus products for PCs and Macs provide a green checkmark next to validated non-malicious links to assist you with deciphering which pages are good and which are suspicious or yet to be validated.
- If a link prompts you to download and install an app or file, stay clear. Mobile apps should only be downloaded from curated app stores such as the Apple App Store or Google Play, any other apps should be not be trusted.
- Ensure that your anti-virus and anti-malware is kept up-to-date on your device, whether it’s a PC, Mac, or mobile device.
- Consumer protection sites offer great advice and some even highlight some of the latest holiday scams. These sites include: