Every year around the holidays, when brands offer huge discounts and shoppers are quick to spend their money, scammers and cybercriminals are quick to capitalize with all variety of holiday scams. In the past several years, this activity has transitioned to social media, where brands increasingly advertise their deals. Holiday scams hijack this excitement and abuse the trust between consumers and brands on social media by creating fraudulent accounts, crafting fake, eye-catching promotions, and driving unsuspecting consumers to a variety of malicious ends, including phishing pages, malware exploits and other nefarious schemes.
This holiday season, ZeroFox Alpha Team has uncovered 2,868 fraudulent accounts (and counting) peddling holiday scams across social media. The accounts were part of several distinctive attack campaigns that each exhibited different tactics and end goals. Yet all the campaigns shared in common their desire to exploit users’ penchants for shopping online during Thanksgiving, Black Friday, Cyber Monday and Christmas.
The vast majority of these scam accounts leverage a similar core tactic: brand impersonations. The holiday scams use official branding and imagery, often taken directly from the brand’s verified account, to make a profile that looks identical to the real one. Targeted retail brand categories included fashion, technology, sports, ecommerce, jewelry, and food (Figure 1).
Figure 1: Pie chart of targeted brand segments.
For brands attempting to market their authentic deals and promotions, this is a huge problem. Scammers quickly make copies of the brand’s owned account, steal clicks and revenue, attack customers and drive away huge volumes of would-be business. Savvy users on social media are forced to be wary of what accounts they engage with and what promotions to explore. Most users, however, are often unaware that there is any difference between the malicious copy and the real online retailer.
The holiday scams were advertising either phishing links, malware exploits or fame farming schemes:
The first campaign imitated popular brands in order to phish credit card and other personal information from victims. 84 unique phishing URLs were distributed by 569 fake social accounts, which displayed the official logos of well-known companies. They exploited users’ recognition of these brands and leveraged Black Friday and Cyber Monday deals in order to coerce them into clicking on posted URLs (Figure 2). The URLs themselves also displayed the company’s official logo, and purported to sell their popular products at heavily discounted prices of over 70% off. However, these websites contain credit card input forms that steal credit card credentials and personally identifiable information.
Figure 2: An impersonating Facebook Page used Cyber Monday as a ploy to manipulate users into clicking a link and entering credit card details.
Malicious link distribution campaigns rely on persuading users to click through to external websites that download harmful programs onto their computers. The below example used the promise of discounted items from a popular e-commerce website in order to lure the user to click a malicious URL (Figure 3). The URL led to websites that executed malware on victim devices.
Malware can be one of the most damaging payloads, as it can result in identity theft, costly ransomware and, for businesses or organizations associated with the victim, large scale data breaches and a persistent hold on the machine that is compromised.
Figure 3: An apparent Black Friday YouTube video description contains a malicious link.
The last campaign involved 2,299 social accounts that imitated major consumer brands in order to conduct “fame farming,” in which a profile advertises fake coupons or giveaways to rapidly gather large numbers of followers, likes and shares. As in the example below, accounts can impersonate popular brands by displaying their official logos and legitimate websites in order to piggyback off their perceived trustworthiness (Figure 4). They typically promise fake holiday gift cards and offers in order to fraudulently amass followers, extract personal information and redirect users to malicious external websites. After the fake account amasses enough digital popularity, it can be repurposed to launch larger attacks or commit other fraudulent activity, like:
- Account flipping – these accounts are often sold on the darkweb, in what is called “account flipping.” The more followers, the more valuable the account. These account are sold to other cybercriminals who may use them for phishing campaigns, spam, or malware delivery. As such, the account owners may not be actively attacking their followers yet, but they are merely one stage in a broader cybercriminal economy that will lead to attacks against the account followers downstream.
- Direct message (DM) phishing – Attackers often build up followers in order to send direct messages laced with phishing links, ransomware, or malware downloads. Some networks only allow DMs between users who mutually follow each other, and using DMs ensures the attack is launched out-of-band. This ensures the longevity of the attacking account as it cannot be readily flagged for removal or banned by the social networks.
- Delayed attack campaigns – Attacks on social media are often done in stages with long periods of dormancy in between. This is done to avoid detections. These accounts may be building up followers in order to lay low until the next attack campaign. The account can change radically overnight and begin posting, sending direct messages and otherwise trying to convince followers to engage with a payload. As such, these accounts may simply be a single phase in a longer, more well-structured attack campaign.
- Spam and click harvesting – Many of the links promoted by these accounts drive to spam sites, fake surveys, and other duplicitous “click harvesting” marketing schemes. Driving traffic in large volumes by exploiting social media earns the attackers the highest possible payout.
ZeroFox believes many of these accounts fall under several highly structured attacker campaigns, as they drive to a small number of similar links and use redundant language across profiles. This shows the power of social media for attackers, who can quickly create many accounts and thus can reach victims at scale. With the buzz around the holidays, Black Friday and Cyber Monday, a few quick hashtags can ensure their posts are seen in popular search queries and pop-up in topical conversations.
Figure 4: A fame farming Instagram account fraudulently promises gift cards in return for user actions that artificially inflate its social reach and reputation.
Recommendation for avoiding holiday scams
ZeroFox Alpha Team recommends the following:
- Beware of coupons and promotions distributed through sites other than the official retailer.
- Ensure two-factor authentication is enabled on your social media accounts when available.
- Be wary of links on social media. Hover over them to get a preview and look closely for impersonator URLs and characters meant to look like others. When in doubt, copy the link into a free analysis tool like VirusTotal.
- Ensure that your anti-virus and anti-malware is kept up-to-date on your device, whether it’s a PC, Mac, or mobile device, and that your device remains patched at all times
- Curate who you follow. Following suspicious accounts increases your chances of being exposed to social media holiday scams, and even benign accounts can be hijacked by or sold to scammers.
- Beware of brand impersonations. Unless it has the blue verified checkmark, do not click anything that accounts posts as it is likely an impersonations of the real profile.
- Above all, be careful what you click on social media! If it looks suspicious, it may very well be.