Trustwave SpiderLabs Uncovers Unique Cybersecurity Risks in Today's Tech Landscape. Learn More

Trustwave SpiderLabs Uncovers Unique Cybersecurity Risks in Today's Tech Landscape. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

‘Tis the Season for Online Shopping and Phishing Scams

The 2022 holiday shopping season is here. Retailers’ discounts are kicking off early, and shoppers are eager to spend, especially with big price markdowns to come as the season progresses. And with the COVID-19 pandemic still a concern to shoppers, more people are expected to shop online this season.

What this also means is that as consumers whip themselves into a shopping frenzy, cybercriminals have activated their seasonal scams to try and steal money or personal information. These scams are well thought out and include realistic email messaging that uses well-known name brands like UPS, FedEx, and Ray-Ban to help convince unwary shoppers to click on links that lead to fake websites or open malicious attachments.

Already this year, consumers spent a record $9.12 billion shopping online during Black Friday, according to Adobe. Overall, online sales for Black Friday were up 2.3% year-over-year.

Across the entire holiday season last year, U.S. consumers spent a record $204 billion online, up 8.6% from 2020, as reported by Adobe Analytics.

19322_picture1

Figure 1. US Holiday Spend Growth by year | Source: Adobe Analytics
https://blog.adobe.com/en/publish/2022/01/12/adobe-us-consumers-spent-a-record-204-billion-online-this-holiday-season 

Holiday Shopping Season and Fraud

As online spending for the holidays is on the rise, it makes sense that this time of year is also when cybercriminals ramp up their attacks. As a result, fraudsters have already started to shift to their holiday-and-shopping-themed schemes to best target consumers’ financial assets and personal information.

During this shopping season, consumers make themselves vulnerable to attack as they browse the web for the best deals, purchase goods, and receive emails that include expected discount promotions, as well as order and shipping notifications. This digital presence makes scam campaigns more effective because cybercriminals’ fraudulent activity blends in with holiday and shopping activities. 

Phishing and Scams to Be Aware of this Season

This holiday shopping season, be on the lookout for phishing and scams specifically designed to blend in with holiday online shopping activities. Trustwave SpiderLabs has compiled a list of the most prevalent shopping-related scams expected this year. These samples were recently observed from Trustwave’s spam traps and other Trustwave monitoring systems. 

Package Delivery Scams 

These are phishing messages threat actors craft as package delivery notifications claiming to be from a legitimate package courier or shipping company like DHL, USPS, UPS, or FedEx. The message content usually contains a fake tracking link or an attachment that directs to a fake website asking users to input their password or other sensitive information. There is also a chance it may also download a piece of malware. 

These messages often come as fake notifications related to shipment issues, missing packages, or just a generic incoming package delivery notification. 

19323_picture2

DHL Express - Address Confirmation Phishing Email

The below message impersonates the “DHL Express” brand, asking to verify address information contained in the attachment that leads to phishing.

19324_picture3 

The attachment is an HTML file named “AWB_87990589.html.” When clicked, it does not show any shipping information as mentioned in the email body. Instead, it shows a fake DHL Express login page that asks for the user’s account password. Phishers use HTML attachments to host the spoofed login site in the user’s device instead of the public internet as a way to bypass URL reputation checks.

19325_picture4

Once the user has inputted the credentials and hit the ‘Sign in’ button, the form data will be sent to the endpoint hosting this action PHP link “hxxps[://]ww[.]barbacoasevilla[.]com/mail/DHL[.]php” This PHP call is the part where the phishers get to steal the credentials.

19326_picture5 

Fake U.S. Postal Service “Delivery Problem” Email Notification

This message below claims to be sent by USPS (United States Postal Service), mentioning a delivery problem. It contains a fake tracking link that leads users to a suspicious website where scammers can collect a user’s sensitive data.

 19327_picture6

Email URL: hxxp[://]gai-building[.]azurewebsites[.]net/bolderi[.]php?i=chanted&e=minimum

DHL “Failed Delivery” Notification Comes with Malware

Here is another phishing sample pretending to come from DHL. The attacker sends a fake shipment notification saying that the “delivery failed due to recipient refused package.”

Within the body of the email, it asks the target to open the attachment file (Delivery Report.img) to manage the failed delivery. It can be observed that the shipment information provided was too generic and others were mentioned as in the “attached file.”

19328_picture7

19329_picture8

The attachment is an IMG file that masks as a delivery report. This file contains an executable named “Delivery Report.exe” that pretends to be a Microsoft Word document, as observed in the figure below.

19330_picture9

When executed, it will drop the Warzone Remote Access Trojan (RAT) as its payload, which is capable of credential theft and User Access Control (UAC) bypass. A RAT is a type of malware that gives an attacker unauthorized access to control an infected machine remotely. 

Fake Order Scams

Another popular tactic used by fraudsters is the Fake Order scam. These are messages that notify recipients regarding a product, service purchase status, or confirmation that originally was not placed by the recipient. This trick works exceptionally well against unsuspecting users since it is designed to make the user cancel the purchase, luring them to the phishing schemes.

The attacker also includes Instructions for cancellation or dispute in the message. The message could contain a link to a malicious/phishing page, a malware attachment, or a telephone number to call.

Fake Geek Squad Order scam

Geek Squad, Best Buy’s Tech Support service, is being impersonated in this phishing scam about a false subscription order. The message mentions that the membership has been auto-renewed and it also provides a telephone number to be called if the recipient wants to cancel or dispute. 

Once the victim calls the scammer, the scammer may ask for remote access to your machine or trick the person into divulging personal and payment information. These scammers may also use schemes to deceive users into paying with gift cards.

19331_picture10 

Bogus Card Payment Invoice Notification “Order Receipt”

This example is a bogus credit card billing notification informing the recipient of a transaction for a cryptocurrency-related purchase. We can observe that it contains no brand information, only generic credit card invoice details, and a fake customer support number to call to dispute the purchase.

19332_picture11 

Fake Product Scams 

This scam offers products or services at a high discount rate to lure consumers. Fraudsters send out promotional messages containing links leading users to a fake website impersonating the official brand. This bogus site may ask them to fill in the victim’s shipping details including the victim’s personal information and may require them to pay either by PayPal or via payment cards. Here, the fraudster’s main goal is to scam victims of their money by selling counterfeit goods or stealing sensitive information which can be used for additional frauds. 

Fake Ray-Ban Black Friday Sale – 90% Off 

This Black Friday-themed email claims to come from Ray-Ban, a well-known American-Italian luxury sunglasses and eyeglasses company, offering heavily discounted items (a too good to be true offer) with links leading to fake Ray-Ban website.

19333_picture12

URL/Redirect Chain:

  • Email URL: hxxps[://]security-subscriber-center[.]grau-r[.]com/SubscribeClick?ox=rbm&6yvx6g=xxx@xxx[.]xxxx
  • Landing URL: hxxps[://]www[.]rbmhouse[.]com/m

The Legitimate Ray-Ban website vs Fake Site:

The fake Ray-Ban website domain in this campaign is rbmhouse[.]com was registered just 10 months ago while the legitimate Ray-Ban site is Ray-Ban[.]com which was registered 17 years ago.

19334_picture13

 

19335_picture23

 

The similarities and resemblance between the fake website vs. the original can effectively make unsuspecting users believe that the fake site is a legitimate Ray-Ban site. 

19336_picture14

19337_picture15

Fake Louis Vuitton Promotional Email – 88% Off

The email below is another irresistible discount offer that will catch a shopper’s eye. It claims to be from Louis Vuitton – a French luxury fashion house and company commonly known for its high-end leather goods. The email URL leads to a fake Louis Vuitton website.

19338_picture16

URL/Redirect Chain:

  • Email URL: hxxp[://]www[.]88off-bags[.]com/
  • Landing URL: hxxps[://]www[.]lzvlv[.]com/

The landing page (hxxps[://]www[.]lzvlv[.]com/) is impersonating Louis Vuitton website that offers big product discounts. Other similar fake websites we found are:

  • www[.]lczlv[.]com
  • www[.]lwzlv[.]com 

19339_picture17

Fraudulent Gift Card/Rewards and Survey Scams

Fraudsters also send messages impersonating banks or well-known brands offering bogus rewards such as gift cards. This scam may appear as a “Free Rewards/Gift Card Expiration” notification, with a call to action that states to avoid the reward’s expiration, users must provide their login credentials to what is a fake website. The email may also come as “you have been qualified for a reward” notification or a message promising rewards if the customer fills out a survey.

For survey-related campaigns, after completing the feedback on a bogus website, the threat actor may inform individuals that the gift card is no longer available, and users may be prompted to choose from various products for free or receive what will be a fake gift voucher. In addition, consumers will be asked to supply their credit card and personal information, which can be used to steal victim’s money or used for identity theft.

19340_picture18 

Fake 7-Eleven Survey Offers $100 Gift Card 

“Shopper, You can qualify to get a $100 7Eleven gift card!”

In this scam, an attacker entices a consumer with a specially crafted message offering a $100 gift card for completing a survey. This attempt will lead to users inputting their personal information to suspicious websites.

19341_picture19

URL/Redirect Chain: 

  • Email URL: hxxp[://]papajohnsx[.]shop/fYGKFAhhMQT20m_SZRMWKap2Z9_8Pbn50tqN4O0vOLzuOTLe
  • Landing URL: hxxps[://]dailypublicmarket[.]com/v1/7el
    • Outgoing URL: hxxps[://]stadisticsdata[.]com/joragiwi/nu/cukabo/index.php
    • Outgoing URL: hxxps[://]bestgadgetsdailynow[.]com/afoffv2/checkout.php

19342_picture20 

19343_picture21

After completing the short survey, the attacker directs the user to a new domain site containing  deals that can be unlocked with a purchase time limit. It offers one product for free, and the recipient will have to shoulder the shipping fee.

19344_picture22

Once a user has chosen a product, the page will direct that person to another suspicious website followed by pushing them to a checkout page where the victim will be asked to input their shipping and payment information.

How to Protect Yourself this Holiday Season:

General security best practices: 

  • Beware of unsolicited emails, messages, and calls. For emails and other forms of messages, do not click links or open attachments from suspicious sources
  • Do not respond to spams and other unsolicited messages and calls
  • Follow best practices for password protection
  • Enforce multi-factor authentication (MFA)
  • Ensure that applications and systems – such as browsers, Anti-Virus, and OS systems are up to date

Tips for shopping and other holiday activities: 

  • Watch out for offers that look too good to be true
  • Research the product/retailer before buying. Check the official website and customer reviews
  • Use safer and traceable payment methods. Use a credit card over a debit card as it provides additional layers of protection
  • Regularly check accounts and credit card statements. Look for any suspicious or unauthorized charges
  • Monitor shipping process for shipment deliveries. Always obtain tracking information for any online purchases. Track using the legitimate website or application
  • When donating, always research the organization or website first
  • If you think you have been a victim of fraud, report it

Latest SpiderLabs Blogs

Zero Trust Essentials

This is Part 5 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

Why We Should Probably Stop Visually Verifying Checksums

Hello there! Thanks for stopping by. Let me get straight into it and start things off with what a checksum is to be inclusive of all audiences here, from Wikipedia [1]:

Read More

Agent Tesla's New Ride: The Rise of a Novel Loader

Malware loaders, critical for deploying malware, enable threat actors to deliver and execute malicious payloads, facilitating criminal activities like data theft and ransomware. Utilizing advanced...

Read More