November is the first month of the busiest shopping season of the year. It all begins on 11.11, otherwise known as Singles’ Day in China, which has since morphed into one of the largest online (and offline) shopping days in the world, immediately followed by Black Friday, which falls on November 23rd this year. After that, Christmas and New Year head into view. It’s a great time for shoppers, with discounts and promotions at every turn. The downside to all the juicy offers? Many people drop their guard and become easy prey for cybercriminals.
In recent years financial phishing has made up at least a quarter of all annual phishing attacks. In 2017, financial phishing exceeded half of the attacks.
The graph shows a steady rise in the share of financial phishing every year since 2014. It is safe to assume that this upward trend will continue for the rest of 2018.
During the holiday sales period, the number of attacks targeting customers of online shopping and payment systems increases considerably. Our stats indicate that during this period, financial phishing accounts for an additional 10% share of all attacks. Outside the sale season, fraudsters favor banking clients.
On Singles’ Day, we saw a spike in the number of attempts to redirect users to dangerous resources that were blocked by our security solutions.
An upswing was recorded on November 9th, which is not surprising given that cybercriminals always start preparing in advance. Mass attacks are usually carried out shortly before the actual date of the sell-off.
Looking only at phishing attacks against clients of Alibaba Group, the main player in Singles’ Day, the trend is the same: a sharp upward spike, roughly double the average number of attacks in November.
11.11 Singles’ Day phishing
Cyber villains were well prepared for Singles’ Day — unofficially “World Shopping Day” — with numerous phishing sites ready and waiting.
For example, the above screenshot depicts a website using standard social engineering techniques: multiple mentions of “alibaba” in the URL to confuse inattentive or naive users, a copy of the company’s logo to add authenticity, and a flashy picture to divert attention. Below is another example of a similar phishing page.
US online giant, Amazon, matches Alibaba stride for stride in terms of both sales/promotions and cybercriminals looking to create fake versions of company sites.
Cybercriminals tend to use a similar formula in phishing attacks. Lucrative offers are first used as bait. But before users can access the deal, they are instructed to fill out a form that asks for all their personal details: address, phone number, and so on. Once the form is completed, users are prompted to forward the link to their friends. Needless to say, the user never gets the deal: the victim is simply transferred from site to site, through countless pointless surveys.
Black Friday phishing
November 23rd is the official day for Black Friday, but many stores begin their discounts a few days early. Based on statistics, we expect to see an increase in phishing attacks in the period before Black Friday. Additionally, there is a large number of registered (and thus far dormant) sites like blackfridayscom.tld and black-fridaywalmart.tld. In the run-up to Black Friday, these websites are filled with content by cybercriminals looking to harvest the personal and banking details of unsuspecting shoppers.
As a matter of fact, we have started to see phishing activity for Black Friday 2018. Fraudsters have started to send out mass phishing e-mails leading to fake sites, impersonating stores that currently offer Black Friday specials.
The domain name of this fake store posing as Walmart speaks volumes about the event it was created for. The site follows the typical phishing formula. It hooks consumers with an irresistible price on a brand new TV. Once the checkout process begins, consumers obligingly fill out forms with their confidential data and unknowingly send payment to a private online wallet.
As for phishing e-mails, we found a fake Black Friday promotion offering a free two-month subscription to Netflix. Users who want to redeem the promotion are directed to a scam Netflix site, which prompts them to enter their credit card details and other personal information. This data goes to the attackers, while the victim of the fraud receives nothing in return. Instead of a free Netflix subscription, the user gets their bank account hacked.
Also ahead of Black Friday, various fake online stores are set up, offering mouth-watering discounts on global brands.
If something online sounds too good to be true, it most likely is. And that turns out to be the case here. Having put the goods in our basket, we proceeded to the checkout page. The website developers certainly did not scrimp on validation icons.
But in fact, these icons are non-clickable pictures. This should immediately alert the attentive user. Less vigilant visitors would fill out a standard delivery form and enter their payment information to complete the purchase. All this information goes to the fraudsters, and the warm winter jacket fails to materialize.
How to tell whether a store is real or fake
- Avoid stores registered on free hosting services.
- Carefully study the URLs of pages with forms requesting confidential data. If the address consists of a meaningless set of characters or the URL looks suspicious, do not proceed with payment.
- If the store website arouses any sort of suspicion, look up the site on WHOIS for information about how long the domain has existed and who owns it. If the domain is fresh and registered to some mystery entity, take your business elsewhere.
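The three checks above (free hosting, a suspicious or brand-stuffed URL, and a freshly registered domain), together with the "https" and exact-domain advice in the shopping tips, can be turned into a small automated screen. The script below is an added example and is not code from the original post or from Kaspersky; the brand allowlist, the free-hosting suffixes and the WHOIS creation dates are constructed sample data standing in for a real lookup, and `check_url` is a hypothetical name. It reports which of the post's warning signs a given store URL trips.

```python
from datetime import date
from urllib.parse import urlparse

# Brands that phishers impersonate, mapped to the registrable domains the brand
# really uses. Constructed allowlist for this example; a deployment would use a
# vetted list.
BRAND_DOMAINS = {
    "alibaba": {"alibaba.com", "aliexpress.com"},
    "amazon": {"amazon.com"},
    "walmart": {"walmart.com"},
    "netflix": {"netflix.com"},
}

# Free-hosting platforms where a serious store would not live (constructed sample).
FREE_HOSTING = {"000webhostapp.com", "weebly.com", "blogspot.com"}

# Stand-in for a WHOIS query: registrable domain -> creation date (constructed sample).
WHOIS_CREATED = {
    "alibaba.com": date(1999, 4, 15),
    "walmart.com": date(1995, 5, 3),
    "black-fridaywalmart.example": date(2018, 11, 1),
    "xk3q9z.example": date(2018, 11, 10),
}

FRESH_DOMAIN_DAYS = 90


def registrable_domain(host):
    """Return the last two labels of a host (good enough for .com/.example;
    a real tool would consult the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_random(label):
    """Heuristic for a 'meaningless set of characters': many digits or no vowels."""
    if len(label) < 6:
        return False
    digits = sum(c.isdigit() for c in label)
    has_vowel = any(c in "aeiou" for c in label)
    return digits / len(label) >= 0.3 or not has_vowel


def check_url(url, today):
    """Return the list of warning signs found for a store URL, in a fixed order."""
    if "://" not in url:
        url = "http://" + url
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    domain = registrable_domain(host)
    reasons = []

    # Brand name appears in the host, but the registrable domain is not the brand's own.
    for brand, real_domains in BRAND_DOMAINS.items():
        if brand in host and domain not in real_domains:
            reasons.append("brand-lookalike")
            break

    if domain in FREE_HOSTING:
        reasons.append("free-hosting")

    if looks_random(domain.split(".")[0]):
        reasons.append("random-label")

    created = WHOIS_CREATED.get(domain)
    if created is None:
        reasons.append("whois-unknown")
    elif (today - created).days < FRESH_DOMAIN_DAYS:
        reasons.append("fresh-domain")

    if parsed.scheme != "https":
        reasons.append("plain-http")

    return reasons


if __name__ == "__main__":
    day = date(2018, 11, 20)
    for candidate in ["https://www.alibaba.com/",
                      "http://black-fridaywalmart.example/tv-deal",
                      "https://alibaba-1111.000webhostapp.com/deal",
                      "http://xk3q9z.example/pay"]:
        print(candidate, "->", check_url(candidate, day) or "no warning signs")
```

The brand check is the one that catches the "multiple mentions of alibaba in the URL" trick from the Singles’ Day screenshot: a subdomain or hyphenated label may contain the brand name, but only the registrable domain decides who owns the site, so that is what is compared against the allowlist. Any non-empty result is a reason to pause before typing payment details, not a verdict; an empty result only means none of these particular signs were present.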
See the “Why phishing works and how to avoid it” post for more useful tips.
Safe shopping tips
- Get yourself a special card for online purchases and don’t keep large sums of money on it.
- Don’t visit shopping sites from links in e-mails, social media messages, and chat rooms, or by clicking/tapping advertising banners on suspicious sites.
- Try to avoid using public Wi-Fi hotspots for shopping purposes; but if you have no choice, be sure to use a VPN, such as Kaspersky Secure Connection.
- Before entering personal information, make sure that you are on the genuine site. The address bar should contain the correct URL (check it very carefully), preceded by the letters “https” and/or a green padlock. If so much as one character in the domain name is wrong, don’t even think about entering any confidential data.
- Use a reliable anti-phishing security solution — for example, Kaspersky Plus.