This article contains an affiliate link for ProtonVPN which we have an independent partnership with.

Welcome to Bsquared Intel’s Ultimate Holiday Shopping Cyber Security Guide!

If you are one of the 158 million people that the National Retailers Federation estimates will go shopping this Black Friday [Source: Yahoo! News] it’s a good time to keep your wits about you. Even if you’ve already started your holiday shopping, the cyber Grinches are out in force. According to reporting from TechRepublic, malicious websites geared toward shopping and sales have skyrocketed since October 2021 to the point where there are on average 5300 of these sites cropping up weekly. You read that right. Weekly! [Source: TechRepublic] What’s a person to do? How do you navigate through this minefield? In this holiday shopping guide for 2021 we’ll be giving you some things to look out for while you’re shopping and if you’re a business owner things you can do to protect yourself and your customers.

Before we start, we’re going to give you a crash course in a few things as they are fundamental to how scams/phishing attacks work and issues related to malware.

Social engineering

At the core of a scam is social engineering.

A very basic definition of social engineering is framing someone’s reality in order to get them to do something you’ve already predetermined. Kids do this to parents. Let’s say their end goal is to stay up past their bed time or to have a snack.  They’ll push all their parents’ buttons to succeed. In the cybercrime sense, there’s two optimal outcomes. 1) To get you to give up sensitive information like usernames/passwords, financial information, or other types of personal/sensitive information. 2) To get you to do something out of character. This includes getting you to click on a link or download an attachment that’s malicious, to install an untrusted app, to get you to enter suspicious commands into a command prompt, or to give them physical access to a building or a sensitive area.

At the core of a social engineering attack are a few elements:

  • They exploit your emotions. The goal is to get you to have a knee-jerk reaction and not think logically about the social engineer’s request.
  • There’s always a time component to their requests. This is to get you to rush, make mistakes, and prevent you from slowing down to see what’s really going on.
  • Use/abuse of authority. The bad actor may pose as a legal authority. You typically see this play out in IRS email scams where the scammer is pretending to be an IRS agent who has the power to levy fines or impose jail time for your non-compliance. There’s also authority of an industry. That might look like someone posing as Amazon, Walmart, Microsoft, Apple, PayPal, your bank, and other businesses you frequent. There’s also what we would like to label as organizational authority. This is someone posing as the CEO, president, director, manager, or someone who has the authority to compel you to do something at work under the threat of being fired if you don’t comply.

With the focus of this article being the holiday shopping season, and by extension helping out charities, the more frequent forms of social engineering you’ll come across are:

  • Phishing emails
  • Phishing texts (AKA SMiShing)
  • Voice phishing (AKA Vishing)
  • Fake websites
  • Fake social media profiles

Later on we’ll be giving you a few examples of things we’ve found in the wild and break things down a little so that you know what to look out for. For now we’ll move on to malware.

Malware

Malware is malicious software. Broadly, malware allows a bad actor to either snoop on you or to destroy things. If we want to get fancy, malware allows for espionage or sabotage to take place.

The kind of malware you might encounter during the holiday season could be:

  • Keyloggers: Keyloggers record your keystrokes which are sent to the bad actor. Typically they’re used to collect usernames and passwords. This allows the bad actor to then log into your account. Keyloggers can be embedded in a malicious website, it can be a standalone program, or it can run on a USB dongle.
  • Web skimmers: A web skimmer is a piece of malicious code that’s embedded on a payment page of a web store that collects your payment information for your credit or debit card.
  • Ransomware: Ransomware is on the destructive side of things. It locks up your files, or your computer, or access to your network. In order to get access to whatever is locked up, you need to pay a ransom. Typically the ransom is paid using cryptocurrency such as Bitcoin.
  • Banking trojans. Trojan horse malware is a program that purports to do something legitimate, and does said function, while also carrying out malicious activities. A banking trojan typically targets mobile devices. They are used to steal bank login information, text messages containing one-time passwords, and credit card information.

How does someone get their device infected with malware?

A common way someone gets infected is through email that contains a malicious link or attachment. They may look like links to invoices, or a PDF, or a spreadsheet, or a document file labeled in a way to entice you to open them. If the email is text only, the chances of getting infected by opening it up are pretty non-existent. There may be some email service providers that allow multimedia attachments like images, audio, or video to run. This increases the chances of being infected. However some email service providers won’t load multimedia attachments without your permission.

Malware is also delivered over text message that typically contain a malicious link. There is a new variant of this where no link is used, but through some clever social engineering gets you to reply to a text message and that’s where the scam begins. You can read about this over at Krebs On Security.

Malware is sometimes found on legitimate websites and the services they use to serve up ads. If these sites and services are compromised there is potential for your device to get infected. There are websites that are set up intentionally to infect visitors too and the bad actors may set them to be an evil twin of their legitimate counterpart.

Your mobile app stores contain malicious applications. Sometimes they look similar to legitimate well known applications in both design and name. Other times they blend in with popular types of apps making the selection process that more important.

How to know if you’re infected

First, depending on the malware, you may not know. If it’s a new virus, for example, it can still infect your computer or phone even if you have anti-virus on it.  This is because the anti-virus vendors don’t know of its existence yet and hasn’t been added to the virus definitions. The bad actors are always looking for new ways to evade detection. With that being said, here are some indicators that your computer or mobile device is infected:

  • Your device seems like it’s running slowly. If it’s due to an infection it’s because stuff is hogging computing resources, but not all malware sucks up all this bandwidth. If your device is old, it’s expected to slow down over time. In other words, a slow device can either be attributed to age or malware, so run a full virus scan to see if anything is discovered.
  • You see a lot of ads or popup windows.
  • You notice icons of applications on your device you’ve never installed.
  • In the case of ransomware, locked files/folders and a ransom note are clear indicators of infection.
  • You devices are constantly crashing.
  • Your anti-virus alerts you.

Some ways to help proactively reduce your chances of getting your devices infected

  • Install antivirus on your devices and make sure the software and virus definitions are up to date. Make sure you schedule full antivirus scans to run nightly. To note, iPhones and iPads do not have antivirus currently available for them because of how they’re designed.  Your Mac on the other hand needs antivirus.
  • Make sure all of your devices and software are up to date. This helps patch up security holes discovered by the vendor.
  • Lock your devices! Whether it’s a password, PIN, fingerprint, or facial recognition, have something in place to prevent someone getting physical access to your device.  With online accounts, make sure you have two factor authentication enabled.
  • With mobile devices, and we’re including laptops for this tip, do not leave them unattended, especially if you do venture out to a store or mall to do shopping. Where you go, so does the device.
  • Don’t click, or tap, on links in emails, text messages, or social media posts(or DMs) that look strange. Don’t open suspicious attachments, even if it’s coming from someone you know(Tip: If you know the person find a different way to contact them to verify what they sent you). If you’re asked to browse to a website, make sure the name is spelled correctly. Also make sure the email address of the sender is also legitimate. If you’re expecting something from Disney, they wouldn’t contact you from a Gmail account.
  • Do your due diligence when installing apps. Make sure it’s from a trusted source. Read the reviews left by users. Read the app permissions to see what the app wants to request access to on your device. If it seems off, like a flashlight app that requests access to your device’s storage, that’s a red flag. Also make sure the name of the app isn’t misspelled or have additional text added to it. For example if you’re installing Snapchat, the real one in your app store is just “Snapchat.” If you see something like “Snapchat Official 2021,” that’s a red flag.

Now that we’ve covered social engineering and malware, lets explore a few examples of different scams/phishing attempts that’s related to the holiday shopping season.

Here’s an example of a fake PayPal invoice with an incorrect item that’s purchased. This is an order confirmation scam. The scammer is looking for you to give them personal and/or financial information if you contact them. Pro-tip: Don’t use the contact information in any suspicious communication you receive. You’ll end up interacting with the bad actor.  Go directly to the source to contact someone. In this instance you would go directly to paypal.com. Whether or not you have a PayPal account use this link to report a scam https://www.paypal.com/us/webapps/mpp/security/report-problem

In the image above, you’ll notice that the email sender is not PayPal, the phone number doesn’t belong to them either, nor is the logo an official one from the company. When it comes to an emotional trigger, this may illicit a sense of panic that you either purchased the wrong thing, someone made an unauthorized purchase, or you put in the wrong shipping address.

The next image is an “undelivered package” scam.

So, what’s wrong with this email?

First the FedEx logo is wrong and a semi-colon (;) is inserted between “Fed” and “Ex.” The real dangerous part of this email is clicking on the link for the shipping label. This is where your device may be infected.

The reason why this scam succeeds is if you’ve bought a lot of gifts from different places and at different times, your inbox will have several package tracking notifications and this one may blend in.

This next image is the SMiShing version of an “undelivered package” scam this time pretending to come from USPS. The redacted phone number is not the USPS, the redacted name isn’t us, and the partially redacted link isn’t tied to the USPS because it ends with .info.  If you would like to track your packages, use the post office’s tracking tool https://tools.usps.com/go/TrackConfirmAction!input.action

 

Now let’s get into some shopping scams.

With these scams, some of the telltale signs are the use of shortened links(e.g. https://bit.ly/3cGSaac. which links to our home page bsquaredintel.com), websites names that look similar to a real company, super low prices, and language to compel you to buy (e.g. “One day sale,” “limited supply). This is Social Engineering 101.

In the hands of a bad actor, link shortening services are used to disguise a real malicious link.  You can use a tool like https://unshorten.me to view where a shortened link will take you before deciding to browse to it.  Try it with the shortened link in the first sentence of the paragraph above.

The similar looking names are meant to deceive you because at a quick glance it may look real, even more so if you’re in a hurry.  If someone wants to make you believe their malicious site is real, they may misspell the name where the “typo” looks close to the real domain name.  They may use a domain name that may have the same top level domain(TLD) like .com but it might look something like blackfriday2021-[name of company].com.  They may even use the wrong TLD, so if the legitimate company uses .com they may use .net.

The super low prices are to trigger the impulse buying. The “One day sale” or “limited supply” language imposes a time crunch to compel you to act now.

This image below was from a Facebook post found in the wild last year. What makes this post suspicious is the unrealistic discount and the fake domain names.

 

This next Facebook post is one of the greatest hits that pops up every now and again.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Indicators that this is a fake ad:

  • The domain name is not the real one for Ray Ban.
  • The discount is unrealistic.
  • one day sale” language to create scarcity and to trigger impulse buying.

This last piece of work is probably our favorites. It is a fake website that has all the trimmings; an online catalog, contact information, and so much more that we’re going to do a separate article on this one. These images that we’re showing are to illustrate that these prices are obscenely low for things like bounce houses and playground sets. This was discovered last year, so the real product names might not be the same, but the pricing for items like these on Walmart, or Amazon, are hundreds of dollars to about two thousand dollars.