Welcome to Bsquared Intel’s Ultimate Holiday Shopping Cybersecurity Guide 2! This is the 2023 update of the guide we originally put out a couple of years ago.

If you are one of the millions who will go shopping this Black Friday/Cyber Monday, it’s a good time to keep your wits about you. Even if you’ve already started your holiday shopping, the cyber Grinches will be out. How do you navigate this minefield of malicious shopping sites, phishing emails and texts, and too-good-to-be-true deals? In this holiday shopping guide we’ll give you some things to look out for while you’re shopping and, if you’re a business owner, things you can do to protect yourself and your customers.

Before we start, here is a crash course in a few things that are fundamental to how scams and phishing attacks work, and to the malware they deliver.

Social engineering

At the core of a scam is social engineering.

A very basic definition of social engineering is framing someone’s reality in order to get them to do something you’ve already predetermined. Kids do this to parents. Let’s say their end goal is to stay up past their bedtime or to have a snack. They’ll push all their parents’ buttons to succeed. In the cybercrime sense, there are two desired outcomes. 1) To get you to give up sensitive information like usernames/passwords, financial information, or other types of personal/sensitive information. 2) To get you to do something out of character. This includes getting you to scan a QR code, click on a link, download a malicious attachment, install an untrusted app, enter suspicious commands into a command prompt, or give them physical access to a building or a sensitive area.

At the center of a social engineering attack are a few elements:

  • They exploit your emotions. The goal is to get you to have a knee-jerk reaction and not think logically about the social engineer’s request.
  • There’s always a time component to their requests. This is to get you to rush, make mistakes, and prevent you from slowing down to see what’s really going on.
  • Use/abuse of authority. The bad actor may pose as a legal authority. You typically see this play out in IRS email scams, where the scammer pretends to be an IRS agent who has the power to levy fines or impose jail time for your non-compliance. There’s also the authority of a familiar company. That might look like someone posing as Amazon, Walmart, Microsoft, Apple, PayPal, your bank, or other businesses you frequent. And there’s what we would like to label organizational authority: someone posing as the CEO, president, director, manager, or anyone else who can compel you to do something at work under the threat of being fired if you don’t comply.

With the focus of this article being the holiday shopping season, and by extension charitable giving, the forms of social engineering you’ll most frequently come across are:

  • Phishing emails
  • Phishing texts (AKA SMiShing)
  • Voice phishing (AKA Vishing)
  • QR Code phishing (AKA Quishing) (This is an emerging threat that you may start encountering more frequently.)
  • Fake websites
  • Fake social media profiles

Later on we’ll give you a few examples of things we’ve found in the wild and break them down a little so that you know what to look out for. For now, on to malware.

Malware

Malware is malicious software. Broadly, malware lets a bad actor either snoop on you or destroy things. If we want to get fancy, malware enables espionage or sabotage.

The kind of malware you might encounter during the holiday season could be:

  • Keyloggers: Keyloggers record your keystrokes and send them to the bad actor. Typically they’re used to collect usernames and passwords, which lets the bad actor log into your accounts. A keylogger can be embedded in a malicious website, run as a standalone program, or live on a USB dongle plugged in between the keyboard and the computer.
  • Web skimmers: A web skimmer is malicious code injected into the payment page of a web store. It copies your credit or debit card details as you type them and sends them to the attacker, while the real purchase still goes through, so you may not notice for weeks.
  • Ransomware: Ransomware is on the destructive side of things. It encrypts your files, locks your computer, or cuts off access to your network, and to get back whatever is locked up you are told to pay a ransom, typically in cryptocurrency such as Bitcoin.
  • Banking trojans: A trojan is a program that purports to do something legitimate, and often does, while also carrying out malicious activity. Banking trojans exist for both desktops and mobile devices; the mobile versions are used to steal bank login information, text messages containing one-time passcodes, and credit card information.

How does someone get their device infected with malware?

A common way to get infected is through an email that contains a malicious link or attachment. The attachments may look like invoices, PDFs, spreadsheets, or document files, labelled in a way that entices you to open them. If the email is plain text only, the chances of getting infected just by opening it are close to non-existent. Some email clients automatically render embedded or remote content in HTML email (images, audio, video), which increases the exposure; others won’t load such content without your permission.

Malware is also delivered over text messages that typically contain a malicious link. There is a variant where no link is used: through some clever social engineering, the message gets you to reply, and that’s where the scam begins. You can read about this over at Krebs On Security.

There’s also been an increase in QR code phishing (AKA Quishing).

QR codes are everywhere.

They’re on fliers, business cards, mobile tickets, and restaurant menus, and that is just a drop in the bucket of where they’re found. Over the last several months there’s been an uptick in QR code phishing, primarily observed over email. The bad actors either embed QR codes directly in the email or attach PDFs containing QR codes; because the URL is hidden inside an image, it gets past spam filters that only inspect links in the message text. To get you to scan the code, they may tell you it’s required for verification purposes. Once you scan it, one of two things happens: you’re greeted with a form asking for sensitive information, or the link you’re sent to tries to infect your device with malware. One simple check: most phone cameras show the URL before opening it, so read the domain name before you tap. Since this particular article is themed around holiday shopping, our educated guess is you’ll probably see this applied to the “undelivered package” scam, of which we have an example later on, or to an invoice, or to an unrealistic discount on an item you’d love to purchase as a gift. Since QR codes are out in the physical world too, someone may get creative and design a holiday-themed flier, so keep your wits about you when you’re out and about.

Malware is sometimes found on legitimate websites and on the ad services they use (this is called malvertising). If those sites or services are compromised, your device can be infected just by visiting. There are also websites set up intentionally to infect visitors, and the bad actors may design them as an evil twin of a legitimate counterpart.

Mobile app stores contain malicious applications. Sometimes they mimic well-known apps in both design and name. Other times they blend in with popular categories of apps, which makes the selection process that much more important.

How to know if you’re infected

First, depending on the malware, you may not know. New malware, for example, can infect your computer or phone even if you have antivirus installed, because the antivirus vendors don’t know of it yet and it hasn’t been added to their detection signatures. The bad actors are always looking for new ways to evade detection. With that said, here are some indicators that your computer or mobile device is infected:

  • Your device seems to be running slowly. If an infection is the cause, it’s because something is hogging computing resources, though not all malware is that noisy. If your device is old, some slowdown is expected. In other words, a slow device can be due to age or to malware, so run a full antivirus scan to see if anything is discovered.
  • You see a lot of ads or popup windows.
  • You notice icons of applications on your device you’ve never installed.
  • In the case of ransomware, locked files/folders and a ransom note are clear indicators of infection.
  • Your devices are constantly crashing.
  • Your anti-virus alerts you.

Some ways to help proactively reduce your chances of getting your devices infected

  • Install antivirus on your devices and keep both the software and its detection signatures up to date. Schedule full scans to run nightly. Note that iPhones and iPads do not have traditional antivirus available, because iOS sandboxes apps so that no app can scan another app’s files. Your Mac, on the other hand, needs antivirus.
  • Keep all of your devices and software up to date. Updates patch the security holes the vendor has discovered.
  • Lock your devices! Whether it’s a password, PIN, fingerprint, or facial recognition, have something in place so that someone with physical access to your device can’t use it. For online accounts, make sure two-factor authentication is enabled.
  • With mobile devices, and we’re including laptops in this tip, do not leave them unattended, especially if you do venture out to a store or mall to do shopping. Where you go, so does the device.
  • Don’t click, or tap, on links in emails, text messages, QR codes, or social media posts (or DMs) that look strange. Don’t open suspicious attachments, even if they come from someone you know (Tip: if you know the person, find a different way to contact them to verify what they sent you). If you’re asked to browse to a website, make sure the name is spelled correctly. Also check that the sender’s actual email address, not just the display name your mail client shows, is legitimate. If you’re expecting something from Disney, they wouldn’t contact you from a Gmail account.
  • Do your due diligence when installing apps. Make sure the app comes from a trusted source. Read the reviews left by users. Read the app permissions to see what the app requests access to on your device. If it seems off, like a flashlight app that requests access to your device’s storage, that’s a red flag. Also make sure the name of the app isn’t misspelled and doesn’t have additional text added to it. For example, if you’re installing TikTok, the real one in your app store is just “TikTok.” If you see something like “TikTok Official App,” that’s a red flag.
  • Install trusted web browser extensions such as ad blockers or third-party tracker blockers. These reduce the chances of malware-laced ads infecting your devices. The same due diligence is needed when installing browser extensions as when installing apps, since some extensions are malicious, so the warnings in the point above apply.

Now that we’ve covered social engineering and malware, let’s explore a few examples of scams and phishing attempts related to the holiday shopping season.

Here’s an example of a fake PayPal invoice for an item that was never purchased. This is an order confirmation scam. The scammer wants you to hand over personal and/or financial information when you contact them. Pro-tip: Don’t use the contact information in any suspicious communication you receive; you’ll end up talking to the bad actor. Go directly to the source to contact someone. In this instance you would go directly to paypal.com. Whether or not you have a PayPal account, use this link to report a scam: https://www.paypal.com/us/webapps/mpp/security/report-problem

A phishing email posing as PayPal. The text in red is our notation pointing out the wrong email address, logo, and phone number. We also note that the shipping address is fabricated.

In the image above, you’ll notice that the sender is not PayPal, the phone number doesn’t belong to PayPal either, and the logo isn’t the company’s official one. As for the emotional trigger, this may elicit a sense of panic that you purchased the wrong thing, that someone made an unauthorized purchase, or that you entered the wrong shipping address.

The next image is an “undelivered package” scam.

This image is a phishing email posing as FedEx that states that the recipient had a package that was unable to be delivered. The red arrow pointing to "Print Shipment Label" is to indicate that it's a link that when clicked on is malicious.

So, what’s wrong with this email?

First, the FedEx logo is wrong and a semicolon (;) is inserted between “Fed” and “Ex.” The really dangerous part of this email is the link for the shipping label. Clicking it is where your device may be infected, or where you may be asked to fill out a form requesting sensitive information.

This scam succeeds because, if you’ve bought a lot of gifts from different places at different times, your inbox will contain several package tracking notifications and this one may blend in.

This next image is the SMiShing version of an “undelivered package” scam, this time pretending to come from USPS. The redacted phone number is not a USPS number, the redacted name isn’t ours, and the partially redacted link isn’t tied to the USPS: real USPS tracking lives on usps.com, and this link ends in .info. If you would like to track your packages, use the post office’s tracking tool https://tools.usps.com/go/TrackConfirmAction!input.action

This image is of a text message that's a phishing attempt of someone posing as the United States Postal Service. The text in red is our notes showing what is wrong. This includes the phone number not being a USPS one, the text being addressed to the wrong person, and a suspicious link that's not associated with the US Postal Service.

Now let’s get into some shopping scams.

With these scams, some of the telltale signs are shortened links (e.g. https://bit.ly/3cGSaac, which links to our home page bsquaredintel.com), website names that look similar to a real company’s, super low prices, and language that compels you to buy (e.g. “One day sale,” “limited supply”). This is Social Engineering 101.

In the hands of a bad actor, link shortening services are used to disguise a malicious link. You can use a tool like https://unshorten.me to view where a shortened link will take you before deciding to browse to it. Try it with the shortened link in the paragraph above.

Similar-looking names are meant to deceive you because at a quick glance they may look real, even more so if you’re in a hurry. If someone wants you to believe their malicious site is real, they may misspell the name so that the “typo” looks close to the real domain name. They may register a domain with the same top-level domain (TLD) as the real one, like .com, but with extra words attached, something like blackfriday[YEAR]-[name of company].com (this is known as combosquatting: adding words to the real brand name to form a new domain). They may use the wrong TLD, so if the legitimate company uses .com they use .net. They may also put the real brand name in a subdomain: the part that matters is whatever comes right before the TLD, so in a name like paypal.com.example.info the site belongs to example.info, not PayPal.

The super low prices are to trigger the impulse buying. The “One day sale” or “limited supply” language imposes a time crunch to compel you to act now.

The image below is from a Facebook post found in the wild last year. What makes this post suspicious is the unrealistic discount and the fake domain names.

This is an image of a scam found on Facebook. These are alleged "Christmas Gifts." The red flags indicating this is a scam include unrealistic discounts that are too good to be true and fake domain names.

This next Facebook post is one of the greatest hits that pops up every now and again.