Black Friday Highs and Woes: how cybercriminals exploit this season’s best deals
With over 165 million people shopping over Black Friday weekend last year [1], retailers are gearing up to advertise this year’s newest promotions. Unfortunately, so are cybercriminals. In this blog piece we look ahead to some of the types of activity we anticipate.
An uptick in legitimate promotional content allows cybercriminals to target unsuspecting shoppers with spam emails masquerading as discounts and sales from brand-name retailers, with the potential to harvest payment card information or infect victims’ computers with malware. Once card data is stolen, cybercriminal forums offer their own Black Friday deals on ‘fresh card dumps,’ turning the most wonderful time of the year into a sour affair.
What to expect in 2019:
Seasonal phishing campaigns
Cybercriminals are no strangers to phishing, a technique that typically uses social engineering via email to deliver malicious links or attachments. Phishing remains the most popular and successful infection vector, largely due to its simplicity. Lures vary in sophistication, with basic attempts simply including a malicious link in the body of the email. More advanced lures appear to come from trusted sources within the victim’s network and often include victim-specific details to increase the likelihood of the user inadvertently downloading malware onto their device.
As it is becoming increasingly common for consumers to shop online, cybercriminals need not resort to extensive social engineering methods to reap high rewards and steal consumer card and payment data. Rather, cybercriminals are likely to engage in high-volume, low-profit spamming efforts that target consumers already accustomed to receiving weekly retailer marketing emails.
A victim might not think twice about opening a Black Friday related email that contains the name of a well-known brand, promises a substantial discount, and uses similar language to that of legitimate retailers.
Figure 1: An example spam email masquerading as a legitimate promotion.
This time last year we observed a spike in suspected credential phishing pages that contained ‘Black-Friday’ and the name of a retailer in the URL, with 72% of URLs appearing between November 10th and the 27th. We anticipate a similar pattern this year.
Figure 2: URLs containing either ‘black-friday’ or ‘blackfriday’ spike ahead of the holiday season. Often, URLs will also contain the name of a popular retailer.
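The URL pattern described above can be turned into a simple triage check for mail gateway or proxy logs. This is an added example, not part of the original post; the brand names, official domains and sample URLs are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed allowlist: brand keyword -> domains the brand actually owns.
# (Hypothetical brands; replace with the retailers you protect.)
OFFICIAL_DOMAINS = {
    "examplemart": {"examplemart.com"},
    "shopco": {"shopco.co.uk", "shopco.com"},
}
SEASONAL_TERMS = ("black-friday", "blackfriday")


def host_is_official(host, domains):
    """True if host equals an official domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url):
    """Return (brand, reason) if the URL looks like a seasonal lure, else None."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    text = (host + parts.path + "?" + parts.query).lower()
    if not any(term in text for term in SEASONAL_TERMS):
        return None
    for brand, domains in OFFICIAL_DOMAINS.items():
        # A brand name inside the URL only counts when the host is not the brand's own.
        if brand in text and not host_is_official(host, domains):
            return (brand, "seasonal term and brand name on non-official host " + host)
    return None


# Constructed sample URLs, e.g. as pulled from mail gateway or proxy logs.
SAMPLE_URLS = [
    "https://www.examplemart.com/black-friday/deals",
    "http://examplemart-blackfriday.deals-example.net/login",
    "https://shopco.co.uk.black-friday-sale.example.org/account/verify",
    "https://news.example.com/blackfriday-shopping-tips",
    "promo.example.net/shopco/Black-Friday/signin.php",
]


def flag_lures(urls):
    """Return [(url, (brand, reason)), ...] for every URL that matches the pattern."""
    return [(u, hit) for u in urls if (hit := classify(u))]


if __name__ == "__main__":
    for url, (brand, reason) in flag_lures(SAMPLE_URLS):
        print(f"{brand:12} {url}\n             {reason}")
```

The third sample shows why the check compares the full host against the official domain: the retailer's real domain appears only as a leading label of an unrelated registered domain.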
Consumers should be wary of marketing emails or gift cards that offer substantial discounts and are perhaps too good to be true. Over Black Friday weekend, we recommend consumers not open promotional links or attachments directly from their inbox, to avoid the risk of unintentionally downloading malicious software onto devices. If the sale proves too enticing, it is best to search for the promotion directly on the retailer’s official website in order to steer clear of credential-stealing spoofed domains.
Magecart
As more consumers shop online rather than in-store on Black Friday[2], an upsurge in online purchases means millions of consumers will enter their payment card details online, presenting an attractive target for cybercriminals. They are increasingly targeting e-commerce sites with digital skimmers that exfiltrate payment card data, a technique known as Magecart.
Magecart has been known to target content management systems (CMSs) like Magento, OpenCart, OSCommerce, and PrismRBS.
Figure 3: Orpheus’ repository of intelligence reports highlights an increase in Magecart reporting in 2019.
Magecart has been used to target major brands like Ticketmaster, British Airways, and Sotheby’s. In July alone, over 900 e-commerce websites were compromised in a Magecart campaign that targeted both small and large retailers. Magecart’s increase in popularity among cybercriminals in part reflects its accessibility on cybercriminal forums. It has also been used to target third-party suppliers in order to infect a greater number of webpages and increase profitability.
Figure 4: A forum user posts a deobfuscated version of Magecart, instructing others on how to customize it.
Magecart infections often go unnoticed for long periods of time, with the latest Magecart incident targeting a popular US beauty retailer remaining undetected for six months.
This year we anticipate an increase in targeting ahead of the busy shopping weekend, with more cybercriminals using Magecart against a broader array of small and medium enterprise targets, as bigger organisations may be more aware of the threat and thus better protected. To mitigate against the Magecart threat, we advise online retailers to review the security defences of their suppliers and assess third party scripts running on their payment sites.
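One way to start assessing the third-party scripts on a payment page is to inventory every external script, check its host against a reviewed list, and check whether it is pinned with a Subresource Integrity attribute. This is an added example, not part of the original post; the page URL, approved hosts and checkout markup are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: hosts this (hypothetical) shop has reviewed and approved.
PAGE_URL = "https://shop.example.com/checkout"
APPROVED_HOSTS = {"shop.example.com", "js.payments.example.net"}

# Constructed checkout page markup; integrity values are placeholders.
CHECKOUT_HTML = """
<script src="/static/cart.js"></script>
<script src="https://js.payments.example.net/v3/sdk.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="https://cdn.widgets.example.org/chat.js"></script>
<script src="//analytics.example.io/t.js" integrity="sha384-PLACEHOLDER"></script>
<script>console.log("inline")</script>
"""


class ScriptAudit(HTMLParser):
    """Collect every external <script> with its host and SRI status."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag != "script" or not attrs.get("src"):
            return  # inline scripts need a separate content review
        src = urljoin(self.page_url, attrs["src"])  # resolves relative and // URLs
        host = urlsplit(src).hostname
        issues = []
        if host not in APPROVED_HOSTS:
            issues.append("host not on approved list")
        if host != self.page_host and not attrs.get("integrity"):
            issues.append("third-party script without integrity attribute")
        self.findings.append({"src": src, "host": host, "issues": issues})


def audit(html, page_url=PAGE_URL):
    """Return one finding per external script found in the markup."""
    parser = ScriptAudit(page_url)
    parser.feed(html)
    return parser.findings


if __name__ == "__main__":
    for f in audit(CHECKOUT_HTML):
        print(f["src"], "->", "; ".join(f["issues"]) or "ok")
```

Static markup only shows scripts present at load time, so scripts injected dynamically by other scripts need a browser-based inventory as well.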
Malware-as-a-service
Retailers aren’t the only ones offering Black Friday discounts on their products. Come November, cybercriminals promote their own Black Friday and Cyber Monday sales on deep and dark web forums, advertising fresh card dumps, free VPNs with any purchase, and discounted botnet packages.
Figure 5: A forum user advertising a Black Friday sale on discounted domains.
Likely additions to the list this year: Malware-as-a-service (MaaS). MaaS is malicious software available for purchase ‘off the shelf’, usually basic keyloggers and remote access trojans (RATs) that are used by unsophisticated actors for information, credential, and financial data theft. These are often delivered by phishing emails and can present a serious threat to organisations. For instance, in early October cybercriminals injected keylogging code into a script hosted on Amazon’s content delivery network (CDN), compromising over 100 sites and potentially thousands of customer credentials.
Orpheus’s threat-led approach to Cyber Risk Rating can help businesses small and large mitigate against these Black Friday ‘deals’ by providing a comprehensive understanding of present threats and vulnerabilities, protecting both retailers and their supply chains from these festive cybercriminals.
Orpheus is a leading cybersecurity company that offers predictive and actionable intelligence to clients, enabling them to anticipate, prepare for, and respond to cyber threats. Our threat intelligence is used to create threat-led cyber risk ratings, providing a more accurate assessment of risk than just analysing an organisation’s attack surface. Products include; External attack surface management, risk-based vulnerability management, third-party supply chain risk management and cyber threat intelligence.