Tuesday 12th November 2019

Black Friday Highs and Woes: how cybercriminals exploit this season’s best deals

With over 165 million people shopping over Black Friday weekend last year [1], retailers are gearing up to advertise this year’s newest promotions. Unfortunately, so are cybercriminals. In this blog piece we look ahead to some of the types of activity we anticipate.

 We anticipate this: an uptick in legitimate promotional content allows cybercriminals to target unsuspecting shoppers with spam emails masquerading as discounts and sales from brand-name retailers, with the potential to harvest payment card information or infect victims’ computers with malware. Once stolen, cybercriminal forums offer their own Black Friday deals on ‘fresh card dumps,’ turning the most wonderful time of the year into a sour affair.

What to expect in 2019:

Seasonal phishing campaigns

Cybercriminals are no strangers to phishing; a technique that typically uses social engineering via email to deliver malicious links or attachments. Phishing remains the most popular and successful infection vector, largely due to its simplicity. Lures vary in sophistication, with basic attempts simply including a malicious link in the body of the email. More advanced lures appear to come from trusted sources within the victim’s network and often include victim-specific details to increase the likelihood of the user inadvertently downloading malware onto their device.

As it is becoming increasingly common for consumers to shop online, cybercriminals need not resort to extensive social engineering methods to cash in high rewards and steal consumer card and payment data. Rather, cybercriminals are likely to engage in high volume and low profit spamming efforts that target consumers already accustomed to receiving weekly retailer marketing emails.

A victim might not think twice about opening a Black Friday related email that contains the name of a well-known brand, promises a substantial discount, and uses similar language to that of legitimate retailers.

Figure 1: An example spam email masquerading as a legitimate promotion.

This time last year we observed a spike in suspected credential phishing pages that contained ‘Black-Friday’ and the name of a retailer in the URL, with 72% of URLs appearing between November 10th and the 27th. We anticipate a similar pattern this year.

Figure 2: URLs containing either ‘black-friday’ or ‘blackfriday’ spike ahead of the holiday season. Often, URLs will also contain the name of a popular retailer.

Consumers should be wary of marketing emails or gift cards that offer substantial discounts and are perhaps too good to be true. Black Friday weekend, we recommend consumers not open promotional links or attachments directly from their inbox to avoid the risk of unintentionally downloading malicious software onto devices. If the sale proves too enticing, it is best to search for the promotion directly from a retailer’s official website in order to steer clear of credential stealing, spoofed domains.


As more consumers shop online rather than in-store on Black Friday[2], an upsurge in online purchases means millions of consumers will enter their payment card details online, presenting an attractive target for cybercriminals. They are increasingly targeting e-commerce sites with digital skimmers that exfiltrate payment card data, a technique known as Magecart.

Magecart has been known to target content management systems (CMSs) like Magento, OpenCart, OSCommerce, and PrismRBS.

Figure 3: Orpheus’ repository of intelligence reports highlights an increase in Magecart reporting in 2019.

Magecart has been used to target major brands like Ticketmaster, British Airways, and Sotheby’s. In July alone, over 900 e-commerce websites were compromised in a Magecart campaign that targeted both small and large retailers. Magecart’s increase in popularity among cybercriminals in part reflects its accessibility on cybercriminal forums, and has been used to target third party suppliers in order to infect a greater number of webpages and increase profitability.

Figure 4: A forum user posts a deobfuscated version of Magecart, instructing others on how to customize it.

Magecart infections often go unnoticed for long periods of time, with the latest Magecart incident targeting a popular US beauty retailer remaining undetected for six months.

This year we anticipate an increase in targeting ahead of the busy shopping weekend, with more cybercriminals using Magecart against a broader array of small and medium enterprise targets, as bigger organisations may be more aware of the threat and thus better protected. To mitigate against the Magecart threat, we advise online retailers to review the security defences of their suppliers and assess third party scripts running on their payment sites.


Retailers aren’t the only ones offering Black Friday discounts on their products. Come November, cybercriminals promote their own Black Friday and Cyber Monday sales on deep and dark web forums, advertising fresh card dumps, free VPNs with any purchase, and discounted botnet packages.

Figure 5: A forum user advertising a Black Friday sale on discounted domains.

Likely additions to the list this year: Malware-as-a-service (MaaS). MaaS is malicious software available for purchase ‘’off the shelf’’, usually basic keyloggers and remote access trojans (RATs) that are used by unsophisticated actors for information, credential, and financial data theft. These are often delivered by phishing emails and can present a serious threat to organisations. For instance, in early October cybercriminals injected a keylogging code onto a script hosted on Amazon’s content delivery network (CDN), compromising over 100 sites and potentially thousands of customer credentials. 

Orpheus’s threat-led approach to Cyber Risk Rating can help businesses small and large mitigate against these Black Friday ‘deals’ by providing a comprehensive understanding of present threats and vulnerabilities, protecting both retailers and their supply chains from these festive cybercriminals.

[1] https://www.forbes.com/sites/nikkibaird/2018/11/28/every-result-you-need-to-know-about-black-friday-cyber-monday-and-holiday-2018-so-far/#efc72264eb59

[2] https://www.businessinsider.com/black-friday-online-shoppers-outnumbered-in-store-2018-11?r=US&IR=T

Get our latest cyber intelligence insights straight into your inbox

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.