Season’s Greetings from Cybercriminals

Cybercrime is on the rise during the holiday season. Cybercriminals take advantage of Black Friday, Cyber Monday, and similar sales events to scam individuals. What can companies and individuals do to protect themselves from the most common seasonal attacks, such as phishing?

9 out of 10 cyberattacks start by clicking on a phishing link

Winter holidays and the time of giving are here. Merchants have started their sales and discounts, such as Black Friday, Cyber Monday, pre-Christmas discounts, etc. The digital world is flooded with ads, e-mail campaigns, pop-up banners, and anything else that has to do with sales.

Cybercriminals are also fans of Christmas sales. Conscia’s SOC team has detected a spike in interest in so-called “phishing kits” on the Dark Web. These are tools anyone can buy and use for their own phishing campaign relatively easily. We’ve noticed that most of these kits are also holiday themed. Further proof that cybercriminals are preparing for the holidays is the growth in registrations of misleading web domains.

While merchants are creating campaigns and are (legitimately) trying to get your attention, cybercriminals are also keeping busy with phishing ads, fake websites, e-mails, etc. Last year, the Slovenian national cybersecurity detection center (SI-CERT) recorded 3,177 incidents related to phishing. Even though only 5% of the victims reported damage, it amounted to a whopping 1.45 million euros.

Don’t let phishing attacks ruin your holiday season – read this article and see how you can fight phishing as a company, how phishing attacks work, and how you can protect yourself as an end user.

Typical online scams during the holiday season

Online scams happen constantly and intensify during the holiday season. The most commonly used tactics are phishing e-mails and fake websites of well-known (and local) brands.

These tactics are frequently combined in one criminal campaign. For example, a phishing message tells the user that they can click on a link to get a discount. The link leads them to a fake website, which can be an excellent clone of the original one. Most often, criminals will only create a fake landing page where the purchase is made, as this is the easiest way to obtain the data for the transaction. More sophisticated ones will invest in cloning the majority of the original website.

There is also a less known, but equally efficient way of obtaining money that is worth mentioning. Criminals register websites with names very similar to those of popular brands, a technique called typosquatting. The attackers usually host many ads on such a website, and if the site becomes popular, this can bring them a lot of advertising money. In many cases, such websites also contain malware, which can infect the victim’s computer. Such brand abuse is also called brand impersonation, and the result can be that the original brand becomes less trustworthy and eventually loses its clients.

Phishing: technical background

Conscia’s SOC is detecting the holiday spirit and discounts on the Dark Web as well. Cybercriminals offer and buy stolen data (stolen e-mail lists organized by geographic region, stolen source code of merchants’ websites, source code of website clones, phishing kits, etc.).

Dark Web offer. Source: RecordedFuture

The most popular items are phishing campaign kits. These let attackers simplify their phishing operations and come with built-in mechanisms for bypassing verification schemes such as 3DS (3-D Secure is a protocol that adds an extra layer of security to web transactions made with a credit or debit card). In Europe, 3DS is a well-established protocol, so having the option to bypass it is important for criminals.

Phishing kit example. Source: RecordedFuture

The next step in a phishing campaign is connecting a fake website to the framework. This enables the criminals to obtain the victim’s data on the fake website, which tries to imitate a legitimate website.

As the victim makes a purchase on such a site or inputs their financial data, the data is transferred into the phishing framework.

This is followed by a 3DS verification bypass. While the victim waits for the 3DS verification code, the attackers use the obtained card data and make a purchase at another website. This fraudulent transaction triggers the 3DS verification. As this is done instantly, the victim receives the 3DS verification code for the fraudulent transaction and inputs it into the fake website. The kit automatically saves this code and performs the transaction.

What follows depends on the attacker’s objectives. The victim could have made an online purchase for someone else in another web store or just transferred the money to the attacker. It is important to emphasize that this type of purchase (secured with additional verification) depends on the “victim’s collaboration” each time. The attacker usually doesn’t have a device that displays the verification code (the victim’s phone) and cannot repeat the transaction by themselves despite having obtained the credit card data.

The abuse is simpler if the victim is using a card and a web store where the transactions don’t use the 3DS system (or any other verification method). In this case, the attacker only needs the credit card data.
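The relay described above works because the victim enters a code that the issuer actually generated, just not for the purchase the victim thinks they are making. The following added example (not from the original article or from any Conscia tooling) shows the one check a cardholder can make before entering the code: compare the merchant and amount stated in the 3DS challenge with what the checkout page shows. It assumes, as many issuers do but not all, that the challenge message names the merchant and amount; the message wording, merchant names and amounts are constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Checkout:
    """What the cardholder believes they are paying for on the checkout page."""
    merchant: str
    amount: float
    currency: str

# Assumed message shape (invented for this example): issuers commonly name the
# merchant and amount in the 3DS challenge, but the wording differs per bank.
CHALLENGE_RE = re.compile(
    r"code\s+(?P<code>\d{4,8}).*?(?P<amount>\d+[.,]\d{2})\s*(?P<currency>[A-Z]{3})"
    r"\s+at\s+(?P<merchant>.+?)\.?$",
    re.IGNORECASE,
)

def parse_challenge(sms: str):
    """Extract code, amount, currency and merchant from a challenge message."""
    m = CHALLENGE_RE.search(sms.strip())
    if not m:
        return None
    return {
        "code": m["code"],
        "amount": float(m["amount"].replace(",", ".")),
        "currency": m["currency"].upper(),
        "merchant": m["merchant"].strip(),
    }

def challenge_mismatches(checkout: Checkout, sms: str) -> list[str]:
    """Compare the challenge with the checkout; an empty list means they agree.
    In the relay, the code is genuine but was issued for the attacker's purchase
    elsewhere, so the merchant and/or amount will not match the fake checkout."""
    parsed = parse_challenge(sms)
    if parsed is None:
        return ["challenge message could not be parsed; do not enter the code"]
    problems = []
    if parsed["merchant"].casefold() != checkout.merchant.casefold():
        problems.append(f"merchant: paying {checkout.merchant}, challenge names {parsed['merchant']}")
    if abs(parsed["amount"] - checkout.amount) > 0.005:
        problems.append(f"amount: paying {checkout.amount:.2f}, challenge says {parsed['amount']:.2f}")
    if parsed["currency"] != checkout.currency.upper():
        problems.append(f"currency: {checkout.currency} vs {parsed['currency']}")
    return problems

# Constructed sample: the victim's checkout, a genuine challenge for it, and a
# challenge that was triggered by a purchase at a different store.
VICTIM_CHECKOUT = Checkout("ShopExample", 89.90, "EUR")
GENUINE_SMS = "Your code 482913 for payment of 89,90 EUR at ShopExample."
RELAYED_SMS = "Your code 771204 for payment of 499.00 EUR at OtherStore."
```

The same comparison is what a bank's fraud team wants cardholders to make by habit: a code that arrives for a different merchant or a different amount than the page in front of you is the signal that the page is not talking to your bank.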

What can companies do to prevent phishing?

It is extremely difficult to combine a top-notch user experience with top-tier security. Users want the shopping process to be simple and fast. Companies are constantly optimizing the user experience and trying to adapt to the buyer’s expectations. Such optimizing frequently means compromising on security. Additional verifications and confirmations get in the way, and a typical user doesn’t like them. The rush must also be accounted for (“I have to buy this before it sells out or the discount ends”), which further shortens the user’s attention span and makes them less alert to phishing attempts.

On the other hand, there may be technical reasons to relax security mechanisms: under high user demand, additional checks would slow transactions down.

Cybercriminals understand this very well and take advantage of it. We advise companies to focus the needed attention on security mechanisms in their online stores and to ensure the necessary technical infrastructure to perform online purchases.

It’s true that end users are the most common victims of online scams. However, companies can also suffer reduced income and reputational damage if their clients or customers fall victim to phishing attacks that abuse the brand. That is why it’s in their best interest to keep consumers informed. We advise companies to notify their users about scams they detect and to report them to the relevant local authorities, which can help by further raising users’ awareness of the threats.

What can users do?

In the fight against online scams, most of the work falls to users. Knowledge and awareness are key. That is why you should:

  • Pay attention to the e-mail sender: the difference from a legitimate address can be a single letter;
  • Pay attention to the e-mail contents: expect proper English if the e-mail is supposedly from an English-speaking merchant;
  • Pay attention to the links offered inside the e-mail: check the real URL by hovering the mouse over the link. The actual destination appears in the bottom left corner of the browser or mail client, and that is how you check the legitimacy of the link;
  • Pay attention to e-mails that demand personal data;
  • Don’t buy (very) expensive items online, or set spending limits;
  • Always check the authenticity of an online store (HTTPS connection, correct domain address), and
  • If possible, don’t purchase items from publicly accessible computers or networks (libraries, coffee shops, hotels…). Use a VPN if you can, or make the purchase from a trustworthy device or network.
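The sender, link and HTTPS checks in the list above, and the typosquatting technique described earlier, can be turned into a small mechanical check. The following added example (not from the original article or from Conscia's detection service) compares a sender domain or a link's real destination against a short allow-list of domains the reader actually uses, flags domains within one or two edits of a trusted one, flags non-HTTPS links, and flags link text that shows one domain while the link goes to another. The allow-list, e-mail addresses and URLs are constructed for the example; the public-suffix handling is deliberately crude.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list: the merchants and banks the reader actually uses.
TRUSTED_DOMAINS = {"shop-example.com", "bank-example.si"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Brand part of a hostname (last two labels). Enough for the .com/.si
    samples here; a production check would use the public suffix list."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_host(host: str) -> list[str]:
    """Flag a domain that is one or two edits away from a trusted one."""
    r = registrable(host)
    if r in TRUSTED_DOMAINS:
        return []
    findings = []
    for trusted in TRUSTED_DOMAINS:
        d = levenshtein(r, trusted)
        if d <= 2:
            findings.append(f"{host}: {d} edit(s) away from {trusted}")
    return findings

def check_sender(address: str) -> list[str]:
    """Sender check: the domain after '@' may differ by only one letter."""
    return check_host(address.rsplit("@", 1)[-1])

def check_link(visible_text: str, href: str) -> list[str]:
    """Link check on the real destination (what hovering reveals): HTTPS,
    look-alike domain, and link text naming a different domain than the href."""
    findings = []
    url = urlparse(href)
    if url.scheme != "https":
        findings.append(f"{href}: not HTTPS")
    if url.hostname:
        findings.extend(check_host(url.hostname))
        shown = re.search(r"([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", visible_text, re.I)
        if shown and registrable(shown.group(1)) != registrable(url.hostname):
            findings.append(f"text shows {shown.group(1)} but link goes to {url.hostname}")
    return findings
```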

How can we help?

NIL, part of Conscia Group, can help companies reduce their online scam risks. When it comes to banks, we can detect if their payment (credit/debit) cards (or the payment cards of their users) appear on the Dark Web to be sold. We also track the registration of fake domains and offer advanced detection of fake websites.

We also publish the ThreatInsights newsletter for free, in which we highlight key trends and events in the cyber threat landscape. Sign up to receive, once a week, information about the most important and newest cyber events and incidents in Europe, including trending vulnerabilities, malware research, and dark web activities.