Researchers uncover 37,000 fake websites aiming to fool holiday shoppers

Hackers are directly scamming end users with high-volume phishing campaigns

Woman shopping online on a laptop

Security researchers have discovered around 37,000 fake retail websites set up to scam holiday shoppers.

According to the RiskIQ 2020 Black Friday E-commerce Blacklist Threat Report, cyber criminals set up these websites to leverage leading online retailers’ names and consumers’ poor security habits to fool shoppers looking for holiday shopping deals. 

Registering domains that infringe on well-known brands is a common tactic in phishing campaigns and has grown in popularity in recent years due to the opening of thousands of new generic top-level domains (gTLDs), the growth of free and cheap domain registration services, and attack techniques, like domain shadowing, according to the report.

In a query of 20 Fortune 100 companies’ branded terms, RiskIQ’s domain infringement detection revealed 37,000 probable domain infringement instances over two weeks. That’s 1,850 incidents per brand. 

Researchers also found 208 domain infringement events containing only “Black Friday,” “Cyber Monday,” “Boxing Day,” or “Christmas.” New hostnames containing these terms spun up near the Thanksgiving shopping weekend don’t necessarily indicate a legitimate threat, but shoppers should be skeptical of them. 

Looking at five of the top-10 most trafficked sites in the US and UK, RiskIQ found 18,891 blacklisted URLs containing their branded terms. That’s 945 blacklisted URLs per brand.

The researchers also found that hackers have developed apps that spoof legitimate retailers to scam victims. They found 1,654 blacklisted apps containing branded terms in the title or description or 82.7 per brand.

RiskIQ found an average of nearly three blacklisted apps for each brand containing its branded terms and “Black Friday,” “Cyber Monday,” “Boxing Day,” or “Christmas” in the title or description. This shows clear intent by threat actors to leverage the shopping holiday, said researchers.

The report also delved into Magecart web-skimming attacks. Magecart places skimmers on scores of e-commerce sites, including those of global brands, allowing operatives to intercept thousands of consumer credit card records. 

RiskIQ found the average length of a Magecart breach is 22 days. Anyone purchasing on a compromised site during this period is likely a credit card theft victim.

"This year's bad holiday actors will capitalize by using the brand names of leading e-tailers, as well as the poor security habits of consumers," said RiskIQ CEO Lou Manousos. "They'll fool shoppers looking for shopping deals, sales, and coupons by creating fake mobile apps and landing pages." 

Featured Resources

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Evaluate your order-to-cash process

15 recommended metrics to benchmark your O2C operations

Download now

AI 360: Hold, fold, or double down?

How AI can benefit your business

Download now

Getting started with Azure Red Hat OpenShift

A developer’s guide to improving application building and deployment capabilities

Download now

Recommended

Hackers using COVID vaccine as a lure to spread malware
hacking

Hackers using COVID vaccine as a lure to spread malware

15 Jan 2021
Cyber criminals bypassing MFA to access cloud service accounts
two-factor authentication (2FA)

Cyber criminals bypassing MFA to access cloud service accounts

14 Jan 2021
Capcom data breach adds another 40,000 estimated victims
data breaches

Capcom data breach adds another 40,000 estimated victims

13 Jan 2021
What is zero trust?
network security

What is zero trust?

11 Jan 2021

Most Popular

IT retailer faces €10.4m GDPR fine for employee surveillance
General Data Protection Regulation (GDPR)

IT retailer faces €10.4m GDPR fine for employee surveillance

18 Jan 2021
Should IT departments call time on WhatsApp?
communications

Should IT departments call time on WhatsApp?

15 Jan 2021
BT faces £600m class-action lawsuit for 'overcharging'
Policy & legislation

BT faces £600m class-action lawsuit for 'overcharging'

18 Jan 2021