November shopping – do it the smart way!

Check Point’s Threat Intelligence team highlights the spike in e-commerce threats during the shopping season, and shows how to stay safe

Key findings:

• The amount of e-commerce related phishing websites accessed during the online shopping season has more than doubled since November 2018.
• Links to phishing websites are distributed via email, in the hope of slipping through undetected amid the multitude of legitimate discount offers.
• We show an example of one such scam operation which fakes a leading eyewear brand’s website to attract buyers into dubious purchases.

Preparations for the holidays season are in full swing:  Chinese singles day, Thanksgiving, Black Friday and Cyber Monday are highlighted dates on every retailer’s calendar, and with fewer visitors braving the shopping crowds and increasing numbers going online for their purchases, stores are preparing for an online sales bonanza.

Chinese Singles Day sales in Alibaba totaled $38.4 billion in just 24 hours, an all-time record.

In the US, Cyber Monday online spending is expected to top last year’s record of $7.8 billion according to Adobe Insights.  However, it isn’t just stores and buyers who are getting ready:  threat actors are also organizing their infrastructures to try and grab their share of our holiday spending.

How do threat actors do this?  One popular attack technique is to lure shoppers into visiting fake, specially constructed websites which impersonate legitimate shopping sites. The bad guys can then steal the credit card details entered unwittingly by users, or just directly take your money through PayPal without ever sending the goods that buyers have paid for.

Criminals go phishing

12 months ago, in November 2018, we witnessed a significant increase in the amount of e-commerce related phishing websites being accessed directly, or from links sent via email.  And this year we can already see a similar trend.  With only half of November over and even before the peak of Black Friday and Cyber Monday, use of e-commerce phishing URLs has more than doubled since last November’s peak – in fact, it’s up by 233%.

Figure 1 – e-commerce Phishing URL’s per 100K Malicious Events

Accessing malicious websites is the final stage of a rather complicated multi-stage effort conducted on behalf of the threat actors.

Fake it to make it

The first step for such operations is to register a lookalike domain similar to well-known, legitimate online stores. Domains are the internet textual addresses used to find websites and services on the internet. They need to be registered and each has its owner. A look-alike domain needs to appear close enough to a known domain, to avoid raising the suspicions of prospective customers.

For example, more than 1,700 domains which look similar to the amazon.com domain have been registered in the past six months, like “amaz0n-jp[.]com” meant to give the impression that it is the authentic Japanese amazon site. Some of these domains will be used to deceive people during the coming shopping season.

Figure 2 – Amazon.com look-alike domains

The first malicious use for these domains is as email addresses. Threat actors will use these domains and spam out emails using the fake domain, offering special sales deals.  For example, the following email blocked by our systems this week, offered recipients a special Black-Friday bargain of up to 80% discount on Ray Ban Sunglasses!

Figure 3 – Fake Ray Ban Phishing Email

Cheap sunglasses?

This campaign started on November 7^th and we have seen it sent to thousands of potential victims. While email services have mechanisms to identify large scale spam campaigns, threat actors employ a wide array of techniques to bypass these filters. One example includes utilizing a worldwide network of infected hosts (bots) in order to mass distribute their malicious emails from different locations.

Figure 4 -Spam emails with fake Ray Ban sales campaign

Clicking on the image opens the browser with a fake Ray-Ban website displaying eye-catching offers. The site uses the lookalike domain xwrbs[.]com – rbs (Ray Ban Sunglasses) which is a repeating motif in this scam campaign.

The domain https://rbs.xwrbs[.]com/ sounds like something related to Ray Ban Sunglasses but is not related to the authentic Ray Ban site. The domain was actually only set up a few days before, specifically for this campaign, first used on November 6 2019:

Figure 5 – First resolution of xwrbs.com

And it looks very different from the authentic Ray Ban site:

Figure 6 – Authentic Ray Ban site

On the fake website, the client can then proceed to the payment page to confirm purchase.

The scam site only accepts payment using PayPal:

But if an unwary customer does pay, the sunglasses will probably never arrive …. or at best, a cheap fake might be delivered if the criminals are very generous.

So how can you avoid falling victim to these scam attempts? Our recommendations for safe purchase online are:

1. Verify you are ordering from an authentic source. One way to do this is NOT to click on promotional links n emails, and instead Google your desired retailer and click the link from the Google results page.
2. Beware of “special” offers. An 80% discount on the new iPhone is usually not a reliable or trustworthy purchase opportunity.
3. Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.

Happy and safe holiday shopping!