The Zscaler research team has identified several e-commerce traffic trends and cyberattack campaigns being waged against online shoppers.

The holidays are here, and along with the eggnog and tacky sweaters comes the annual spike in phishing, scam, and card skimmer attacks targeting seasonal shoppers, particularly during the Black Friday and Cyber Monday shopping frenzies. Recently, the Zscaler ThreatLabz research team observed a great deal of malicious activity: some attackers luring victims with emails that offered heavy discounts but led to phishing pages; others injecting malicious code into e-commerce websites to steal credit card information. Zscaler also saw a considerable spike in online shopping transactions overall during this period. This write-up describes the e-commerce traffic trends and the associated cyberattacks that ThreatLabz observed.

Traffic Trends

Europe and Canada saw a significant jump in shopping transactions starting on Black Friday (November 26th), with e-commerce traffic rising roughly 50% from the week prior.

In the United States, where many businesses treat Black Friday as a holiday, the big shopping spike occurred on Cyber Monday (November 29th), with traffic increasing by roughly the same amount.

Other than Amazon, Kohl’s received the biggest traffic influx in the US, with a significant jump from 3 million to 6 million transactions on Cyber Monday (100%). Transactions to Macy’s also saw a significant jump, from 1.4 million to 2.8 million transactions on Cyber Monday (100%).

Newly Registered Domain Activity

ThreatLabz observed many new domains being registered related to Thanksgiving, Cyber Monday, and Black Friday. Of course, not all of these domains are necessarily malicious. Still, newly registered domains are always suspicious, and one should be careful when accessing them, especially when the domains relate to discounts and deals.
Fig 3: Newly registered domains (NRDs) seen in the past 30 days.

Cyberattack Trends

Case 1:

Grelos is a skimmer group that has been active for the past 4-5 years, over which time it has continued to enhance its attack techniques and infrastructure. This skimmer group was seen targeting e-commerce websites with Cyber Monday deals over the holiday weekend. Below is an example of a Grelos attack, in which a genuine website was injected with malicious skimmer code. When unsuspecting users enter their financial details, the attackers capture that information.

Fig 4: E-commerce website with Cyber Monday offerings and injected obfuscated Grelos skimmer.

Exfiltration domain: checkoutmodules[.]biz

This domain has previously been associated with malicious skimmer activity.

Case 2:

In the following example, we observed a site promoting Black Friday sales and offerings that had been injected with obfuscated skimmer code.

Fig 5: E-commerce website with Black Friday offerings and injected obfuscated skimmer code.

In this case, the skimmer stores all of the victim’s stolen payment details in a cookie and renames the extracted HTML field IDs to its own, making it easier for the attackers to store and parse the data.

Fig 6: Extracting HTML field IDs from cookies and replacing them.

The stolen data is hidden among ordinary-looking parameters and sent to the attacker so that the request resembles benign traffic. Here the key ‘statistic_hash’ holds the encoded stolen payment data.

Fig 7: Stolen payment data in ‘statistic_hash’.

Case 3:

Historically, the biggest target of skimmer groups has been the Magento platform. Recently, however, ThreatLabz has started seeing other platforms such as WooCommerce being targeted as well. In the following example, a WooCommerce-based e-commerce website with Cyber Monday offerings is injected with malicious skimmer code.

Fig 8: WooCommerce-based e-commerce website and injected skimmer code.
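Case 2 above shows stolen card data tucked, in encoded form, into a single query parameter (‘statistic_hash’) among benign-looking ones. The following Python is an added detection example, not code from the ThreatLabz write-up: it scans outbound request URLs captured from a checkout page, base64-decodes any parameter value that will decode, and flags parameters carrying a Luhn-valid card number. It inspects every parameter rather than only ‘statistic_hash’, since the parameter name is chosen by the attacker; the sample URLs and hostnames are constructed for the example.

```python
import base64
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample of outbound requests from a checkout page (not page data). The first
# two mimic the Case 2 pattern: encoded card data in one parameter beside benign analytics
# fields. The third is ordinary telemetry and must not be flagged.
SAMPLE_REQUESTS = [
    "https://analytics.example-cdn.test/collect?v=1&tid=UA-0000&statistic_hash="
    + quote(base64.b64encode(b"cc=4111111111111111&exp=12/26&cvv=123&name=J Doe").decode(), safe=""),
    "https://img.example-cdn.test/pixel.gif?sid=abc123&payload="
    + quote(base64.b64encode(b'{"card":"5555 5555 5555 4444","exp":"01/27"}').decode(), safe=""),
    "https://analytics.example-cdn.test/collect?v=1&tid=UA-0000&dl=%2Fcheckout&t=pageview",
]

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum separates real-looking card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def try_b64(value: str):
    """Decode value as base64 text, repairing stripped padding; None if it is not base64."""
    value = value.replace(" ", "+")  # form decoding turns '+' into a space
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def find_pans(text: str) -> list:
    """Luhn-valid card-number candidates found in text, returned as digits only."""
    cands = [re.sub(r"[ -]", "", m.group()) for m in PAN_RE.finditer(text)]
    return [d for d in cands if 13 <= len(d) <= 19 and luhn_ok(d)]


def flag_exfil(url: str) -> list:
    """(parameter, PAN) pairs for each query parameter whose raw or decoded value holds a PAN."""
    hits = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = try_b64(value)
        for text in [value] + ([decoded] if decoded is not None else []):
            hits.extend((key, pan) for pan in find_pans(text))
    return hits
```

Run `flag_exfil` over proxy or browser network logs for checkout pages; a hit on a third-party analytics or image host is the pattern described in Cases 2 and 3.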
The skimmer code has anti-debug capabilities and detects whether developer tools are open. The victim’s stolen payment data is sent to the attacker in base64-encoded form.

Fig 9: Data exfiltration URL and other fields extracted by the skimmer.

Case 4:

In addition to injected JavaScript skimming code, ThreatLabz also saw benign websites redirecting visitors to malicious websites. The attackers achieved this by injecting malicious code that performs the redirection. Below is an example in which a website covering Black Friday deals was injected with malicious code that redirects victims to other malicious/scam websites.

Fig 10: Website with information on Black Friday deals and injected malicious redirection code.

Redirected domain: sdk.expresswayautopr[.]com

Conclusion

The Zscaler ThreatLabz team actively tracks campaigns targeting online shoppers and provides coverage to ensure that our customers are protected from these kinds of attacks. Users actively engaging in online shopping should follow these basic guidelines to protect their information and money:

- Use only legitimate e-commerce websites and make sure you are using HTTPS/secure connections
- Don’t fall for exciting “too good to be true” offers from unknown sources, and be extremely wary of clicking on links or documents from these sources
- Only download apps from official app stores, such as Google or Apple
- Back up your documents and media files. You can always go the extra mile by encrypting your files