Holiday Shoppers Once Again Scrooged By Cyberattacks

BrandPost By Zscaler
Dec 09, 2021
IT Leadership, Zero Trust

The Zscaler research team has identified several e-commerce traffic trends and cyberattack campaigns being waged against online shoppers.

The holidays are here, and along with the eggnog and tacky sweaters comes the annual spike in phishing, scam, and card skimmer attacks targeting seasonal shoppers – particularly during the Black Friday and Cyber Monday shopping frenzies.

Recently, the Zscaler ThreatLabz research team observed lots of malicious activity: some attackers lured victims with emails that offered heavy discounts but led to phishing pages; others injected malicious code into e-commerce websites to steal credit card information. Zscaler also saw a considerable overall spike in online shopping transactions during this period.

This write-up will explain the e-commerce traffic trends and associated cyberattacks that ThreatLabz observed.

Traffic Trends

Europe and Canada saw a significant jump in shopping transactions starting on Black Friday (November 26th), with e-commerce traffic jumping roughly 50% from the week prior.

In the United States, with many businesses treating Black Friday as a holiday, the big shopping spike occurred on Cyber Monday (November 29th), with traffic increasing by roughly the same amount.

Other than Amazon, Kohl’s received the biggest traffic influx in the US, with a significant jump from 3 million to 6 million transactions on Cyber Monday (100%). Transactions to Macy’s also saw a significant jump from 1.4 million to 2.8 million transactions on Cyber Monday (100%).

Newly Registered Domain Activity

ThreatLabz observed a lot of new domains being registered related to Thanksgiving, Cyber Monday, and Black Friday. Of course, not all of these domains are necessarily malicious. Still, newly registered domains are always suspicious, and one should be careful while accessing them, particularly when the domains are related to discounts and deals.

Fig 3: Newly registered domains (NRDs) seen in the past 30 days.

Cyberattack Trends

Case 1:

Grelos is a skimmer group that has been active for the past 4-5 years, over which time they’ve continued enhancing their attack techniques and infrastructure. This skimmer group was seen targeting e-commerce websites with Cyber Monday deals over the holiday weekend.

Below is an example of a Grelos attack, where a genuine website was injected with malicious skimmer code. When unsuspecting users enter their financial details, attackers capture that information.

Fig 4: E-commerce website with Cyber Monday offerings and injected obfuscated Grelos skimmer.

Exfiltration domain: checkoutmodules[.]biz

This domain has been previously associated with malicious skimmer activities.

Case 2:

In the following example, we observed a site promoting Black Friday sales and offerings that had been injected with obfuscated skimmer code.

Fig 5: E-commerce website with Black Friday offerings and injected obfuscated skimmer code.

In this case, the skimmer stores all the victim’s stolen payment details in the cookie and changes all the extracted HTML field IDs to their own to make it easier for the attackers to store and parse data.

Fig 6: Extracting HTML field IDs from cookies and replacing them.

This stolen data is hidden among general parameters and sent to the attacker to look like benign traffic. Here the key ‘statistic_hash’ holds the encoded stolen payment data.

Fig 7: Stolen payment data in ‘statistic_hash’

Case 3:

The biggest historical target of skimmer groups has been the Magento platform. But recently, ThreatLabz has started seeing other platforms like WooCommerce also being targeted. In the following example, a WooCommerce-based e-commerce website with offerings related to Cyber Monday is injected with malicious skimmer code.

Fig 8: WooCommerce-based e-commerce website and injected skimmer code.

The skimmer code has anti-debug capabilities and detects if dev tools are opened. The victim’s stolen payment data is sent to the attacker in a base64 encoded format.

Fig 9: Data exfiltration URL and other fields extracted by the skimmer.
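
For defenders reviewing web proxy logs, the exfiltration patterns in Cases 2 and 3 can be hunted for as shown in this added example (not Zscaler's code): it base64-decodes query parameter values and flags those containing a Luhn-valid card number, and separately flags the `statistic_hash` key by name. The log format, hostnames and test card number are constructed, and treating the Case 2 payload as base64 is an assumption.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")  # card-number-length digit runs
KNOWN_KEYS = {"statistic_hash"}  # parameter name reported in Case 2

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum over ASCII digits; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def try_b64(value: str):
    """Return decoded bytes if value is valid (standard or URL-safe) base64."""
    value = value.replace(" ", "+")  # '+' arrives as a space after URL decoding
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4),
                                altchars=b"-_", validate=True)
    except (binascii.Error, ValueError):
        return None

def suspicious_params(url: str):
    """List (key, reason) pairs for query parameters that look like exfiltration."""
    hits = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        decoded = try_b64(value) if len(value) >= 16 else None
        if decoded and any(luhn_ok(m) for m in PAN_RE.findall(decoded)):
            hits.append((key, "card-data"))
        elif key in KNOWN_KEYS:
            hits.append((key, "known-key"))
    return hits

def scan(log_lines):
    """Map destination host -> hits for every '<METHOD> <URL>' log line."""
    findings = {}
    for line in log_lines:
        _method, url = line.split(" ", 1)
        if hits := suspicious_params(url):
            findings[urlsplit(url).hostname] = hits
    return findings

# Constructed sample proxy log lines; hosts and card number are test values.
_b64 = lambda raw: base64.b64encode(raw).decode()
SAMPLE_REQUESTS = [
    "GET https://shop.example/cart?item=42&ref=cyber-monday",
    "GET https://cdn.example/collect?" + urlencode({"v": "1", "statistic_hash":
        _b64(b'{"cc":"4111111111111111","exp":"12/24","cvv":"123"}')}),
    "POST https://metrics.example/t?" + urlencode({"sid": _b64(b"deals-banner-2021")}),
]
```

Only the second sample request is flagged; the third carries a base64 value that decodes to harmless text, which is the false-positive case the Luhn check is there to suppress.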

Case 4:

In addition to injected JavaScript skimming code, ThreatLabz also saw redirection to malicious websites from some benign websites. The attackers achieved this by injecting malicious code that performs the redirection.

Below is an example where a website related to Black Friday deals was injected with malicious code, redirecting victims to other malicious/scam websites.

Fig 10: Website with information on Black Friday deals and injected malicious redirection code.

Redirected domain: sdk.expresswayautopr[.]com

The Zscaler ThreatLabz team actively tracks campaigns targeting online shoppers and provides coverage to ensure that our customers are protected from these kinds of attacks.

Users actively engaging in online shopping should follow these basic guidelines to protect their information and money:

  • Use only legitimate e-commerce websites and make sure you are utilizing HTTPS/secure connections
  • Don’t fall for exciting “too good to be true” offers from unknown sources, and be extremely wary of clicking on links or documents from these sources
  • Only download apps from official app stores, such as Google or Apple
  • Back up your documents and media files. You can always go the extra mile by encrypting your files