BrandPosts are written and edited by members of our sponsor community. BrandPosts create an opportunity for an individual sponsor to provide insight and commentary from their point-of-view directly to our audience. The editorial team does not participate in the writing or editing of BrandPosts.
The holidays are here, and along with the eggnog and tacky sweaters comes the annual spike in phishing, scam, and card skimmer attacks targeting seasonal shoppers – particularly during the Black Friday and Cyber Monday shopping frenzies.
Recently, the Zscaler ThreatLabz research team observed a great deal of malicious activity: some attackers lured victims with emails that offered heavy discounts but led to phishing pages; others injected malicious code into e-commerce websites to steal credit card information. Zscaler also saw a considerable overall spike in online shopping transactions during this period.
This write-up will explain the e-commerce traffic trends and associated cyberattacks that ThreatLabz observed.
Europe and Canada saw a significant jump in shopping transactions starting on Black Friday (November 26th), with e-commerce traffic jumping roughly 50% from the week prior:
In the United States, with many businesses treating Black Friday as a holiday, the big shopping spike occurred on Cyber Monday (November 29th), with traffic increasing by roughly the same amount:
Other than Amazon, Kohl’s received the biggest traffic influx in the US, with a significant jump from 3 million to 6 million transactions on Cyber Monday (100%). Transactions to Macy’s also saw a significant jump from 1.4 million to 2.8 million transactions on Cyber Monday (100%).
Newly Registered Domain Activity
ThreatLabz observed a lot of new domains being registered related to Thanksgiving, Cyber Monday, and Black Friday. Of course, not all of these domains are necessarily malicious. Still, newly registered domains are always suspicious, and one should be careful while accessing them, primarily when domains are related to discounts and deals.
Grelos is a skimmer group that has been active for the past 4-5 years, over which time they’ve continued enhancing their attack techniques and infrastructure. This skimmer group was seen targeting e-commerce websites with Cyber Monday deals over the holiday weekend.
Below is an example of a Grelos attack, where a genuine website was injected with a malicious skimmer code. When unsuspecting users enter their financial details, attackers capture that information.
Exfiltration domain: checkoutmodules[.]biz
This domain has been previously associated with malicious skimmer activities.
In the following example, we observed a site promoting Black Friday sales and offerings that had been injected with obfuscated skimmer code.
In this case, the skimmer stores all of the victim’s stolen payment details in a cookie and renames the extracted HTML field IDs to the attackers’ own naming scheme, which makes the data easier for them to store and parse.
The stolen data is hidden among ordinary-looking request parameters so that the exfiltration resembles benign traffic. Here the key ‘statistic_hash’ holds the encoded stolen payment data.
The biggest historical target of skimmer groups has been the Magento platform. But recently, ThreatLabz has started seeing other platforms like WooCommerce also being targeted. In the following example, a WooCommerce-based e-commerce website with offerings related to Cyber Monday is injected with malicious skimmer code.
The skimmer code has anti-debug capabilities and detects whether the browser’s developer tools are open. The victim’s stolen payment data is sent to the attacker in base64-encoded form.
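Both exfiltration patterns described above (card data encoded under a benign-looking key such as ‘statistic_hash’, and base64-encoded payment data in outbound requests) can be caught on the defender’s side with a simple check over proxy or browser-extension request logs. The following script is an added example, not ThreatLabz code: it parses each request’s query string, tries to base64-decode every parameter value, and flags any value (raw or decoded) that contains a Luhn-valid card number. The log lines, hostnames and the ‘statistic_hash’ payload are constructed for the example; 4111111111111111 is a well-known public test card number.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample of outbound request URLs as a proxy log might record them.
# The last entry mimics the pattern described above: stolen card data, base64-
# encoded, hidden among analytics-style parameters under 'statistic_hash'.
_STOLEN = b"cc=4111111111111111&exp=12/26&cvv=123&name=J+Doe"
SAMPLE_LOG = [
    "https://shop.example/cart?item=1234&qty=2",
    "https://cdn.example/analytics?session=abc123&page=%2Fcheckout",
    "https://checkoutmodules.example/stat?" + urlencode({
        "ver": "1.2", "statistic_hash": base64.b64encode(_STOLEN).decode(),
        "ref": "checkout"}),
]

PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")  # 13-19 digit runs

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def try_b64(value: str):
    """Decode base64/base64url text, tolerating missing padding; None if not decodable."""
    v = value.strip()
    if len(v) < 16 or not re.fullmatch(r"[A-Za-z0-9+/=_-]+", v):
        return None
    try:
        return base64.b64decode(v + "=" * (-len(v) % 4), altchars=b"-_").decode("utf-8")
    except ValueError:            # binascii.Error and UnicodeDecodeError
        return None

def mask(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_pans(text: str):
    return [m.group(1) for m in PAN_RE.finditer(text) if luhn_ok(m.group(1))]

def scan_request(url: str):
    """Return (param, masked_pan, was_base64) hits for one request URL."""
    hits = []
    for key, values in parse_qs(urlsplit(url).query).items():
        for value in values:
            hits += [(key, mask(p), False) for p in find_pans(value)]
            decoded = try_b64(value)
            if decoded:
                hits += [(key, mask(p), True) for p in find_pans(decoded)]
    return hits

def scan_log(lines):
    """Flag every request in a log whose parameters carry a card number."""
    return [(url, *hit) for url in lines for hit in scan_request(url)]
```

Run over `SAMPLE_LOG`, only the ‘statistic_hash’ request is flagged, with the card number masked in the finding; in practice a hit on a third-party host that the checkout page has no business talking to is the strongest signal.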
Below is an example where a website related to Black Friday deals was injected with malicious code, redirecting victims to other malicious/scam websites.
Redirected domain: sdk.expresswayautopr[.]com
The Zscaler ThreatLabz team actively tracks campaigns targeting online shoppers and provides coverage to ensure that our customers are protected from these kinds of attacks.
Users actively engaging in online shopping should follow these basic guidelines to protect their information and money:
Use only legitimate e-commerce websites and make sure you are utilizing HTTPS/secure connections
Don’t fall for exciting “too good to be true” offers from unknown sources, and be extremely wary of clicking on links or documents from these sources
Only download apps from official app stores, such as those run by Google or Apple
Back up your documents and media files. You can always go the extra mile by encrypting your files