To lure consumers to these sites, the attackers used bogus “80% off” sales tags along with the same trackers used by the legitimate websites. The goal was to make the victim feel that he or she was on a retailer’s real website. The bogus sites also collect phone numbers that could be used for vishing (voice phishing) or smishing (SMS phishing) attacks. In these attacks, the attackers pretend to be trusted companies such as e-commerce platforms or financial institutions, which could lead victims to reveal even more personal information such as 2FA codes.
(The threat campaign) “leverages the heightened online shopping activity in November, the peak season for Black Friday discounts. (The attackers steal) cardholder data, sensitive authentication data, and personally identifiable information (PII).” -EclecticIQ Research
The threat actor is known as SilkSpecter, and it could get access to victims’ accounts without authorization, initiate large, fraudulent transactions, and work around security barriers that have been put in place to protect users. What is really going on is that the information you are typing on what you believe to be a retailer’s legit website is actually being sent to an external server. The website that you are counting on to be real might be fake. Once you type in your personal data, the information becomes available to the attackers.
Buying a product from a fake website is a good way to give personal data to an attacker. | Image credit-EclecticIQ
The browsers being impacted include Chrome, Safari, Firefox, and Edge. There are some red flags that can warn you in advance. Phishing domains usually use .top, .shop, .store, and .vip. Attackers will sometimes register domain names similar to legit domains in order to try and trick you. This is a technique known as typosquatting. The targets are U.S. and European online shoppers but the fraudulent images for the fake websites are stored in China.
While there are 4,000 malicious domain names, some that were revealed by EclecticIQ include retail names that you are familiar with and probably trust. But these are bogus sites looking to rip you off:
- northfaceblackfriday[.]shop
- lidl-blackfriday-eu[.]shop
- bbw-blackfriday[.]shop
- llbeanblackfridays[.]shop
- dopeblackfriday[.]shop
- wayfareblackfriday[.]com
- makitablackfriday[.]shop
- blackfriday-shoe[.]top
- eu-blochdance[.]shop
- ikea-euonline[.]com
- gardena-eu[.]com
(Web traffic is being led to fake websites) “by infecting legitimate websites with a malicious payload… creating fake product listings and adding metadata that puts these fake listings near the top of search engine rankings for the items, making them an appealing offer for an unsuspecting consumer.” -Satori Threat Intelligence
Be on the lookout for sites that have Black Friday themes or have the word Discount all over the site. Also, keep in mind the list above of domains you need to watch out for. A similar report from Satori Threat Intelligence earlier this month found threat actors driving traffic to fake websites in order to steal personal information. Sound familiar?
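The red flags described above (the .top, .shop, .store and .vip TLDs, Black Friday or discount wording, and retailer names inside look-alike domains) can be combined into a simple triage check for proxy or DNS logs. This is an added example, not code from EclecticIQ or Satori; the brand list, the 0.8 similarity threshold and the reason labels are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

SUSPICIOUS_TLDS = {"top", "shop", "store", "vip"}  # TLDs named in the article
LURE_WORDS = ("blackfriday", "discount")           # themes named in the article
# Assumption: constructed list of brand names a defender wants to watch for.
BRANDS = ("northface", "lidl", "llbean", "makita", "ikea", "gardena", "wayfair")


def refang(domain):
    """Turn a defanged indicator such as name[.]shop back into name.shop."""
    return domain.strip().lower().replace("[.]", ".")


def triage(domain):
    """Return the reasons a domain matches the red flags (empty list if none)."""
    host = refang(domain)
    label, _, tld = host.rpartition(".")
    label = label.split(".")[-1]  # naive registrable label, no public-suffix list
    reasons = []
    if tld in SUSPICIOUS_TLDS:
        reasons.append("tld:" + tld)
    stripped = label
    for word in LURE_WORDS:
        if word in label:
            reasons.append("lure:" + word)
        stripped = stripped.replace(word, "")
    # What is left after removing lure words is compared with the brand names.
    tokens = [t for t in re.split(r"[-_]", stripped) if t]
    for brand in BRANDS:
        if label == brand:
            continue  # the bare brand name itself is not treated as a look-alike
        if brand in label:
            reasons.append("brand-embedded:" + brand)
        elif any(SequenceMatcher(None, t, brand).ratio() >= 0.8 for t in tokens):
            reasons.append("brand-lookalike:" + brand)  # typosquat-style near miss
    return reasons


if __name__ == "__main__":
    # Sample input: three of the defanged domains listed in the article.
    for d in ("northfaceblackfriday[.]shop", "wayfareblackfriday[.]com",
              "ikea-euonline[.]com"):
        print(d, triage(d))
```

A domain that returns several reasons at once is a stronger candidate for blocking or review than one that only matches on its TLD.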