How to Avoid 2020 Online Shopping Threats

The shopping season is upon us and as in previous years, cybercriminals are preparing multiple ways to target the online shopping community, including phishing attempts to steal financial details, malspam campaigns distributing malware and more. In fact, while examining the credit card trade in the Dark Web during 2019, we discovered that the highest number of stolen cards offered for sale on dedicated marketplaces was in November 2019 with over 32M cards, although we should take in consideration that there are duplications of data, since it is likely that cybercriminals will try to sell the stolen data in multiple marketplaces.

In this post we will provide you with some tips for ensuring a secure shopping spree and we will also take a look at recent attacks and how attack groups operate to target online shoppers and vendors.

Are you shopping online this season? Here are essential Do’s and Don’ts for you:

  • Be extra aware of phishing attacks, especially with emails requesting you to verify or update your account details, register to get a free item or a coupon, etc.
  • Verify the URL address of the platform you are about to buy from – make sure the URL address of the official website of the desired brand.
  • Check that the platform you are shopping on to purchase goods is secured – look for an HTTPS URL, a trusted certificate, etc.
  • Do not open attachments sent from unknown sources, especially ones requesting to enable macro or editing permissions in order to open them.
  • Avoid clicking on ads of any kind, especially during the shopping season.
  • Do not download apps from unofficial App stores, especially shopping-themed apps.
  • Check apps permissions and update your mobile operating system on a regular basis.
  • Use 2FA or OTP protocols if provided by the service vendor.

What you see isn’t always what you get: Scam Websites and Fake Domains

Fake domains of popular brands can be used in spam or phishing campaigns that are carried out via mail, SMS, social media platforms and more. In last year’s shopping season, 124,000 suspicious domains were detected, abusing names of 26 brands. The most targeted brands were Apple, Amazon and Target.

This year, we researched how many domains with the word “Amazon” were registered during the first week of November 2020. We detected over 600 of recently registered domains with no official connection to Amazon in their registration details. Although it seems that many of them are not yet “operational”, as they do not lead to an active website, some of them sure look suspicious, for example: verification-amazonservices.com (detected as a phishing website via several AVs), account-verificationamazon.com, amazon-login-verify.com (detected as suspicious by one AV) and even amazon-black-friday.com (first created in 2010 and is being re-registered each year since then).

Scam websites usually use a similar web design and interface to the legitimate online shopping platforms, and therefore it is recommended to check the website’s domain or URL address before purchasing goods using your credit card.

A fake website of Taobao, a Chinese online shopping platform (the upper one) and the legitimate website (bottom)

Keep your systems updated to avoid E-skimming attacks (AKA: Magecart attacks)

E-skimming is one of the most popular ways these days to carry out credit card fraud. Cybercriminals usually exploit a vulnerability in the e-commerce or online payment platform (usually in third parties’ components), in order to inject a malicious code that will capture the user’s credit card data and send it the its operators. Once they hold the data, cybercriminals will probably sell it in the Dark Web or use it to make additional purchases.

Magecart is the name given for this type of attack and to cybercriminals that usually target platforms running outdated versions of Magento (while exploiting flaws, such as CVE-2017-7391 and CVE-2016-4010 in Magento) and use a malicious JavaScript code embedded into the compromised platform. In fact, Magecart attacks are so common that in September 2020, it was reported that approximately 2,000 e-commerce platforms were targeted in one weekend.

Additional ways to carry out e-skimming attacks are by accessing the e-commerce network, using administrative credentials. These can be obtained via phishing, brute-force attacks, or a cross-site scripting attack that redirects users to a malicious website with a JavaScript code. Access to networks of online shopping platforms are also traded on Dark Web forums, allowing threat actors to gain access to databases containing users’ details.

Cybercriminal offers access to a shopping platform on the Dark Web. This can be also used for e-skimming attacks. Source: Verint LUMINAR

Of note, nation-state groups were also spotted using this attack vector in the wild. In July 2020, researchers found that the North Korean group Lazarus was behind a serial of Magecart-style attacks against multiple e-commerce stores around the world.

Therefore, it is vital for organizations that operate online payment platforms to keep them updated and secured. We really can’t stress this enough. It is also recommended to use tools that will help detect such malicious injections and monitor suspicious activities in order to block them on time.

The spamming season: Spam campaigns are used for malware distribution

In the shopping season of 2018, a massive spam campaign distributing Emotet, targeted online shoppers worldwide, especially in North and Latin America and the UK. Emotet is an infamous malware, active since 2014, that was first detected as a banking Trojan, but these days it is often used as a downloader or a dropper for additional Trojans or even ransomware. It is usually distributed via worldwide spam campaigns and malicious attachments that request users to unable Macros. During last year’s shopping season, approximately 130 million malware attacks and ~640,000 ransomware attacks were detected in the US. Based on what we’ve seen in the past few years, it is expected that malware operators will try to lure victims via shopping-themed emails and malicious attachments.

The world goes mobile: The rise in malicious mobile apps

Each year, malicious shopping-themed apps target unaware users during the shopping season, which is why it is recommended to download mobile apps from official platforms and to check the reviews. However, in January 2020, a new Trojan dubbed “Shopper” was spotted leaving fake applications reviews on Google Play, on behalf of the infected device’s owner, leaving users with no trust in apps rating. The Trojan was also detected turning off the Google Play Protect feature, in order to download additional apps without safety checks, using the victim’s Google or Facebook account to register to popular shopping and entertainment apps, spreading advertisements, etc. Infections were spotted worldwide, including in Russia, Brazil and India.

Additional malicious shopping season-themed Android apps were spotted in 2019 luring users with coupons, discounts and other shopping hacks. Some of them were detected sending sensitive information from the infected devices to their operators or containing adware used to spread malicious advertisements.

To conclude, the shopping season is open for all, including cybercriminals who are trying to maximize their gain. Awareness is the key when it comes to what shoppers can do to keep safe, whereas vendors need to take additional measures during these times to avoid financial loss, reputational damage and customer abandonment.

Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)

While monitoring closed platforms that propagate an Islamic State agenda, we detected an initial interest in hacking lessons, focusing on spam and phishing methods. Many discussions in the technical sections of closed platforms affiliated with the Islamic State deal with the implementation of Continue reading “Jihadi Cybercrime (Increasing Interest in Spam and Phishing Methods on Closed Islamic State Platforms)”

HACKoDROID: An Increasing Tendency Toward Smartphone-Based Attacks

New Smartphone technologies have made our lives easier. At the touch of a button, you can call a cab, pay bills, connect with your friends and even reach your personal trainer. On the other hand, the world of hacking and cracking now also has a lot of useful tools to hack your system and steal your data, using a smartphone.

We have recently seen the development and publishing of hack applications for smartphones on underground forums. The wide range of such tools means that anybody can find a suitable tool for dubious purposes. The items available include a variety of DDoS tools, wireless crackers, sniffers, network spoofers and more.

HackForum Post
HackForum Post

Most tools are only available for Android smartphones, and many require root permissions. The most popular tool for cookie theft is DroidSheep. With the help of this tool, an attacker can collect all browsing data, including logins, passwords and more, merely by using the same Wi-Fi network as the victim.

Moreover, the attacker can connect to the victim’s password-protected Wi-Fi network. There are several Wi-Fi cracking tools, for example, WIBR+ uses uploaded password databases to identify passwords common to the victim’s network. The users can also upload and update these databases. Another tool – Wi-Fi Kill – is capable of shutting down any other device connected to the same network and can intercept pictures and webpages recently visited by users of this network.

More and more tools now include more than one hacking capability. The DSploit tool features such functions as password sniffers, cookie sniffers, browsing history sniffers, and webpage redirecting. Another program, Bugtroid, contains cracking and protection applications. The owner can choose the most suitable program from a list and install it in one click. The tool offers a variety of tools to suit almost every cracking purpose.

Sniffers and DDoS Tools
Sniffers and DDoS Tools

For iOS systems, there is a limited number of hacking tools, mostly in the realm of game cracking. Examples of such tools are GameGem and iGameGuardian. These tools break games for the purpose of stealing monetary units. The most common tool for iOS is Metasploit, which contains a number of useful applications for different fields.

The tools presented above are not new, but they represent the main capabilities in the field. We are seeing a growing tendency to use portable devices, such as smartphones and tablets, to conduct attacks in public places. Mobile devices and public Wi-Fi networks tend to be less protected and more vulnerable. With the help of collected data by mobile device, the attackers can perform more complex attacks via PC. As long as there is no protection awareness regarding mobile devices, we expected a continued increase in the number of smartphone-based attacks.

List of Hacking Tools
List of Hacking Tools

Phishers Hide their Hooks in Short URLs

We have recently encountered a more elaborate phishing scheme, one which includes cleverly hidden links.

Some days ago we received an email titled “American Express has an important update for you”. Funny, I don’t recall having an AMEX account… and the email from which the message was sent from was all to suspicious and not connected to AMEX: [communication.4abr7w64haprabracrafray552dreste[at]azurewebsites.net].

Phishing_Email

 

 

Still, I kept reading the message which was all about the new anti-SPAM law:

Effective July 20, 2014, United State’s new anti-spam law comes into effect and American Express wants to ensure that your representative will be able to continue sending you emails and other electronic messages without any interruptions. In addition to messages from your representative, we may also send you other electronic messages, including but not limited to newsletters and surveys as well as information, offers, and promotions regarding our products and services or those of others that we believe you might be interested in (“Electronic Messages”).

The next paragraph contained a request to click an “I Agree” link to express consent to receiving Electronic Messages from AMEX.

The hyperlink points to bit.ly address. Here’s the catch.

We all know that by hovering above a suspicious link we can usually see where it points to, and this is usually different than the link itself (the link could say “americanexpress.com” but hovering above it will show the real address “russianspammers.ru”).

So in this case we cannot simply identify the destination of the link. What can we do?

Simple. Just paste the link address in getlinkinfo.com (or similar service), and voila, you can see the original link (and in this case, with a warning attached).

GelLinkInfo

 

 

 

 

 

So other than the cynical use of anti-SPAM email to actually promote SPAM, the sender cleverly hides the real address inside a URL shortening service, making it more difficult to detect for the unsuspecting eye.

Will Your Toaster Attack You?

Lately, we have been hearing an awful lot about the Internet of Things (IoT).

What this buzzword describes is a world where every device is connected to the Web and communicates with other devices, and us humans, usually via Smartphone interface.

And, to a certain extent, this is an everyday reality, even today – smart TVs, printers, thermostats, and other home appliances are connected to the Web via wireless communication and receive orders from their owners who are often miles away. And, sure enough, this trend has not been overlooked by hackers.

Since each such device now has a unique IP address, Internet connectivity and the ability to send and receive packets of information, hackers can (in theory) connect them, infect them with malware and use them to send traffic – basically anything that can be performed with a regular PC. An evidence that such schemes are being planned and implemented is growing rapidly.

Security research firm Proofpoint recently announced  that they discovered that hackers broke into more than 100,000 gadgets – including TVs, multimedia centers, routers, and at least one fridge – and used the appliances to send out more than 750,000 malicious emails between December 23, 2013 and January 6, 2014 (I guess asking for a Smart TV for Christmas wasn’t such a good idea after all…).

So, while the (now-growing) popular belief is that such appliances can be hacked, tinkered with and turned into malicious machines attacking their human masters is not true, it is very likely that they will be used for all kinds of cyber crime, from sending SPAM, spreading malicious files or participating in DDoS attacks (these are, after all, robots).

Will these appliances attack you?
Will these appliances attack you anytime soon?

Even more interesting are the discussions on various communication platforms regarding the possibilities presented by this trend. References to the above incident were found in Arab media and also on the Facebook page of the famous “Alkrsan” hacker forum. The latter may indicate a rising interest among Arab hackers for this method of cyber-attack.

Reference to IoT hacking at the famous hackers' forum "Alkrsan"
Reference to IoT hacking on the famous hacker forum “Alkrsan”

As for the Russian-speaking Internet, the HabrHabr computer blog published a post entitled “a botnet consisting of ‘smart’ TVs, media centers, PCs and … refrigerators was discovered”.

Generally, news sites refer to this affair as an evolving new threat in the cyber world and lively discussions are being held on closed forums regarding the trend.

Russian computers blog HabrHabr  discusses  IoT hacking
Russian computer blog HabrHabr discusses IoT hacking

So, will your toaster turn against you anytime soon? Not likely. But we have every reason to believe that any device that can be hacked is a legitimate target for hackers and will be breached sooner or later, changing the “Internet of Things” into the “Internet of Vulnerabilities”.