It’s that time of year again! The most glorious of shopping seasons has arrived, and users have commenced their annual tradition of flooding e-stores in search of the best deals that their money can buy. Threat actors, keen to take advantage of increased seasonal shopping activity, are deploying targeted phishing campaigns and site skimmers in the hopes of cashing in. The spectrum of attacks is reaching users in nearly all aspects of their online presence. Email, tweets, and websites are all vehicles of abuse. Zscaler has seen a steady rise in phishing attacks leading up to Black Friday and Cyber Monday, and we'll provide an overview of them here.
Fig. 1: Malicious activities from mid-October through mid-November. The turquoise bars represent targeted phishing attacks.
Examining one of the targeted phishing campaigns illustrates the need for caution when shopping online. The faked Amazon screen provides the perfect example, because Amazon is probably the most prolific online shopping site used during the holidays. Aside from the address bar, it's a relatively good knock-off.
Fig. 2: Faked Amazon sign-in form.
This attack doesn’t stop at compromising your Amazon credentials. After the sign-in form, the site also asks for your credit card information!
Fig. 3: Faked Amazon billing page.
A closer look at this attack shows that the attackers don’t even have the decency to encrypt your stolen credentials: the form submits them in cleartext over plain HTTP, where anyone on the path can read them.
Fig. 4: Wireshark exposes the packets moving between client and server over HTTP.
The best defense is to always be conscious of the address bar. A store like Amazon is never going to ask you for sensitive information away from the Amazon site.
More information about this type of attack is detailed in another blog. Despite several security vendors taking notice, users are still being impacted daily. An updated chart on MageCart hits since our September 28 blog shows that this advanced attack is not stopping anytime soon.
Fig. 5: MageCart activity between September 20 and November 15.
Fig. 6: An online shopping aggregator linking to Amazon, but redirecting users to mine the Monero cryptocurrency.
Fig. 7: Coinhive injection script will use the user's system resources to mine the cryptocurrency, Monero.
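The two page-level indicators discussed above, a sign-in or billing form that posts secrets over plain HTTP or to a host other than the brand's own (Fig. 4), and an injected Coinhive mining script (Fig. 7), can both be checked mechanically. The following scanner is an added example written for this post, not Zscaler's or ThreatLabZ's code. It assumes a short list of legitimate Amazon sign-in hosts, uses a constructed lookalike page under the reserved `.example` domain as input, and matches the miner on Coinhive's public loader filename and `CoinHive.Anonymous` API name.

```python
"""Audit an HTML page for two phishing-season indicators (added example):
 - a form that collects passwords or card data and submits them over plain
   HTTP or to a host that is not the brand's legitimate site, and
 - an injected in-browser Monero miner (Coinhive) script.
Uses only the standard library so it runs offline."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts the brand legitimately uses for sign-in (assumption for this demo).
LEGIT_HOSTS = {"amazon.com", "www.amazon.com"}
# Substrings of input names that indicate a credential or card field.
SENSITIVE_FIELDS = ("password", "card", "cvv", "ccnum")
# Coinhive loader URL / API names as publicly documented at the time.
MINER_MARKERS = ("coinhive.com", "coinhive.min.js", "CoinHive.Anonymous")


class PageAudit(HTMLParser):
    """Collect forms (with their input fields), external scripts and inline JS."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # [{"action": absolute URL, "fields": [(name, type)]}]
        self.scripts = []      # absolute URLs of external scripts
        self.inline_js = []    # text of inline <script> blocks
        self._in_form = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # Resolve relative actions against the page so we can inspect the host.
            self.forms.append({"action": urljoin(self.page_url, a.get("action") or ""),
                               "fields": []})
            self._in_form = True
        elif tag == "input" and self._in_form:
            self.forms[-1]["fields"].append(((a.get("name") or "").lower(),
                                             (a.get("type") or "").lower()))
        elif tag == "script":
            if a.get("src"):
                self.scripts.append(urljoin(self.page_url, a["src"]))
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_form = False
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_js.append(data)


def _collects_secrets(fields):
    return any(typ == "password" or any(k in name for k in SENSITIVE_FIELDS)
               for name, typ in fields)


def audit_page(page_url, html):
    """Return a list of (indicator, detail) tuples; an empty list means clean."""
    parser = PageAudit(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not _collects_secrets(form["fields"]):
            continue
        target = urlparse(form["action"])
        if target.scheme == "http":            # secrets would cross the wire in cleartext
            findings.append(("plaintext-submit", form["action"]))
        host = (target.hostname or "").lower()
        if host and host not in LEGIT_HOSTS:   # address bar / action host is not the brand
            findings.append(("off-brand-submit", host))
    for src in parser.scripts:
        if any(m in src for m in MINER_MARKERS):
            findings.append(("miner-script", src))
    for js in parser.inline_js:
        if any(m in js for m in MINER_MARKERS):
            findings.append(("miner-inline", js.strip()[:60]))
    return findings


# Constructed sample: a lookalike sign-in/billing page with a miner injected.
SAMPLE_PHISH = """<html><body>
<form action="http://amaz0n-login.example/ap/signin" method="post">
 <input name="email"><input name="password" type="password">
 <input name="cardNumber"><input name="cvv">
</form>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); m.start();</script>
</body></html>"""

# Constructed sample: a legitimate-looking sign-in form on the brand's own host.
SAMPLE_CLEAN = """<html><body>
<form action="/ap/signin" method="post">
 <input name="email"><input name="password" type="password">
</form></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_page("http://amaz0n-login.example/", SAMPLE_PHISH):
        print(f"{kind:18} {detail}")
```

The host check is deliberately strict: the lookalike `amaz0n-login.example` fails simply because it is not on the allowlist, which is the same test the post recommends doing by eye in the address bar. In practice the allowlist would come from your own brand inventory, and the miner markers from a maintained list of cryptomining domains rather than the three strings used here.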
The ThreatLabZ team at Zscaler works diligently to ensure that customers do not fall victim to the malicious activities described above. Users should be cautious and protect themselves by reviewing our security checklist, particularly during the shopping season:
Wishing you all a very happy, healthy, and safe Thanksgiving!
Zscaler™, Zscaler Internet Access™, Zscaler Private Access™, ZIA™ and ZPA™ are either (i) registered trademarks or service marks or (ii) trademarks or service marks of Zscaler, Inc. in the United States and/or other countries. Any other trademarks are the property of their respective owners.