Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Black Friday Deals On Malware & Scams

November 27, 2015 - 5 min read
The holiday season means different things to a lot of people. For some, it’s a time for family and extravagant meals. For others, it’s a time for charity and giving more than your best to your partner. Yet for others still...it’s time to shop. Black Friday is once again upon us. That magical time of the year when we take to the high street or internet, hoping to find a good deal on that new device you’ve been window shopping for the last month. Users beware! There is more harm than good that can be done from clicking on what appears to be a good deal. During this time of the year, the internet runs amok with an increase of phishing and scam websites looking to exploit your consumer instincts.

The Zscaler ThreatLabZ team has been monitoring a subset of opt-in data to discover a correlation between shopping activity and scams. As an effect of increased shopping behavior, we've observed a steady number of scams clicked on by users. Scammers take notice of trending topics as well and us consumer’s impaired judgement to cast a wide net of phishing, fraud, and scam attacks meant to capitalize on the shopping season. Whether you are using a mobile device or your home PC, the uptick in shopping trends remains relevant.

As shown in the graphs, the trend in phishing activity tends to rise with the amount of online shopping traffic, which comes with the added risk of scammers taking advantage of a consumers better judgement.

Vawtrak Botnet Scam

Our first case study illustrates the danger of these fraudulent deals. The botnet, Vawtrak (also known as NeverQuest and Snifula), is a powerful information stealing backdoor Trojan that has been gaining momentum over past few months. It primarily targets user's bank account via online banking websites. We’ve come across numerous reports, where users begin the infection cycle through spam e-mails promising a sales deal. This case appears to be no different, as we see the Pony Trojan Downloader being leveraged to download the Vawtrak payload.
  • salesdeal.magentochile[.]cl/f1.exe
VirusTotal has this threat marked as a fairly well known sample with a score of 32/55 at the time of research. Vawtrak is a treacherous botnet that is known to target the user’s saved banking credentials or even keylog for other passwords. Vawtrak achieves this by manipulating key Windows processes and lowering security settings to ensure that its Command and Control traffic can be reached.

Savvy users that suspect themselves to be afflicted with this threat should look for similar suspicious files:
  • C:\Users\[COMPUTERNAME]\AppData\Local\Temp\~DFECDDE19F2005BD31.TMP
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Kapag
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\KuhaKqigd.dll
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\KuhaKqigd.exe
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Qucuz
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Sofolq
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\Uoqet
  • C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\YidaLboz
The folder name in the ‘Local’ Directory will be named randomly. The fastest option to make sure you are targeting the right directory is to have a quick look at what programs are AutoStarting in the registry. In this instance, the following location was observed:
  • HKU\[USER-ID]\Software\Microsoft\Windows\CurrentVersion\Run\WopuVdax: "regsvr32.exe "C:\Users\[COMPUTERNAME]\AppData\Local\SuyaDruj\KuhaKqigd.dll""
Once the infection is successful, the Internet Settings are lowered to accommodate suspicious beaconing activity. The following was observed in our execution of the malicious sample:
  • HKU\S-1-5-21-4274511564-889519498-3811658521-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500: 0x00000000
  • HKU\S-1-5-21-4274511564-889519498-3811658521-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500: 0x00000003
 Upon successful manipulation of the Internet Settings, command and control attempts are made.
The threat responds with a list of locations to fetch configuration files as well as other malicious payloads. In the instance we observed, we received the keylogging Botnet, NetWired.

NetWired leaves two files actively running which beacon to suspicious destinations. These processes collect and exfiltrate stolen data to the threat actors.
The NetWired botnet communicates with the following server IPs from our research:
  • 109[.]163[.]226[.]153
  • 213[.]152[.]162[.]99
  • 31[.]184[.]194[.]138
  • 46[.]161[.]1[.]172
  • 46[.]165[.]208[.]108
  • 46[.]20[.]33[.]82
  • 62[.]102[.]148[.]181
  • 95[.]211[.]229[.]148

Free iPhone6 scams

Lots of scam sites are offering a free iPhone 6 to lure victims into click fraud attacks. Scam sites also ask for personal information like phone number, address, or e-mail address. Victims end up losing their personal information that can be further leveraged into future scams. The below screenshot shows scammers doing their best to make a site look like an official Apple site.
Some scams also ask for shipping fees to collect additional funds as well as sensitive information.
Scammers leverage brand names to provide an air of legitimacy to their scam websites. Some examples we have seen:
  • http[:]//apple[.]com[-]freegiveaway[.]com
  • http[:]//applestore[.]officialfreegiveway[.]com/
  • http[:]//facebook[.]officialfreegiveway[.]com/
  • http[:]//8sd5ug[.]getafreeiphone6splustoday[.]com/
  • http[:]//giveaways[.]xyz/iphone[-]giveaway/
  • http[:]//iphone6[.]howtogetafree[.]eu/
We recently covered a fake app offering early access to Amazon.com Black Friday and Cyber Monday offers and deals. With the rise in mobile device usage for browsing and shopping activities, we expect to see more and more instances of such fake applications with exciting offers targeting mobile users.

How can online shoppers protect themselves?

Thanksgiving marks the start of the holiday shopping season which continues through Christmas. The Zscaler ThreatLabZ team is working around the clock to ensure that our customers do not fall prey to such malicious activity.

We highly recommend that all online shoppers exercise extreme caution and follow our holiday season shopping security checklist:
  • Inspect the source of emails with enticing shopping deals. Be wary of any suspicious attachments
  • Steer clear of unofficial mobile application stores
  • Ensure HTTPS/secure connections to online retailers and banking sites
  • Check the authenticity of the URL or website address before clicking on a link
  • Stay away from e-mailed invoices - this is often a social engineering technique used by cyber criminals
  • Do not use insecure public WiFi for shopping
  • Use two-factor authentication whenever possible especially on sensitive accounts such as those used for banking
  • Always ensure that your operating system and web browser have the latest security patches installed
  • Use browser add-ons like Adblock Plus to block popups and potential malvertisements
  • Backup your documents and media files
  • Review the Identity Theft Guide and FAQ from the Federal Trade Commission.
Wishing you all a very Happy Thanksgiving!
form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.