With Black Friday and Cyber Monday, the biggest shopping days of the year, just behind us, Zscaler has noticed that attackers have taken advantage of this holiday activity for their targeted cybercrimes. This year has been unprecedented, especially with everyone staying home because of Covid-19 and doing more online shopping than ever before.
The Zscaler cloud processes around 130 billion customer transactions daily on average, which gives us insight into activity trends across the internet. Since the beginning of this month, we have noticed an increase in online shopping activity leading up to the holidays. As expected, we noticed an especially significant uptick in this activity on Cyber Monday (11/30).
Figure 1: Shopping transactions on Zscaler cloud seen increasing from 750 million to 1.13 billion from the first week of this month.
Cyber Monday and Black Friday have always been a target for cyber criminals in many different ways, including phishing, scams, and compromising e-commerce websites to inject malicious card skimmers that steal payment card information. Card skimmer groups remain active throughout the year, and a spike in such attacks during the holidays is the norm. ThreatLabz researchers have monitored this sudden spike in cyber attacks during the weeks leading up to Cyber Monday in previous years as well. In this section, we will discuss some of the card skimmer attacks that our team has seen in the wild.
1. While monitoring attacks related to Cyber Monday and Black Friday, the ThreatLabz team came across an online footwear store that was offering Cyber Monday discounts and was infected with a card skimmer.
Figure 2: e-commerce store offering Cyber Monday sale.
Figure 3: Injected obfuscated skimmer script.
Data exfiltration URL: 103.139.113[.]34/check_error.php?discounts=
The following are other similar footwear e-commerce websites that use the same theme and are infected with the skimmer discussed above.
2. Skimmer groups usually use newly registered domains that are lexically close to a web service or web analytics service, so that they remain undetected for a long time and can infect multiple e-commerce websites. ThreatLabz researchers have recently seen such newly registered domains used by skimmer groups to infect e-commerce stores offering Cyber Monday and Black Friday sales, and one such case is discussed below.
Figure 4: e-commerce website offering Black Friday sale.
The skimmer script injected into the e-commerce website is hosted on a newly registered domain and is highlighted below.
Figure 5: Obfuscated malicious script injected to the e-commerce store.
Skimmer Domain: googleplus[.]name
Creation Date: 2020-11-03
The skimmer script contains a base-64 encoded fake payment form, which is injected as an iframe at checkout, and the payment card details are sent to the attacker-controlled server.
Data exfiltration URL : hxxps://googleplus[.]name/google.php
Figure 6: Base-64 encoded fake payment form.
Figure 7: Skimmer script injected to the legitimate e-commerce website.
Legitimate Domain : giantmicrobes[.]com
Skimmer Domain : giantnicrobes[.]com
Creation date: 2020-10-28
Registrar : NAMECHEAP INC NameCheap, Inc.
Figure 8: Deobfuscated malicious skimmer script
We analyzed more variants of this skimmer script and detected more such targeted attacks. The Cheesecake shop (cheesecake.com[.]au), an online bakery store, was hit by a similar targeted skimmer last month but was cleaned up later on.
Legitimate Domain : cheesecake[.]com[.]au
Skimmer Domain: cneesecaka[.]com
Creation date: 2020-10-20
Registrar : 1API GmbH
The malicious domain cneesecaka[.]com was later used to target multiple other e-commerce websites related to automobile parts, electronics and others.
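The lookalike-domain pattern in the two cases above can be checked for on a storefront's own pages. The following is an added example, not code from ThreatLabz: it flags external script hosts whose name is within a small edit distance of the site's own domain. The function names, the distance threshold, and the script paths in the sample markup are assumptions made for the example; only the hostnames come from the write-up.

```python
import re
from urllib.parse import urlparse

# Regex extraction is a simplification; a real scanner would use an HTML parser.
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']([^"\']+)["\']', re.I)

def refang(text):
    """Turn defanged indicators (example[.]com) back into parseable hostnames."""
    return text.replace("[.]", ".")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalike_scripts(html, own_domain, max_dist=2):
    """Return [(host, distance)] for external script hosts that nearly match own_domain."""
    own = refang(own_domain).lower()
    brand = own.split(".")[0]  # assumption: own_domain is the registrable domain
    hits = []
    for src in SCRIPT_SRC.findall(refang(html)):
        host = urlparse(src).hostname
        if host is None or host == own or host.endswith("." + own):
            continue  # relative URL or first-party host
        # Compare every label so that sub.lookalike.tld is caught too.
        dist = min(edit_distance(label, brand) for label in host.split("."))
        if dist <= max_dist:
            hits.append((host, dist))
    return hits

# Constructed sample markup: hostnames are from the write-up, paths are placeholders.
SAMPLES = {
    "giantmicrobes[.]com": (
        '<script src="/static/app.js"></script>'
        '<script src="https://cdn.giantmicrobes[.]com/lib.js"></script>'
        '<script src="https://giantnicrobes[.]com/placeholder.js"></script>'),
    "cheesecake[.]com[.]au": (
        '<script src="https://www.google-analytics.com/analytics.js"></script>'
        '<script src="//cneesecaka[.]com/placeholder.js"></script>'),
}

if __name__ == "__main__":
    for site, html in SAMPLES.items():
        print(site, find_lookalike_scripts(html, site))
```

A hit is a lead to review, not a verdict: pair it with the domain's creation date, since both skimmer domains above were registered only weeks before they were seen in use.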
4. Data exfiltration is also sometimes done via newly registered domains. Attackers have also been seen using the API services of popular platforms such as Google Analytics and Telegram for data exfiltration. In a few variants of the skimmer discussed above, we observed that the data stolen from one compromised Magento site is sent to another compromised Magento site.
Figure 9: Malicious skimmer script injected on the Magento platform
The following is the deobfuscated script, with the gate URL of another e-commerce website.
Figure 10: Deobfuscated malicious skimmer script.
Figure 11: Data exfiltration to another compromised Magento website.
As we have seen in previous years, attackers use Black Friday themed domains to phish user credentials. One such domain we came across is “blackfriday2020[.]pro”, which hosts a login page. The same login page was previously seen on multiple sites, according to urlscan.
Figure 12: Multiple sites hosting the same login page
Black Friday offers are also huge all over the world. Jumia[.]com[.]ng is an online marketplace based out of Nigeria. The image below shows a phishing site (jumia-blackfridayoffers[.]com) claiming to offer Black Friday deals. Notice the absence of a valid certificate. The legitimate vendor domain is registered to "Ecart Internet Services Nigeria Limited".
Figure 13: Phishing page mimicking Jumia marketplace.
Targeting Sports Fans
Fans of various sports and their teams should be cautious when purchasing their favorite team or player jersey online. We have noticed multiple domains recently registered specifically to scam sports fans of MLB, NCAA, NHL, NBA, NFL, and more. A snapshot of some of these domains can be seen below.
Figure 14: Newly registered domains related to sports jerseys
The Zscaler ThreatLabZ team actively tracks campaigns targeting online shoppers and provides coverage to ensure that our customers are protected from these kinds of attacks.
Even though Black Friday and Cyber Monday are behind us, most of the holiday sales continue until the end of this week (Cyber Week). Users actively engaging in online shopping should be cautious and follow basic safety guidelines to protect their information and money while purchasing anything online: