Security lessons from 2021 holiday shopping fraud schemes

The holiday shopping season sees vast numbers of people flock online to take advantage of mass sales, most notably during the Black Friday and Cyber Monday period of late November. Cybercriminals are known to significantly expand their efforts to exploit bargain-seeking shoppers during this time in the lead up to Christmas, and 2021 has been no exception.

Research from TransUnion discovered that almost 18% of all global e-commerce transactions between Thanksgiving and Cyber Monday were potentially fraudulent, a 4% increase on the same period last year. Here are four examples of how fraudsters targeted the 2021 holiday shopping season with scams and attacks, along with insight into how retailers can prevent and defend against such activity moving forward.

Phishing-as-a-service activity targets Black Friday shoppers

Email security firm Egress revealed increased phishing-as-a-service (PhaaS) activity imitating major brands in the lead up to and on Black Friday. It discovered a 397% increase in typosquatting domains tied to phishing kits, with a 334.1% increase in phishing kits impersonating Amazon.

Researchers observed almost 4,000 pages imitating the retail giant and detailed an example of a phishing email distributed on Black Friday offering fake Amazon promotions. This attempted to lure recipients into completing an attached form to receive a coupon. Further analysis revealed that the attachment contained XBAgent malware.

“PhaaS has lowered the barriers to entry for cybercriminals, making it easy to impersonate well-known brands and trick victims. The recent increase in the number of phishing kits listed for sale highlights the criminals’ appetite for carrying out attacks during busy shopping periods,” stated Egress VP of threat intelligence Jack Chapman in a press release.

How retailers should respond to phishing campaigns

 Speaking to CSO, Egress CEO Tony Pepper highlights the important role retailers must play in defending against phishing campaigns of this kind. “I’d like to see more retailers proactively informing their customers of what they should expect from them when it comes to email communication,” he says. “It can be as simple as providing guidance on their website and social media channels about what email domains they use, and how they’ll usually contact their customers, alongside the more general advice around how to spot and report a phishing email.”

Retailers also need to respond to the trend whereby cybercriminals exploit vulnerabilities in websites to hack in and build their own fraudulent pages for collecting credentials. “In a recent case involving UPS, hackers were able to build a page within the real UPS website, which was then used in phishing attacks,” says Pepper. “Because the link was technically legitimate, it was almost impossible for the recipient to know that they were being duped. Retailers have a responsibility to ensure that vulnerabilities are identified and patched so that their website can’t become a tool for cybercriminals.”

Bait-and-switch scheme lures shoppers to fraudulent sites

Another notable fraud tactic detected this holiday shopping season is a type of “bait-and-switch” scheme designed to trick victims into thinking they’re getting great deals via an online comparison site, only for them to be directed to a phony website that collects their information, says head of financial crime and fraud prevention at D4t4 Solutions Serpil Hall. “Once victims fill out forms and register their interest, someone from the fake website calls them, gets their card details, and soon after disappears with their money. The victim gets scammed, the card details are used elsewhere for other purchases, and the great deal made over the phone never materializes,” Hall tells CSO.

When fraudsters get their hands on card details, they often take them for a test drive with big merchants, making a small purchase to test out the info they’ve obtained, before moving on to make bigger purchases, Hall adds. “Soon after the confirmation, they call the merchant’s customer support and change the delivery address to a very convenient pick-up address. The victim eventually realizes that there is fraud on their card and makes a complaint to their bank, forcing the merchant to bare the losses.”

How retailers should respond to bait-and-switch scams

To prevent this type of fraud, retailers need to adopt strategies and technologies that catch fraudsters in real-time, Hall says. “Using advanced machine-learning algorithms, merchants should move to identifying fraudulent transactions using unique identifiers like IP geolocation, email addresses, and postal addresses. However, fraud prevention is not limited to these methods, and real-time mechanisms that auto decline high-risk orders, as well as send risk signals for new account fraud and account takeover cases are also required.”

Behavioral biometrics grant merchants this capability by constantly measuring the way in which consumers swipe on their devices, how they hold their devices, specific keystroke patterns, device movements, and more. Using this data, merchants can understand when digital patterns diverge from past behavior – potentially indicating a compromised account – and take immediate action to stop fraudulent activity dead in its tracks.

Checkout abuse and inventory hoarding skews market trends

Given the nature of the discount-heavy holiday shopping period, the market is increasingly saturated with many retailers – and fraudsters – wanting a slice of the cake, says Ping Identity’s head of fraud Alasdair Rambaud. As a result, checkout abuse (the e-commerce equivalent of ticket scalping) is highly likely to have taken place, he tells CSO. “Fraudsters use an automated script to buy a volume of high-end, limited-edition products in minutes or seconds, depleting legitimate merchants’ inventories. They then resell those items for much higher prices.”

Similarly, inventory hoarding – the process of using bots to put products in shopping carts, skewing inventory data and making products appear to be out of stock – has also been doing the rounds, Rambaud adds. “Bots can wipe out inventory of an item in as little as two seconds.” The fact is that e-commerce is here to stay, and now it’s time for retailers and brands to have a steadfast strategy when it comes to this type of fraud – failure to do so will lead to reputational damage, he says.

How retailers should respond to checkout abuse and inventory fraud

“Retailers need to understand the scope of account takeovers, new account fraud, and other fraud attacks.” This involves analyzing movements and behaviors – looking for non-human trends with regards to keystrokes, scrolling, mouse movement, and touchscreen interaction.

Magecart card skimming attacks target WooCommerce

Card skimming is a common fraud tactic that targets online purchases. It works by injecting malicious code into e-commerce sites that skims online payment forms. This style of attack first came to prominence against e-commerce platform Magento, with numerous criminal groups subsequently turning to card skimming tactics to steal payment card details.

One such group is Magecart, and research from RiskIQ has identified new attacks taking advantage of potential vulnerabilities and weaknesses in WooCommerce (an open-source WordPress plugin widely used by online retailers) during the latest holiday shopping period. In a blog post, the cyberthreat intelligence company detailed three new Magecart skimmers it has identified targeting retailers using the WooCommerce plugin. These are:

• The WooTheme Skimmer: Detected across five domains using a compromised WooCommerce theme, this skimmer is “relatively simplistic and makes its functionality reasonably easy to understand,” RiskIQ said. Operators obfuscated the skimming code in all discovered iterations, except one. However, this one instance appears to be in error, as RiskIQ detected the obfuscated skimmer on the same compromised domain before the clear text version appeared

• The Slect Skimmer: In this case, a spelling error of the word ‘select’ in the script revealed a never-before-seen skimmer which does two interesting things once the DOM content is fully loaded, RiskIQ explained. “It will look for a series of form fields that the skimmer does not want to pull data from, such as open text fields, passwords and checkboxes. Next, an event listener listens for a click on a button, likely to evade sandboxing by security researchers.” The exfil domain found within the skimmer has been previously associated with other Magecart infrastructure.

• The Gateway Skimmer: This skimmer was piled high with multiple layers and steps taken by the actor to hide and obfuscate processes, Risk IQ said. “The skimmer code is massive and difficult to digest while obfuscated and runs a few unique functions observed in other skimmers”

How retailers should respond to card skimming

While in the thick of the holiday season, an increase in e-commerce targeting puts retailers and online shoppers particularly at risk of card skimming, RiskIQ’s blog read. “WooCommerce users are often small and medium-sized businesses, sometimes considered the most vulnerable, as they lack resources for complex and highly-vetted third-party tools.” However, as evidenced over the years, both small and large retailers can be the targets of Magecart skimming. “Beyond having robust detections for malware, website operations should regularly inspect their crontab commands for strange contents, ensure that access permissions are correct, and audit file access to it,” RiskIQ added.