BLACK FRIDAY & CYBER MONDAY SCAMS – APPROACH WITH CAUTION

By Steve Mulhearn, Director of Enhanced Technologies UKI & DACH at Fortinet

 

With 30% of all retail sales occurring between Black Friday and Christmas Day, it’s safe to say the festive shopping period is upon us. Indeed, since Black Friday and Cyber Monday were first launched in 2005, the retail holiday weekend has become a regular fixture on the annual shopping calendar with brands recouping lost sales, thus generating a significant portion of their annual revenue. According to Adobe Analytics, consumer spending over this period last year achieved 22% year-over-year growth, and 2021 is expected to be even higher.

 

No such thing as a free lunch

But whenever there are bargains to be had, cybercriminals prey on our desire to get a great deal. For example, let’s look at how cybercriminals are using fake Amazon gift card generators to steal cryptocurrency from consumers. Fortinet Labs discovered criminals using fake documents to lure shoppers into giving out their personal information, such as credentials for online shopping sites, credit card numbers, and home addresses. A malicious application named Amazon Gift Tool.exe was found in a zip file hosted on a publicly available repository site. Although it is not known specifically how this tool was viewed by potential shoppers, the scammers most likely promoted it as a free Amazon gift card generator.

Clearly, a tool that provides free gift cards does not exist. However, faced with the right con – putting shoppers into what psychologists call a ‘hot state’ – we’re all vulnerable. We don’t think as clearly when we are eager to spend during the Black Friday and Cyber Monday frenzy. We lose the ability to do due diligence, and the hope of getting something for free can be a compelling lure.

So when a distracted shopper ran the fake Amazon gift card generator, it deployed a malicious winlogin.exe that monitored the shopper’s clipboard. The purpose of the malware was simple. If the shopper tried topping up their cryptocurrency wallet by copying and pasting the wallet address, the malware overwrote the wallet address on the clipboard with its own, resulting in the money potentially going to the fraudster.
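A defender-side check for the clipboard swap described above, as an added example that is not from Fortinet's analysis: it scans a timeline of clipboard changes for a wallet-shaped value that is replaced by a different one without a user copy. The event format, the `source` field and the address patterns are assumptions, since the page does not say which currencies were targeted.

```python
import re

# Assumed address shapes; the page does not name the targeted currencies.
WALLET_PATTERNS = {
    "btc-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{39,59}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}

def wallet_kind(text):
    """Return the address family a clipboard string looks like, or None."""
    value = text.strip()
    for kind, pattern in WALLET_PATTERNS.items():
        if pattern.match(value):
            return kind
    return None

def find_swaps(events, max_gap=2.0):
    """Flag a wallet-like value replaced by a different one of the same kind
    within max_gap seconds when the change was not a user copy.

    events: (timestamp_seconds, source, text) tuples in time order. `source`
    is a hypothetical field from the monitoring agent: "user" for a copy the
    user made, "unknown" for any other clipboard write.
    """
    alerts = []
    for prev, cur in zip(events, events[1:]):
        old, new = prev[2].strip(), cur[2].strip()
        kind = wallet_kind(old)
        if (kind and kind == wallet_kind(new) and old != new
                and cur[1] != "user" and cur[0] - prev[0] <= max_gap):
            alerts.append({"at": cur[0], "kind": kind, "copied": old, "now": new})
    return alerts

# Constructed timeline; the addresses are made-up strings of the right shape.
SAMPLE = [
    (0.0, "user", "order 4411 confirmation"),
    (5.0, "user", "0x" + "a1" * 20),
    (5.3, "unknown", "0x" + "ff" * 20),  # silent replacement: flagged
    (9.0, "user", "0x" + "b2" * 20),     # user copies a new address: benign
]

if __name__ == "__main__":
    for alert in find_swaps(SAMPLE):
        print(alert)
```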

Further investigation also found that the malicious winlogin.exe was distributed by a number of ‘Trojan droppers’ – applications that are seen as valuable to the shopper – with compelling names to dupe shoppers, such as Crunchyroll Breaker.exe, Netflix Tools.exe and Multi Gift Tools.exe. These tactics have been scamming people for years, but given Amazon’s market pull, this iteration of the scam is particularly inviting.

Another scam FortiGuard Labs has observed more and more involves fake online sites that mimic trusted retail brands. To the untrained eye, these sites look safe, but if the shopper isn’t paying attention they can steal the shopper’s funds and, worse still, payment information.

Fortinet recently came across live scams that leveraged the look and feel of global brands and their respective trademarks to compel and lure shoppers into making purchases from their site. These sites mimicked big brands Blink (Amazon), Nespresso and Shimano (to name a few), and were in no way affiliated with the trademark/IP owner. They were familiar only because they adopted the same template over and over in an online game of whack-a-mole – meaning that as soon as one site gets shut down another one immediately pops up somewhere else.

 

Common Framework

The fake websites observed have the following common traits:

  • Recently registered domain names
  • All sites are registered with the same registrar
  • The URLs or internet addresses look a little suspicious, often ending in unusual domain names, such as .TOP and .SHOP (.com is also common)
  • They use stolen imagery
  • They have many linguistic mistakes
  • Social media buttons lead to dead ends
  • Their webhosting providers use content delivery networks (CDN) to hide their identity (via an untraceable IP address)

Milwauketools.shop (Recently registered on 10/21/21)

Milwaukee Tools is a well-known and internationally established tool company that, like most big brands, sells products via authorised retailers online or in shops. Fortinet Labs recently discovered a registered online site, milwauketools[.]shop, that seemed authentic but on closer inspection the warning signals were obvious – a misspelled domain name coupled with very low prices raised alarm bells.

Big discounts, unless they are for discontinued items, are usually a key indicator of a scam. This kit below is a perfect example – it normally sells for $659 yet it was being advertised for $99. This 85% discount coupled with high-pressure sales tactics claiming that stock is low or demand is high would likely be a successful prompt for an impulse shopper too excited to pay much attention to the deal.

 

Red Flags

Although the About Us and Our Culture sections of this website appeared to be written by someone with a good grasp of English (likely stolen from a legitimate site), the ‘milwauketools’ string revealed a small error, suggesting that this was not related to the official Milwaukee Tools organisation, even though the trademarked logo in the screenshot below had the correct spelling. This suggests that the fraudster was following a template during the creation of this site.

Figure 3. About us page for impersonating site

Figure 5. Official Milwaukeetool.com website. Note they do not sell any products directly.

Another red flag was the domain’s creation date – the 21st of October – which at the time of writing made it less than a month old.
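The traits listed under Common Framework and the red flags above can be combined into a simple triage check; this added example (not Fortinet's tooling) applies it to the values the article gives for milwauketools[.]shop. The observation date, the thresholds and the brand watchlist are assumptions.

```python
from datetime import date

# Assumed watchlist: brand label -> official domain (as named on this page).
BRANDS = {"milwaukeetool": "milwaukeetool.com"}
UNUSUAL_TLDS = {"top", "shop"}  # TLDs the article calls out

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(domain, created, seen, list_price=None, offer_price=None,
              max_age_days=30, max_distance=2, max_discount=0.7):
    """Return the article-style red flags that apply to a storefront."""
    domain = domain.lower().replace("[.]", ".")  # accept defanged input
    label, _, tld = domain.rpartition(".")
    flags = []
    for brand, official in BRANDS.items():
        # A near-miss spelling of a watched brand on a non-official domain.
        if domain != official and edit_distance(label, brand) <= max_distance:
            flags.append(f"lookalike of {official}")
    if tld in UNUSUAL_TLDS:
        flags.append(f"unusual TLD .{tld}")
    age = (seen - created).days
    if age < max_age_days:
        flags.append(f"domain only {age} days old")
    if list_price and offer_price is not None:
        discount = 1 - offer_price / list_price
        if discount >= max_discount:
            flags.append(f"{discount:.0%} discount")
    return flags

if __name__ == "__main__":
    # Domain, creation date and prices are from the article;
    # the observation date (2021-11-15) is an assumption.
    print(red_flags("milwauketools[.]shop", date(2021, 10, 21),
                    date(2021, 11, 15), list_price=659, offer_price=99))
```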

 

Who are the cybercriminals?

Because the domains’ registrar and the use of a CDN for these sites allow a high degree of anonymity, it’s difficult to identify who these scammers are and whether they are working alone or as part of a larger group.

 

Secure shopping tips

When shopping this holiday season, it’s important to perform due diligence and scrutinise websites for inconsistencies. Typos and grammatical mistakes can be strong indicators of fraud, and impulse purchases that appear too good to be true should be avoided. But ultimately, don’t panic. If you feel you have been the victim of a scam, please call your credit card company right away and inform them of a potential scam.

Remember, Black Friday and Cyber Monday scams depend on creating a sense of urgency, using these special shopping days to spur immediate action and grab deals before they are gone. Think before you click.

 
