Check Point Blog

Number of Malicious Shopping Websites Jumps 178% ahead of November e-Shopping Holidays, Breaking Records

Highlights:

 

Background

The holiday season is right around the corner, and the month of November presents a shopping extravaganza, especially for those of us who love online shopping. In Asia Pacific, Australia’s Click Frenzy just passed on November 9 and China’s Singles’ Day just passed on November 11, and coming up we have Black Friday and Cyber Monday in the United States.

The pandemic has resulted in a clear change in habits, and shopping is no different: most people have moved to online shopping, resulting in a boom in e-retail. Retailers are only too happy to leverage this trend and the opportunity offered by special shopping days. This year, online holiday shopping is expected to reach a record $910 billion in sales.

However, amidst the buzz and excitement, threat actors are also prepping themselves to leverage the events for their own malicious purposes.

 

Sharp increase in new shopping-related malicious websites

Since the beginning of October 2021, CPR researchers have witnessed the highest number of malicious websites related to shopping and sales offers. On average, over 5300 different websites per week were spotted, a 178% increase compared to the average in 2021 thus far.

Figure 1: Sharp increase in malicious shopping websites (Jan – November 2021)

The global impact of these websites has peaked since the beginning of November, with 1 out of 38 corporate networks being impacted on average per week, compared to 1 in 47 in October and 1 in 352 earlier in 2021.

 

Not exactly the handbag I was looking for

CPR discovered a number of similar emails sent from “Cheap HandBags” or “Michael Kors” (with unrelated email addresses), containing subject lines such as:

“Fashion MK Handbags 85% Off Shop Online Today”

“Up to 80% OFF Michael Kors HandBags on Sale, High Fashion, Low Prices”

“Shop All Michael Kors Handbags, Purses & Wallets Up To 70%”

 

Figures 2 and 3: Emails allegedly from Michael Kors

Each email contained a link to a similar website. The websites had similar names and were registered on similar dates (mainly October 19, 2021).

www[.]lmksb[.]com

www[.]lmkso[.]com

www[.]lmksz[.]com

 

Further investigation showed at least 7 additional similar domains, all of which were active under the IP range 104.21.xxx.xxx and are currently unavailable. Their main activity was seen for a few days from the second half of October, and some were active up to the second week of November.

lmksa[.]com

lmksc[.]com

lmksd[.]com

lmkse[.]com

lmkss[.]com

lmksv[.]com

lmksx[.]com

 

Below is an example of how the websites looked, with price tags far lower than would be expected. The offer is possibly for fraudulent merchandise, or a scam to take the payment and never deliver the bag.

Figure 4: Fraudulent impersonation of Michael Kors website

 

Be careful where you log into

Another possible threat is fake login pages for online shopping websites, which could lead to stolen user credentials. For example, CPR discovered an email sent from “Amazon. Urgent notice” (but from an email address with a Chinese domain) with a subject in Japanese saying “System Notification: Unfortunately, we were unable to renew your Аmazon account” (translated from Japanese). The link in the email led to a website masquerading as the Amazon.co.jp website in both name and look: https://www[.]amazon-co-jp[.]fo2j.top/

 

Figure 5: Impersonation of Amazon Japan
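The two patterns described above (a brand name placed in the labels of an unrelated registrable domain, and a family of sibling domains differing by one character) can be checked mechanically. The following is an added example, not code from Check Point; the allow-list, the suffix set and all function names are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: minimal allow-list of official registrable domains per brand.
OFFICIAL = {"amazon": {"amazon.co.jp", "amazon.com"}}
# Assumption: tiny multi-label suffix set; real tooling should use the Public Suffix List.
MULTI_SUFFIXES = {"co.jp", "co.uk", "com.au"}
# Defanged indicators quoted in the article, plus one constructed benign domain.
REPORTED = ["www[.]lmksb[.]com", "www[.]lmkso[.]com", "www[.]lmksz[.]com",
            "lmksa[.]com", "lmksc[.]com", "lmksd[.]com", "lmkse[.]com",
            "lmkss[.]com", "lmksv[.]com", "lmksx[.]com", "example[.]com"]

def refang(indicator):
    """Undo defanging so the indicator can be parsed (it is never fetched)."""
    return indicator.replace("[.]", ".")

def hostname(indicator):
    s = refang(indicator)
    return (urlsplit(s if "//" in s else "//" + s).hostname or "").rstrip(".")

def registrable_domain(host):
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_SUFFIXES else 2
    return ".".join(labels[-n:])

def impersonated_brand(indicator):
    """Return (brand, registrable domain) when a brand token sits in a foreign domain."""
    host = hostname(indicator)
    reg = registrable_domain(host)
    tokens = re.split(r"[.-]", host)
    for brand, official in OFFICIAL.items():
        if brand in tokens and reg not in official:
            return brand, reg
    return None

def sibling_clusters(indicators, min_size=3):
    """Group domains that are identical except for one character of the first label."""
    buckets = defaultdict(set)
    for host in map(hostname, indicators):
        host = host[4:] if host.startswith("www.") else host
        for i in range(len(host.split(".")[0])):
            buckets[host[:i] + "?" + host[i + 1:]].add(host)
    return {m: sorted(v) for m, v in buckets.items() if len(v) >= min_size}

if __name__ == "__main__":
    print(impersonated_brand("https://www[.]amazon-co-jp[.]fo2j.top/"))
    print(sibling_clusters(REPORTED))
```

The brand check works on the hostname only, so a mail gateway or proxy can apply it to links before any request is made; the cluster check is useful on newly registered domain feeds, where a burst of one-character siblings stands out.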

 

How to have a threat-free shopping experience

Here are our recommendations and tips to secure your online shopping experience this November:

The statistics and data used in this report present data detected by Check Point’s Threat Prevention technologies, stored and analyzed in ThreatCloud. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point Software.

 
