Highlights:
- Check Point Research (CPR) spots over 5300 different malicious websites per week, marking the highest since the beginning of 2021
- This is a 178% increase over the 2021 weekly average to date
- In November, 1 in 38 corporate networks is impacted per week on average, compared to 1 in 47 in October and 1 in 352 earlier in 2021
Background
Holiday season is right around the corner, and November is a shopping extravaganza, especially for those of us who love shopping online. In Asia Pacific, Australia's Click Frenzy passed on November 9 and China's Singles' Day on November 11, and still to come are Black Friday and Cyber Monday in the United States.
The pandemic has caused a clear change in habits, and shopping is no exception: most people have moved to online shopping, producing a boom in e-retail. Retailers are only too happy to leverage this trend and the opportunity offered by special shopping days. This year, online holiday shopping is expected to reach a record $910 billion in sales.
However, amidst the buzz and excitement, threat actors are also prepping themselves to leverage the events for their own malicious purposes.
Sharp increase in new shopping-related malicious websites
Since the beginning of October 2021, CPR researchers have seen the highest number of malicious websites related to shopping and sales offers so far this year. On average, over 5300 different websites per week were spotted, a 178% increase over the 2021 weekly average to date.
Figure 1: Sharp increase in malicious shopping websites (Jan – November 2021)
The global impact of these websites has peaked since the beginning of November, with 1 in 38 corporate networks impacted per week on average, compared to 1 in 47 in October and 1 in 352 earlier in 2021.
Not exactly the handbag I was looking for
CPR discovered a number of similar emails sent from "Cheap HandBags" or "Michael Kors" (from unrelated sender addresses), with subject lines such as:
“Fashion MK Handbags 85% Off Shop Online Today”
“Up to 80% OFF Michael Kors HandBags on Sale, High Fashion, Low Prices”
“Shop All Michael Kors Handbags, Purses & Wallets Up To 70%”
Figures 2 and 3: Emails allegedly from Michael Kors
Each email linked to a near-identical website; the domains have similar names and were registered on similar dates (mainly October 19, 2021):
www[.]lmksb[.]com
www[.]lmkso[.]com
www[.]lmksz[.]com
Further investigation turned up at least 7 additional similar domains, all hosted in the IP range 104.21.xxx.xxx and all currently unavailable. Their main activity was seen for a few days in the second half of October, and some remained active into the second week of November.
lmksa[.]com
lmksc[.]com
lmksd[.]com
lmkse[.]com
lmkss[.]com
lmksv[.]com
lmksx[.]com
Below is an example of how the websites looked, with prices far below what the genuine products cost. Such a site is likely selling counterfeit merchandise, or simply collecting the payment and never delivering the bag.
Figure 4: Fraudulent impersonation of Michael Kors website
Be careful where you log in
Another threat is fake login pages for online shopping sites, built to steal user credentials. For example, CPR discovered an email sent from "Amazon. Urgent notice" (but from an email address on a Chinese domain) with a subject in Japanese reading "System Notification: Unfortunately, we were unable to renew your Аmazon account" (translated from Japanese). The link in the email led to a website masquerading as Amazon.co.jp in both name and look. Note that the brand name appears only in the subdomain, while the actual registered domain is fo2j.top: https://www[.]amazon-co-jp[.]fo2j.top/
Figure 5: Impersonation of Amazon Japan
How to have a threat-free shopping experience
Here are our recommendations and tips for securing your online shopping this November:
- Always shop from an authentic, reliable source. Do not click promotional links you receive by email or social media. Instead, go to the retailer or brand yourself: type the address you know or search for it.
- Watch for lookalike domains. Check the spelling of domains in emails and in the address bar, and be wary of unfamiliar senders or peculiar sender addresses on promotions. Remember that the brand name can appear anywhere in a hostname; what matters is the registered domain at the end (amazon-co-jp.fo2j.top is fo2j.top, not Amazon).
- Offers that look too good to be true are exactly that. A new iPad will NOT go on an 80% discount this season, unfortunately.
- Look for the lock, but do not rely on it. Never enter payment details on a page served over plain HTTP: look for "https://" and the locked padlock, typically to the left of the URL in the address bar. No lock is a major red flag. The reverse is not true, however: HTTPS (TLS, still often called SSL) only means the connection is encrypted, not that the site is legitimate. The fake Amazon Japan page above was served over https://, and anyone can obtain a certificate for a lookalike domain. Check the domain name itself, not just the padlock.
- Having endpoint and email security solutions in place can mean the difference between a major security incident and a non-event.
- Be attentive to password reset emails, especially when online traffic is at a peak, as during the November shopping season. If you receive a password reset email you did not request, visit the website directly (do not click embedded links) and change your password on that site to something new. Not knowing your password is, of course, the problem cybercriminals face when trying to get into your online accounts. A fake password reset email that directs you to a lookalike phishing site is how they convince you to type your credentials in and hand them over.
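The two domain patterns this report describes, a brand name hidden in the subdomain of an unrelated registered domain (amazon-co-jp.fo2j.top) and a family of throwaway domains that differ by a single character (lmksa.com through lmksz.com), are both easy to flag mechanically before a user ever sees the link. The following Python script is an added example, not Check Point code; the brand allowlist, the cut-down public-suffix table and the Cyrillic sample host are constructed for illustration, and the domain list is the one from this report. It also shows the limit of name-based checks: the lmks domains carry no brand token and are only recognisable as a family.

```python
"""Flag brand-impersonating hostnames and cluster sibling throwaway domains.

Added example (not Check Point code). Three heuristics:
  1. brand token in the subdomain while the registrable domain is not the brand's;
  2. registrable label within 2 edits of a brand name (typosquat), or the brand
     name under a suffix the brand does not use;
  3. non-ASCII or punycode labels (homoglyphs such as Cyrillic 'а' for 'a').
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist: registrable domains each brand legitimately uses.
BRAND_DOMAINS = {
    "amazon": {"amazon.com", "amazon.co.jp", "amazon.co.uk"},
    "michaelkors": {"michaelkors.com"},
}
# Minimal stand-in for the Public Suffix List, enough for the hosts on this page;
# a real deployment loads the full list (e.g. via the publicsuffix2 package).
MULTI_LABEL_SUFFIXES = {"co.jp", "co.uk", "com.au"}

# Domains from the report (defanged form used in the write-up).
PAGE_DOMAINS = ["www[.]lmksb[.]com", "www[.]lmkso[.]com", "www[.]lmksz[.]com",
                "lmksa[.]com", "lmksc[.]com", "lmksd[.]com", "lmkse[.]com",
                "lmkss[.]com", "lmksv[.]com", "lmksx[.]com"]
# Constructed sample: 'amazon.com' with a Cyrillic first letter (U+0430).
CYRILLIC_AMAZON = "https://\u0430mazon.com/"


def refang(s: str) -> str:
    """Turn the defanged notation used in reports (www[.]x[.]com) back into a host."""
    return s.replace("[.]", ".")


def hostname(url_or_host: str) -> str:
    s = refang(url_or_host)
    parts = urlsplit(s if "://" in s else "//" + s)
    return (parts.hostname or "").lower().strip(".")


def registrable_domain(host: str) -> str:
    """eTLD+1: the part of the hostname that the owner actually registered."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url_or_host: str) -> list[str]:
    """Return the reasons a host looks like brand impersonation; [] means none found."""
    host = hostname(url_or_host)
    reg = registrable_domain(host)
    if any(reg in allowed for allowed in BRAND_DOMAINS.values()):
        return []  # the brand's own registered domain, whatever the subdomain
    reasons = []
    for label in host.split("."):
        if label.startswith("xn--") or any(ord(c) > 127 for c in label):
            reasons.append(f"non-ASCII/punycode label {label!r}")
    subdomain = host[: -len(reg)].strip(".")
    reg_label = reg.split(".")[0]
    for brand in BRAND_DOMAINS:
        if brand in re.sub(r"[^a-z]", "", subdomain):
            reasons.append(f"'{brand}' in subdomain but registrable domain is {reg}")
        d = levenshtein(reg_label, brand)
        if d == 0:
            reasons.append(f"brand name '{brand}' under unlisted suffix: {reg}")
        elif d <= 2 and len(brand) >= 5:
            reasons.append(f"'{reg_label}' is {d} edit(s) from '{brand}'")
    return reasons


def sibling_clusters(domains: list[str], min_size: int = 3) -> list[list[str]]:
    """Group registrable domains whose names differ in exactly one character
    position under the same suffix (the lmksa/lmksb/... pattern)."""
    masks: dict[str, set[str]] = {}
    for d in {registrable_domain(hostname(x)) for x in domains}:
        name, _, suffix = d.partition(".")
        for i in range(len(name)):
            mask = name[:i] + "?" + name[i + 1:] + "." + suffix
            masks.setdefault(mask, set()).add(d)
    groups = {tuple(sorted(m)) for m in masks.values() if len(m) >= min_size}
    return sorted(list(g) for g in groups)


if __name__ == "__main__":
    for sample in ["https://www[.]amazon-co-jp[.]fo2j.top/", "https://www.amazon.co.jp/",
                   CYRILLIC_AMAZON, "www[.]lmksb[.]com"]:
        print(sample, "->", classify(sample) or "no name-based finding")
    print("sibling families:", sibling_clusters(PAGE_DOMAINS))
```

Run as a script it prints one line per sample: the fo2j.top host is flagged for the brand token in its subdomain, the Cyrillic host for both its non-ASCII label and its one-edit distance from "amazon", and lmksb.com gets no name-based finding at all, which is why the second function exists: fed the ten domains from this report it returns them as a single family. In practice the cluster output is what you would enrich with registration dates and hosting IPs, as the researchers did, to confirm a campaign.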
The statistics and data used in this report are based on detections by Check Point's Threat Prevention technologies, stored and analyzed in ThreatCloud. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, across networks, endpoints and mobile devices. The intelligence is enriched with AI-based engines and exclusive research data from Check Point Research, the intelligence and research arm of Check Point Software.