With the end of November comes the height of the holiday shopping season — specifically Black Friday and Cyber Monday sales, which typically span the last calendar days of November into the first week of December.
As consumer behavior changes and online transactions become favored over traditional retail-store purchases, Black Friday and Cyber Monday are becoming harder to differentiate. Many retailers extend sale pricing throughout this time period in an effort to maximize profits and engage eager shoppers.
In fact, the total number of online sales for the 2018 holiday sale period was a record ~$7.9 billion, a nearly 20% increase from the previous year.
2018 was also the first year where half of online shoppers came from mobile devices, indicating a shift in consumer behavior.
Adobe’s analytics were particularly interesting, which included a breakdown of 2018’s Cyber Monday online traffic sources.
While a social media presence has become a necessity for most online businesses, Adobe’s data shows that strong SEO and email advertising efforts continue to dominate during this period.
Emerging Ecommerce Threats
There are a number of threats that both consumers and website owners need to be aware of during the 2019 holiday season.
In-store card-present transactions leveraging stolen payment data have been on the decline in the United States, ever since merchants and payment processors rolled out EMV enabled payment cards and POS devices.
New consumer habits, such as buy online, pick up in store (BOPIS), now allow customers to pick up products at a physical locations after purchasing them on the retailer’s website – so these transactions become classified as card-not-present.
CNP vs CP Liability
It is important to differentiate between card-present and card-not-present transactions as they are key to determining who is liable for the fraudulent charges.
If all agreed upon policies are followed, liability falls on either the card issuer or the merchant:
- Card-present – Card issuer is liable for fraudulent charges
- Card-not-present – Merchant is liable for fraudulent charges
Since merchants offering BOPIS are liable for fraudulent transactions, it is important that strong authentication processes are implemented to ensure that purchased products are seamlessly handed off to only authorized users.
Unfortunately, there are still retail merchants that have little to no authentication process for in-person pickups, making them likely targets for abuse due to a lack of security controls.
This threat also impacts consumers, as they are ultimately the source of the stolen data — whether it is a stolen payment card or a stolen merchant account (e.g Walmart) that already has a saved payment method ready for use.
EMV payment cards can have payment data stolen through shimming, allowing them to be used in card-not-present transactions. They are safe (for the most part) from being cloned and used in card-present transactions. This method — essentially allowing scammers to lift information from chip cards with an EMV microchip — can be used to gather stolen payment card data for use in fraudulent activity like purchasing items in card-not-present transactions.
E-skimming is a threat to any website that accepts payment cards. It involves the execution of malicious code during specific conditions — for example, only on the checkout page. This code captures and transmits the stolen payment card data to the hacker as customers enter it in real time.
How E-skimming Works
Much like physical skimmers, transactions proceed normally. Most users won’t notice that payment card information was being stolen during the process. This is because e-skimmers will often just use one domain and it may look very similar to legitimate domains. In addition, they will also often use cloaking techniques like not loading the e-skimmer if the victim has their browser’s developer tools open when loading the infected page.
This e-skimmer can obfuscate itself by loading from fake, legitimate-looking domain names.
In fact, e-skimming threats have garnered so much attention that the FBI and US-CERT have released a warning about it for the 2019 holiday season, along with a PDF that does a good job explaining the risks to users.
Phishing attacks continue to be a pervasive threat in 2019. Phishing campaigns can be distributed through a variety of methods, but are most commonly circulated via popular communication channels like email, SMS, and messaging applications like Facebook or Instagram.
Phishing Emails: A Closer Inspection
While spam and phishing filters at major email providers have become much better at displaying warnings for suspected emails, they don’t always move suspicious emails to the junk folder.
Let’s examine a phishing email that I recently received.
From the subject and email content, we can see that the attacker is targeting Apple ID users in this phishing campaign.
This email spreads fear, uncertainty, or doubt (FUD) — a common tactic — by claiming that the victim’s Apple ID has been locked. Attackers bank on the fact that victims will skim this email content, become alarmed by the message contents, and click on the big Unlock Account button.
Once the Unlock Account button has been clicked, the user is sent to a phishing website to harvest sensitive payment information and other personal details.
Since Apple ID can have payment methods associated with an account, attackers obtain this information by tricking victims into submitting their payment and personal details through a fake “verification process.”
At the time of writing, the landing page for this campaign has since been disabled but was verified as a threat on Phishtank.
What Happens to Stolen Information?
As mentioned in previous posts, stolen credit card information is often resold to other fraudsters through various distribution methods including forums, Discord channels, darknet markets, etc.
Below is an example of stolen payment and personal data for sale.
Due to the Apple ID references in this listing, we can assume this information was phished using a similar method to the one we just described.
How to Spot Check Phishing Emails
If you suspect an email may be legitimate, I would advise verifying with the following steps to be 100% certain.
The first step is to check and verify the sender’s email address. In the phishing sample image above, we can see that the sender’s email address is listed as wdttt8xkh9w@wishingyouarehere[.]com.
If we check on the domain wishingyouarehere[.]com, then we can see it was registered earlier this year and is exclusively used for sending emails through G-Suite/Gapps as it lacks the necessary DNS records to host a website.
[*] MX aspmx.l.google.com 126.96.36.199 [*] MX alt1.aspmx.l.google.com 188.8.131.52 ... [*] SPF v=spf1 include:_spf.google.com ~all [*] TXT wishingyouarehere[.]com v=spf1 include:_spf.google.com ~all
Perhaps what is even more revealing is if we search for other domains registered under the same name — Deborah musichouse — we can find an entire list of domains that were registered to this presumably fake name on the same date with the same registrar.
- wishingyouarehere[.]com 2019-03-07 domains.google.com
- kaubicarakandenganadarendah[.]net 2019-03-07 domains.google.com
- whatareyoudoingnow[.]business 2019-03-07 domains.google.com
- walautaktersisaceritacinta[.]info 2019-03-07 google.com
- semakinkumemikirkanmu[.]info 2019-03-07 google.com
- menangislahselagikamubisa[.]info 2019-03-07 google.com
- danjanganengkaupergilagi[.]info 2019-03-07 google.com
- berselimutditengahdingindunia[.]info 2019-03-07 google.com
In total, there have been over 100 other domains registered to this fake name at the same registrar and on the same day.
Many of these domains use words from the Indonesian language, which is also suspicious. There are numerous hacking groups that operate from there — if you ever deal with website malware, you may be aware of Indonesian words like gagal which means failed and its counterpart sukses which means success. These terms are often used in many backdoors.
To spot check emails like this for phishing, I would also encourage you to go to the website directly in your browser instead clicking on any of the HTML buttons or links in the email itself. Oftentimes, attackers will conceal the phishing URL behind a series of redirects.
Some of these campaigns even abuse legitimate services that allow redirects, as seen with this malicious URL that redirects through a Tumblr domain.
This redirect service can make it more difficult for someone to be able to quickly determine whether it is malicious, increasing the likelihood of them just clicking the redirect link to the phishing page.
Of course there are also other methods of phishing, such as vishing (phishing over the phone), which can be very sophisticated. KrebsOnSecurity has a great article covering this topic, which can be found here.
If you are one of the many small to medium businesses owners operating a website without your own incident response team, don’t worry. Services offered by Sucuri make it much easier for you to securely run your website and business online.
Our website security platform already provides the recommendations given by the FBI to mitigate risk. Features include server-side scanning for detecting indicators of compromise and a Web Application Firewall which monitors and analyzes traffic for malicious behavior — and helps you maintain PCI compliance. Sucuri also offers redundancy DNS features and offsite backups, which are a necessity for any business continuity plan.