Ahead of Black Friday, Rash of Malware Families Takes Aim at Holiday Shoppers

As consumers skip the store crowds in favor of online deals, cyberattackers have geared up to victimize them.

No less than 14 malware families are targeting e-commerce brands to steal from unsuspecting consumers ahead of the official holiday shopping season.

As the Black Friday post-Thanksgiving buying bonanza looms, in all of its door-busting and elbow-throwing glory, many are opting to stay at home and take advantage of the same deals online. But they may get an unwanted extra with their purchase. Banking trojan malware families Betabot, Panda, Gozi, Zeus, Chthonic, TinyNuke, Gootkit2, IcedID and SpyEye are targeting online shoppers.

According to Kaspersky Lab, these and other banking trojans have spiked in detections lately, and are hunting for user credentials such as user names, passwords, payment-card numbers and phone numbers. At least 14 malware families have been found actively targeting a total of 67 consumer e-commerce sites between them, the firm said.

This includes 33 clothing, footwear, gifts, toys, jewelry and department-store sites, eight consumer-electronics sites, eight entertainment and gaming sites, three popular telecom sites, two online payment sites and three online retail platforms.

Out of the top three most-prolific malware families is Betabot, according to Kaspersky Lab data [PDF]. The report shows that Betabot targets as many as 46 different brands, and was the only trojan to target entertainment and gaming sites, while Gozi targets 36 brands overall and Panda 35.

“The malware can intercept input data on target sites, modify online page content, and/or redirect visitors to phishing pages,” Kaspersky Lab researchers noted in a posting on Thursday, one week ahead of Thanksgiving. They added that the malicious code, once installed often lies in wait for the consumer to visit an e-commerce page, and then simply grabs the payment form wholesale.

“Form-grabbing is a technique used by criminals to save all the information that a user enters into forms on a website,” the team noted. “And on an e-commerce website, such forms are almost certain to contain: login and password combination as well as payment data such as credit card number, expiration date and CVV. If there is no two-factor transaction confirmation in place, then the criminals who obtained this data can use it to steal money.”

Armed with the stolen credentials, cybercriminals could hawk them on the Dark Web, or simply use the stolen accounts themselves – they can buy things from a website using victims’ credentials, and then resell the ill-gotten goods to make a nice profit – a process that comes with built-in money-laundering.

It’s interesting to look at consumer attitudes towards holiday-season shopping against this backdrop, which is a story of security versus convenience. A survey [PDF] of 500 adults in the U.K. by Radware found that more than 70 percent don’t think companies are doing enough to protect their personal data on Black Friday. As a result, 45 percent of respondents said they would not be shopping online, including 32 percent who said they would visit a physical store instead.

At the same time though, 55 percent of the survey respondents stated that convenience, price or home delivery was worth the potential risk.

This comes even as banking trojan activity has been steadily on the rise in recent years. Kaspersky Lab detections of their e-commerce-related activity has grown from from 6.6 million in 2015 to 9.2 million at the end of the third quarter of 2018, putting attacks on track to total an estimated 12.3 million by the end of the year. In terms of percentage increases, the firm observed a 12 percent increase in e-commerce targeting between 2016 and 2017, and expects to log a 10 percent rise between 2017 and the end of 2018.

To stay safe, consumers should use their common sense: Avoid buying anything online from websites that look potentially dangerous or resemble an incomplete version of a trusted brand’s website. Also, Kaspersky Lab recommends not clicking on unknown links in email or social media messages, even from people one knows, unless you were expecting the message.

In the Radware survey, 40 percent of respondents said they plan to change their online habits during Black Friday, including 25 percent who will reportedly only shop with well-known brands or will check that the website is secure before making a purchase.

“[Our] research shows that many consumers are aware of the risks of online shopping, and while some are willing to accept this for convenience and price, others are avoiding online shopping altogether,” Radware researchers noted in a posting on Wednesday.


Suggested articles