ThreatList: Gift Card-Themed BEC Holiday Scams Spike

Watch out for emails about gift cards and corporate donations, researcher warn.

With cyber threats rampant between Black Friday and Christmas, security experts are warning of a wave of business-style email scams hitting inboxes designed to appeal to holiday shoppers.

Attacks involve scam messages purporting to be gift card deals or links to corporate donations. According to researchers at Proofpoint, the style, technique and nature of the email scams follow a pattern of what are known as business email compromise (BEC) scams. Instead of tricking targets with fake invoices, holiday-themed BEC emails entice victims to click on malware laced gift-card offers or to donate to a fake charitable cause along with other corporate coworkers.

“While this emerging technique only represents a small fraction of overall email fraud, we also identified rapid quarter-over-quarter growth this year in email fraud scams related to gift cards and, in many cases, corporate donations,” according to Proofpoint researchers that issued a report on such attack earlier this week.

Email fraud scams related to gift cards and corporate donations have shot up – while they were virtually non-existent in the first quarter of 2018, by the second quarter, they represented more than 10 percent percent of total email fraud. This percentage has now grown to almost 16 percent of all total email fraud scams in the holiday quarter – and is still growing.

The top BEC-style email scams typically include subject lines that include “iTunes gift cards,” “gift card donations,” and “Amazon gift cards.”

“As with most types of email fraud, threat actors targeted companies of all sizes and in all industries,” researchers said. “There was no correlation between company characteristics and the likelihood of being targeted by gift card BEC scams.”

Gift-card related scams represent just one threat of many this season. Also of concern are BEC-style email attacks delivering malware that targets point-of-sale systems, and phishing scams perpetrated via social media.

For instance, researchers reported a spate of Black Friday-themed email spam, often taking advantage of recipients’ desire to cash in on increasingly attractive deals. These emails created tempting clickbait for users or contained enticing messages with attachments that delivered malware, not holiday cheer.

For instance, the threat actors who regularly distribute the Emotet banking trojan, for example, sent a barrage of Thanksgiving-, Black Friday-, and Cyber Monday-themed malicious spam over the last two weeks.

An uptick in point of sale malware has also traditionally been observed during the holiday season – and this year is no different. Researchers are also warning of an uptick in the distribution of banking trojan malware families Betabot, Panda, Gozi, Zeus, Chthonic, TinyNuke, Gootkit2, IcedID and SpyEye.

For business, researchers warn they are seeing an uptick in point-of-sale (POS) malware ranging from FindPOS, ZeusPOS, MagikPOS and NewPosThings. FindPOS has continued unabated as the most common malware strain targeting POS devices. In 2018, POS malware activity has generally remained fairly steady, they said.

“Getting POS malware onto even a small number of terminals allows threat actors to scrape credit card data, which can then be used for fraudulent transactions,” researchers said.

A final trend that online shoppers need to be wary of is a new cyberthreat called “angler phishing.”

With several consumers interacting with support for retail brands via social media, such as Twitter and Facebook, cybercriminals are inserting themselves into public post comments or interactions and scam users into handing over their payment data or other information.

“More sophisticated threat actors continue to exploit social media channels to directly attack users,” researchers said. “Social media support fraud, or ‘angler phishing’ occurs when threat actors attempt to insert themselves into legitimate conversations between brands and users and Black Friday presents many opportunities for users to inquire about available deals, merchandise availability, etc.”

With “angler phishing” up a whopping 486 percent over this time last year, researchers urge consumers to “ensure that they are actually interacting with legitimate brands and verified accounts.”

“Although the holidays generally bring a range of online threats from actors looking to take advantage of the ‘human factor’ — human vulnerabilities of curiosity and fallibility rather than software exploits — the 2018 holiday season is accompanied by new threats as well as old standbys,” the researchers said. “Gift card email fraud scams have taken off just in time for the holidays while a larger number of established actors are distributing malware on bank holidays that were relatively quiet in years past.”

 

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.