Co-authored by: Sriram P and Deepak Setty<\/p>\n
\u2018Tis the season for scams. Well, honestly, it\u2019s always scam season somewhere. In 2020, the Internet Crime and Complaint Center (IC3<\/a>) reported losses in excess of $4.1 billion dollars in scams which was a 69% increase over 2019. There is no better time for a scammer celebration than Black Friday, Cyber Monday, and the lead-up to Christmas and New Year. It\u2019s a predictable time of the year, which gives scammers ample time to plan and organize. The recipe isn\u2019t complicated, at the base we have some holiday excitement, sprinkle in fake shopping deals and add some discounts, and ho ho ho we have social engineering scams.<\/p>\n In this blog, we want to increase awareness related to scams as we expect elevated activity during this holiday season. The techniques used to scam folks are very similar to those used to spread malware too, so always be alert and use caution when browsing and shopping online. We will provide some examples to help educate consumers on how to identify scams. The victims of such scams can be others around you like your kids or parents, so read up and spread the word with family and friends. Awareness, education, and being alert are key to keeping you at bay from fraudsters.<\/p>\n Although there is a myriad of scams out there, we expect the most common scams and targets this season to be:<\/p>\n SMSishing, email-based Phishing, and push notifications will be the most common vectors initiating scams during this holiday season. Here are some common tactics in use today:<\/p>\n This is a common theme around this time of the year. Deals, discounts, and gift cards can be costly to your bank account. Be wary of URLs being presented to you over email or SMS. Phishing emails, bulk mailing, texting, and typo-squatting are some of the ways that scammers target their prey.<\/p>\n Scammers will create a sense of urgency by telling you that you have limited time to claim the deal or that there is low inventory for popular items in their store. It\u2019s not difficult for scammers to identify sought-after electronics items or holiday gifts for sale and offer them for sale on their fake stores. Such scams are believable given the supply chain challenges and delivery shortages over the last few months.<\/p>\n Getting people worried about a life-changing event or disrupting travel plans can be concerning. So, if you get an unexpected call from someone claiming to be from the FBI, police, IRS, or even a travel company, stop and think. They may be using scare tactics to dupe you. Never divulge personal information and if in doubt, ask them a lot of directed questions and fact check them. As an example, check to see if they know your home address, account number, itinerary number, or bank balance depending on who they claim to be. Scammers typically don\u2019t have specific details and when put on the spot, they\u2019ll hang up.<\/p>\n Like scare tactics, scammers may prey on vulnerable people. Although there can be many variations of such scams, the more common ones are Romance Scams<\/em> where you end up connecting to someone with a fake profile, and Fake Charity Scams<\/em> where you receive a phone call or an email requesting a donation. Do not entertain such requests over the phone especially if you receive a phone call soliciting a donation. During the conversation, they will attempt to make you feel guilty or selfish for not contributing enough. Remember, there is no rush to donate. Go to a reputable website or a known organization and donate if you must after due diligence.<\/p>\n Successful scams are situationally accurate. You may be the smartest guy in the room, but when you eagerly waiting for that delivery and you see an email update claiming a delivery delay from UPS, you might fall for a scam. This is particularly true in the holiday season and therefore such themes are more prevalent. Here are some tips on how to identify scams early on.<\/p>\n If you believe that you have been a victim of a scam, here are a few tips that might help.<\/p>\n It\u2019s become more common recently to receive text messages for scammers. The following few text messages demonstrate SMSishing attempts.<\/p>\n <\/p>\n 2. The following are fake texts that attempt to entice you click the link. The bait is the Gift card. One can tell that they are a similar theme since they originate from fake phone numbers, which are very similar but not exact. The domain names of the two URLs are totally random (probably compromised URLs). You can tell that back in October, the full URL based SMShing attempts were not very effective which is why in Nov, they probably used keywords like \u201cCOSTCO\u201d and \u201cebay\u201d within the URL and inline to their SMS context, to make it more likely for people to click.<\/p>\n Also note that some of the URLs only have an \u201chttp\u201d versus a \u201chttps\u201d, something we had noted earlier in the blog.<\/p>\n <\/p>\n One cannot trust an email by the text. You should review the link to ensure it takes you to where it claims to. The following is an example email where the link is not what it claims to be.<\/p>\n Shopify is a Canadian multinational e-commerce company. It offers online retailers a suite of services, including payments, marketing, shipping, and customer engagement tools.<\/p>\n So, where there is money to be made, individuals are looking to take advantage. Shopify scam targets both consumers and business owners. Scammer abuse the power of e-commerce to earn money by implementing fake stores. They observe the product or category, create an attractive logo or image and promote extensively on social media.<\/p>\n Fake Bike Online Purchase store \u2013 Mountain-ranger-com<\/p>\n Site: hxxps:\/\/mountain-ranger-com.myshopify.com\/collections\/all<\/p>\n SSL info:<\/strong><\/p>\n This site is hosted on Shopify, so it has a valid SSL cert which is the first thing we check on where we transact.<\/p>\n Whois Record\u00a0<\/strong>( last updated on 2021-11-19 )<\/strong><\/p>\n Domain\u00a0Name:\u00a0myshopify.com The registrar info for the site is valid too, as it is hosted on Shopify. If you look closer, however, one will notice red flags:<\/p>\n <\/p>\n 2. The \u201cAbout Us\u201d doesn\u2019t make much sense when you see the products that are being offered.<\/p>\n 3. There are no customer reviews about the products listed.<\/p>\n 4. It has a public email server (gmail) in its return policy<\/p>\n 5. Looking up the list address in google maps wouldn\u2019t show up anything and looking up the number in apps like true caller shows it’s fake.<\/p>\n The goal of this scam is to steal credentials however it could as well be used as a malware delivery mechanism. The screenshot is that of a fake business proposal hosted on OneDrive Cloud for phishing purposes.<\/p>\n The actor aims to mislead the user into clicking on the above reference link. When the user clicks on the link, it redirects to a different website that displays the below fake OneDrive screenshot.<\/p>\n hxxps:\/\/aidaccounts[.]com\/11\/verified\/22\/<\/p>\n If a user enters their OneDrive details, the actors receive them at their backend. This means that this victim has lost their login credentials to the phishing actors. Look at the address bar and trust your instincts. This is in no way related to Microsoft OneDrive. There are other such examples where they do some additional plumbing of the URL to include keywords that make it more believable \u2013 as they did in the SMSishing example above.<\/p>\n The goal here is to get the user to accept push notifications. Doing so makes the customer susceptible to other possible scams. In this example, the scammers attempt to get users to fill out surveys. Legit companies online pay users for surveys. A referral code is used to pay the survey taker. The scammer in this case attempts to get others to fill the survey on their behalf and therefore makes money when such surveys use the scammer’s referral code. Push notifications are used to get the victims to fill out surveys. Previous blogs from McAfee demonstrate similar scams<\/a> and how to prevent such notifications<\/a><\/p>\n The initial vector comes to the victim via a spam email with a PDF Spam attachment. In this scenario, Gmail was used as the sender.<\/p>\n Upon opening the PDF, a fake online PUBG<\/a> (Players Unknown Battleground) credits generator gets opened. In PUBG, Gamers need credits to participate in various online games and so this scam baits them offering free credits.<\/p>\n Once the user clicks on the bait URL, it opens a google feed proxy URL.<\/p>\nRelevant scams this season<\/h2>\n
\n
1. Unbelievable deals or discounts<\/strong><\/h3>\n
2. Creating a sense of urgency<\/strong><\/h3>\n
3. Utilizing Scare tactics <\/strong><\/h3>\n
4. Emotional tactics <\/strong><\/h3>\n
Tips to identify a scam<\/h2>\n
\n
\n
\n
\n
\n
\n
What if you are a victim?<\/h2>\n
\n
\n
\n
\n
\n
Example scams:<\/h2>\n
Example 1: Fake SMS messages<\/h3>\n
\n
Example 2: Fake email link<\/h3>\n
Example 3: Fake Store Scam hosted on Shopify<\/h3>\n
\nRegistry\u00a0Domain\u00a0ID:\u00a0362759365_DOMAIN_COM-VRSN
\nRegistrar\u00a0WHOIS\u00a0Server:\u00a0whois.markmonitor.com
\nRegistrar\u00a0URL:\u00a0http:\/\/www.markmonitor.com
\nUpdated\u00a0Date:\u00a02021-03-02T23:39:12+0000
\nCreation\u00a0Date:\u00a02006-03-03T03:01:37+0000
\nRegistrar\u00a0Registration\u00a0Expiration\u00a0Date:\u00a02024-03-02T08:00:00+0000
\nRegistrar:\u00a0MarkMonitor,\u00a0Inc.
\nRegistrar\u00a0IANA\u00a0ID:\u00a0292
\nRegistrar\u00a0Abuse\u00a0Contact\u00a0Email:
\nRegistrar\u00a0Abuse\u00a0Contact\u00a0Phone:\u00a0+1.2083895770
\nDomain\u00a0Status:\u00a0clientUpdateProhibited\u00a0(https:\/\/www.icann.org\/epp#clientUpdateProhibited)
\nDomain\u00a0Status:\u00a0clientTransferProhibited\u00a0(https:\/\/www.icann.org\/epp#clientTransferProhibited)
\nDomain\u00a0Status:\u00a0clientDeleteProhibited\u00a0(https:\/\/www.icann.org\/epp#clientDeleteProhibited)
\nDomain\u00a0Status:\u00a0serverUpdateProhibited\u00a0(https:\/\/www.icann.org\/epp#serverUpdateProhibited)
\nDomain\u00a0Status:\u00a0serverTransferProhibited\u00a0(https:\/\/www.icann.org\/epp#serverTransferProhibited)
\nDomain\u00a0Status:\u00a0serverDeleteProhibited\u00a0(https:\/\/www.icann.org\/epp#serverDeleteProhibited)
\nRegistrant\u00a0Organization:\u00a0Shopify\u00a0Inc.
\nRegistrant\u00a0State\/Province:\u00a0ON
\nRegistrant\u00a0Country:\u00a0CA
\nRegistrant\u00a0Email:\u00a0Select\u00a0Request\u00a0Email\u00a0Format<\/p>\n\n
Example 4: Social Engineering to Steal Credentials<\/h3>\n
Example 5: Fake Push Notification for surveys<\/h3>\n