Research conducted by Egress and Orpheus Cyber has revealed a surge in phishing kits imitating major brands in the lead up to Black Friday, as security experts warn that cybercriminals are stepping up their phishing attacks over the holiday shopping season.
The research has lifted the lid on how cybercriminals prepare to take advantage of the retail event, reporting a 397% increase in typo squatting domains explicitly tied to phishing kits. Amazon was a popular choice for cybercriminals, with a 334.1% increase in phishing kits impersonating the brand ahead of its anticipated Black Friday promotions.
Amazon was the top brand for fraudulent webpages linked to phishing kits, with researchers observing almost 4,000 pages imitating the brand – three times as many as those detected for than the popular online auction site eBay and over four times as many as for retail giant Walmart.
Phishing-as-a-service (PhaaS) lowers the financial and technical barriers to entry for cybercrime, with operators using a software-as-a-service model to offer professionalized platforms that allow customers to quickly deploy their own attacks. These “phishing kits” often include lists of email addresses for attackers to target, as well as branded phishing email and website templates designed to impersonate well-known companies.
Experts believe demand for phishing kits will continue to increase in the months leading up to Christmas, with cybercriminals taking advantage of the increased volume of marketing emails sent during the period to mask their own malicious attacks. During this period, cybercriminals will often disguise their malicious attacks as retailer offers, order confirmations or delivery confirmation emails.
Amazon phishing kits for sale on both dark and clear web
In the week before Black Friday, researchers uncovered 200 new phishing kits containing imitation Amazon emails available on dark and clear web forums, with some retailing for as little as $40. One listing offers multiple language support, the ability to obtain credentials for a range of email providers and the option to prompt victims to take and submit pictures of their credit cards. Some kits boast capabilities to avoid detection, with one listing offering automated IP address checks to prevent automated security tools from scanning the link.
Researchers also observed phishing emails offering fake Amazon Black Friday promotions. One example, distributed on Black Friday, tempts recipients with an Amazon coupon that can be redeemed by completing an attached form. Further analysis revealed that the attachment contained XBAgent malware.
Comment from Egress VP of Threat Intelligence, Jack Chapman: “We all want to buy our loved ones the best possible Christmas present and net a bargain price in the Black Friday sales, and each year cybercriminals use this to their advantage. PhaaS has lowered the barriers to entry for cybercriminals, making it easy to impersonate well-known brands and trick victims. The recent increase in the number of phishing kits listed for sale highlights the criminals’ appetite for carrying out attacks during busy shopping periods.
“Our research uncovered the behind-the-scenes activity of cybercriminals as they prepare to take advantage of unsuspecting victims this holiday period, highlighting the ease with which they’re able to impersonate brands such as Amazon. As we approach Christmas, I’d urge everybody to take extreme caution when it comes to unexpected offers and discounts – and if you’ve received an email that you think looks suspicious, don’t click any links and don’t download any attachments.”