Beware of Black Friday 2022 Themed Cyber Threats
| Category:
Adversary Intelligence |
Industry:
Global |
Motivation:
Financial |
|---|
| THREAT | IMPACT | MITIGATION |
|---|---|---|
|
|
|
Executive Summary
Researchers at CloudSEK observed a series of threats and potentially malicious campaigns ahead of Black Friday 2022. CloudSEK’s contextual AI digital risk platform XVigil discovered hundreds of Black Friday themed domains registered and operational. Common forms of attacks included the impersonation of legitimate websites, services for Google/Facebook ads, and the spread of malicious applications.
Also Read Phishing Campaign Abusing Reverse Tunnel Service Provider, Portmap.io
Black Friday Themed Cyber Threats
Impersonation of Legitimate Websites
Website cloning is a common technique used by hackers of all levels of sophistication to host fake instances of legitimate websites. This is done to harvest personally identifiable information (PII), credentials, and banking details. This data is then sold on dark web forums or or leveraged it to launch social engineering attacks.
For example, the website shown below is a fake domain that impersonates “Shoe The Bear”. It was hosted on fzmvih[.]top, and is advertising their Black Friday sale.
![Cloned website impersonating https[:]//shoethebear[.]com/pages/about | Black Friday 2022 Cyber Threats](https://i0.wp.com/cloudsek.com/wp-content/uploads/2022/11/word-image-21814-1.png?resize=1200%2C464&ssl=1)
Spread Malicious Applications
Malicious applications use themes such as ‘Black Friday’ to increase downloads and drive traffic. For example, the Black Friday application shown below (suspected to be malicious), has been around since 2015, and is available on a third-part app store. (see Appendix)
CloudSEK’s BeVigil mobile app security scanner has identified that the app requests for several high-risk permissions such as ‘Camera’, ‘Fine location’, and ‘Coarse location’. It is also detected as AppRisk:Generisk by antivirus programs, which means it can perform unwanted actions on the device it infects.
Observations from Cyber Crime Forums
Cybercrime forums across various languages are rife with chatter about Black Friday. While some actors are promoting their malicious services/ campaigns, others are looking to avail them. For example, the post below shows a threat actor looking for Google and Facebook ad services, probably to promote their fake Black Friday themed shop.
Furthermore, threat actors also provide Black Friday discounts for their services and products. One such instance was HostSlick[.]com, which is reviewed, used, and rated by various threat actors on the forum.
Cryptocurrency Scams
CloudSEK researchers discovered an Ethereum giveaway scam website. Fraudsters tend to lure victims into transferring Ethereum, promising to double any cryptocurrency investment made with the site.
- The scammers leverage the occasion of Black Friday to host such schemes where participants should transfer some ETH to qualify.
- The ETH address shared by the fraudsters has 340 transactions on the Ethereum blockchain. It has received ~990 ETH (USD 1,149,078). And, the current value of this address is ~124.79 ETH (USD 144,728).
- A scam report has been generated for this ETH address indicating that the fraudsters leverage every significant event to mint money. (See Appendix)
![Crypto scam website - https[:]//www[.]eth-blackfriday[.]com](https://i0.wp.com/cloudsek.com/wp-content/uploads/2022/11/word-image-21814-5.png?resize=1070%2C509&ssl=1)
Open Web results
Various victims and researchers are actively using social media to spread awareness about such ongoing scams across the globe.
The post summarizes how WhatsApp is circulating messages that say “Black Friday Contest 2022” claiming to provide 5,000 free tickets. Various posts suspect it to be malware. Soon after it was reported on social media, the link was taken down.
References
Appendix
