Threat actors are hosting websites for malicious campaigns centered around the “Black Friday” theme.
E-commerce, cryptocurrency, and travel are prime targets.
Compromised PII and banking credentials can be used to perform unauthorized transactions and social engineering attacks.
The campaigns also deliver malware, ransomware, and stealers.
Avoid clicking on suspicious links.
Install and update antivirus.
Use strong passwords.
Enable MFA across logins.
Monitor accounts and transactions for anomalies.
Researchers at CloudSEK observed a series of threats and potentially malicious campaigns ahead of Black Friday 2022. CloudSEK’s contextual AI digital risk platform XVigil discovered hundreds of Black Friday themed domains registered and operational. Common forms of attacks included the impersonation of legitimate websites, services for Google/Facebook ads, and the spread of malicious applications.
Website cloning is a common technique used by hackers of all levels of sophistication to host fake instances of legitimate websites. This is done to harvest personally identifiable information (PII), credentials, and banking details. This data is then sold on dark web forums or leveraged to launch social engineering attacks.
For example, the website shown below is a fake domain that impersonates “Shoe The Bear”. It was hosted on fzmvih[.]top and advertises a Black Friday sale.
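To show the kind of triage a defender would run against the Black Friday themed registrations described above, here is an added example (not CloudSEK's or XVigil's code) that scores a constructed feed of newly registered domains for seasonal keywords, brand lookalikes, credential-lure words and risky TLDs. The brand list, allow-list, sample feed and thresholds are all assumptions; no real indicators from the report are reproduced.

```python
import re
from difflib import SequenceMatcher

# Constructed inputs: brands a defender wants to protect, and a sample
# "newly registered domain" feed. None of these are real indicators.
BRANDS = ["shoethebear", "examplebank", "examplemart"]
ALLOWLIST = {"shoethebear.com", "examplebank.com", "examplemart.com"}
SEASONAL_KEYWORDS = ["blackfriday", "cybermonday", "bfdeals", "sale2022"]
SUSPICIOUS_TLDS = {"top", "xyz", "shop", "icu", "buzz"}  # assumed risk list
SAMPLE_FEED = [
    "shoethebear.com",                    # legitimate, allow-listed
    "shoe-the-bear-blackfriday.top",      # brand + seasonal keyword + risky TLD
    "blackfriday-examplebank-login.xyz",  # adds a credential-lure word
    "sh0ethebear.shop",                   # homoglyph squat (0 for o)
    "weather-today.org",                  # benign control
]

def normalize(label):
    """Drop separators and map common digit homoglyphs so 'sh0e-the-bear' ~ 'shoethebear'."""
    label = label.replace("-", "").replace("_", "")
    return label.translate(str.maketrans("0135", "oles"))

def score_domain(domain):
    """Return (score, reasons); a higher score means a stronger impersonation signal."""
    domain = domain.lower().rstrip(".")
    if domain in ALLOWLIST:
        return 0, ["allowlisted"]
    parts = domain.split(".")
    tld, name = parts[-1], normalize("".join(parts[:-1]))
    score, reasons = 0, []
    for kw in SEASONAL_KEYWORDS:
        if kw in name:
            score += 2; reasons.append(f"keyword:{kw}"); break
    for brand in BRANDS:
        if brand in name:
            score += 3; reasons.append(f"brand:{brand}"); break
        ratio = SequenceMatcher(None, brand, name).ratio()  # near-miss typosquats
        if ratio >= 0.85:
            score += 3; reasons.append(f"lookalike:{brand}:{ratio:.2f}"); break
    if tld in SUSPICIOUS_TLDS:
        score += 1; reasons.append(f"tld:{tld}")
    if re.search(r"login|secure|account|verify", name):
        score += 1; reasons.append("credential-lure-word")
    return score, reasons

def triage(feed, threshold=3):
    """Keep only domains whose score reaches the review threshold."""
    hits = []
    for d in feed:
        s, r = score_domain(d)
        if s >= threshold:
            hits.append((d, s, r))
    return hits

if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_FEED):
        print(f"{score:2d}  {domain:40s} {', '.join(reasons)}")
```

Domains that pass the threshold would then go to a takedown or block-list workflow; the allow-list keeps the brand's own domain from being flagged.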
Spread Malicious Applications
Malicious applications use themes such as ‘Black Friday’ to increase downloads and drive traffic. For example, the Black Friday application shown below (suspected to be malicious) has been around since 2015 and is available on a third-party app store. (See Appendix)
CloudSEK’s BeVigil mobile app security scanner has identified that the app requests several high-risk permissions such as ‘Camera’, ‘Fine location’, and ‘Coarse location’. It is also detected as AppRisk:Generisk by antivirus programs, which means it can perform unwanted actions on the device it infects.
Observations from Cyber Crime Forums
Cybercrime forums across various languages are rife with chatter about Black Friday. While some actors are promoting their malicious services/campaigns, others are looking to purchase them. For example, the post below shows a threat actor looking for Google and Facebook ad services, probably to promote their fake Black Friday themed shop.
Furthermore, threat actors also provide Black Friday discounts for their services and products. One such instance was HostSlick[.]com, which is reviewed, used, and rated by various threat actors on the forum.
CloudSEK researchers discovered an Ethereum giveaway scam website. Fraudsters tend to lure victims into transferring Ethereum, promising to double any cryptocurrency investment made with the site.
The scammers leverage the occasion of Black Friday to host such schemes, in which participants must transfer some ETH to qualify.
The ETH address shared by the fraudsters has 340 transactions on the Ethereum blockchain. It has received ~990 ETH (USD 1,149,078), and the current balance of this address is ~124.79 ETH (USD 144,728).
A scam report has been generated for this ETH address indicating that the fraudsters leverage every significant event to mint money. (See Appendix)
Various victims and researchers are actively using social media to spread awareness about such ongoing scams across the globe.
The post summarizes how messages reading “Black Friday Contest 2022”, which claim to provide 5,000 free tickets, are circulating on WhatsApp. Various posts suspect the link to be malware. Soon after it was reported on social media, the link was taken down.