| Category | Industry | Motivation |
|---|---|---|
| Adversary Intelligence | Global | Financial |
Researchers at CloudSEK observed a series of threats and potentially malicious campaigns ahead of Black Friday 2022. CloudSEK’s contextual AI digital risk platform XVigil discovered hundreds of Black Friday themed domains registered and operational. Common forms of attacks included the impersonation of legitimate websites, services for Google/Facebook ads, and the spread of malicious applications.
Website cloning is a common technique used by attackers of all levels of sophistication to host fake instances of legitimate websites. The goal is to harvest personally identifiable information (PII), credentials, and banking details. This data is then sold on dark web forums or leveraged to launch social engineering attacks.
For example, the website shown below is a fake domain that impersonates “Shoe The Bear”. It was hosted on fzmvih[.]top and advertised a Black Friday sale.
Malicious applications use themes such as ‘Black Friday’ to increase downloads and drive traffic. For example, the Black Friday application shown below (suspected to be malicious) has been around since 2015 and is available on a third-party app store (see Appendix).
CloudSEK’s BeVigil mobile app security scanner identified that the app requests several high-risk permissions, such as ‘Camera’, ‘Fine location’, and ‘Coarse location’. It is also detected as AppRisk:Generisk by antivirus programs, which means it can perform unwanted actions on the device it infects.
Cybercrime forums across various languages are rife with chatter about Black Friday. While some actors are promoting their malicious services and campaigns, others are looking to purchase them. For example, the post below shows a threat actor looking for Google and Facebook ad services, probably to promote a fake Black Friday themed shop.
Furthermore, threat actors also offer Black Friday discounts on their own services and products. One such instance was HostSlick[.]com, which has been reviewed, used, and rated by various threat actors on the forum.
CloudSEK researchers discovered an Ethereum giveaway scam website. Fraudsters tend to lure victims into transferring Ethereum, promising to double any cryptocurrency investment made with the site.
Various victims and researchers are actively using social media to spread awareness about such ongoing scams across the globe.
The post summarizes messages circulating on WhatsApp that announce a “Black Friday Contest 2022” and claim to offer 5,000 free tickets. Various posts suspect the link to deliver malware. Soon after it was reported on social media, the link was taken down.