Naked Security

Avoid these scams this Black Friday and Cyber Monday

Just as people will surely go online in droves searching for deals, cybercrooks and scammers know this is the perfect time of year to take advantage of those who aren't aware of the risks. Here's our advice for staying secure this holiday shopping season.

The Thanksgiving holiday is this Thursday, the unofficial start to the Christmas shopping season in the US, followed by Black Friday and Cyber Monday.

People will surely go online in droves searching for deals, and cybercrooks and scammers know this is the perfect time of year to take advantage of those who aren’t aware of the risks.

For the past few days, SophosLabs has seen plenty of spam promoting suspicious and deceptive websites under the guise of great deals.

In one example, our spam traps caught a message purporting to offer Black Friday deals on “the car of your dreams.”

[Image: spam email offering Black Friday deals on “the car of your dreams”]

The email claimed to be from JC Penney, a well-known US retailer…

…that sells affordably priced clothing and home goods, not cars.

The email wasn’t really from JC Penney at all, of course – the “from” header was forged – and the Black Friday auto deals don’t exist.

If you click on the image in the email, you’re taken to a blank website that immediately redirects you to another website hosting ads for a variety of deals, for everything from home and auto insurance to diet, online education and travel deals; the car deal is “no longer available.”

[Image: the website the spam redirects to]

SophosLabs researcher Biprotosh Bhattacharjee tells me that this is a common technique for spammers who can change out the “default” content of the website at any time and replace it with scams or malicious webpages.

Another suspicious “deal” SophosLabs saw this week was spam offering deep discounts on Ugg boots, which normally retail in the US for upwards of $100, but the email subject line claimed to offer Uggs “on sale” for only $65.

The spam links to a domain with “Black Friday 2015” in the URL, a website which redirects to another site offering “crazy” Thanksgiving deals on Ugg boots, and displays an Ugg logo.

[Image: the Ugg scam website]

Looking more closely, however, we can see there are several indicators that this website is a scam, beyond the obvious typo (“Thanksgivin”).

The biggest warning sign is that the scam website does not use the URL of the actual Ugg website (uggaustralia.com).

And if you attempt to purchase any of the items, you’re taken to an insecure payment page that doesn’t use HTTPS (signified by a padlock in the browser address bar).

The payment page asks for your credit card information, but there is only one option from the dropdown menu which doesn’t differentiate between the different types of credit card, such as Visa or Mastercard.

Although it’s tempting to believe offers for items priced well below retail, there’s a good chance these “Ugg” boots are cheap knock-offs – Ugg itself has warned customers that it has worked with law enforcement to take down over 60,000 sites offering counterfeit versions of its products.

Don’t fall for online deals like this. So-called affiliate networks help spammers to make money by driving people to these websites offering knock-off versions of well-known brands, like Apple products and even prescription drugs like Viagra.

In general, Naked Security writer and Sophos expert Paul Ducklin says, you should steer clear of super-cheap product offers that arrive in unsolicited emails:

Even if you think that the crooks will take every care with your payment details and your identity, and even if the goods you are buying turn out to be the genuine article, why give these guys your business? Instead, ask yourself, "Do I consider a spam campaign to be the basis of a business relationship founded on mutual trust?"

Tips for safe online shopping

  1. If it sounds too good to be true, it IS too good to be true. There is no such thing as a free iPhone 6!
  2. Never fill in purchase details on a website that doesn’t use a secure (encrypted) connection. Don’t be fooled by padlock images in the webpage itself: look for the padlock in your browser’s address bar.
  3. Don’t click on links in unsolicited emails. Those links could land you on a phishing website or a website that will infect you with malware via what’s known as a drive-by download. Always type in the website address, but be careful of mistyped addresses where cybercrooks may be squatting. Bookmark the sites you typically visit for shopping, banking, etc.
  4. Watch out for sites that ask for way too much information, such as your card PIN – which is not used online – Social Security number or national ID number. And never share your passwords. IF IN DOUBT, GIVE NOTHING OUT!
  5. Scrutinize your bank statements. Check your bank account transactions regularly for signs of fraud, particularly after making purchases online. If you discover payments that you can’t identify, notify your bank immediately.

Image of mega-explosive sale sign courtesy of Shutterstock.com.

6 Comments

John Zorabedian wrote: “The payment page asks for your credit card information, but there is only one option from the dropdown menu which doesn’t differentiate between the different types of credit card, such as Visa or Mastercard.”

The number sets for Visa and MasterCard are disjoint. A simple test on the number can distinguish the provider. The dropdowns are customarily used to avoid the need for a statement like “Sorry, Discover not accepted” or “We do not accept American Express.” If a merchant accepts all the card types there’s no need for the dropdown. A website designer can also keep things simple by eliminating the question, doing the test, and then providing the non-acceptance message if necessary.

Reply
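The number test the comment above describes, as an added example in JavaScript (not code from the article or from the commenter): it strips spaces, verifies the Luhn check digit, then classifies the number by its public issuer prefix. The IIN ranges are the published Visa and MasterCard ranges; the sample numbers in the comments are the well-known public test numbers, and the return labels are my own choice.

```javascript
// Added example: classify a card number by its leading digits, as the comment
// suggests, instead of asking the shopper to pick a brand from a dropdown.
// A defender-side form validator would use this to reject malformed input
// before anything is sent.

// Luhn check: every second digit from the right is doubled (minus 9 if > 9);
// the total must be a multiple of 10. Catches typos, not fraud.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Returns "visa", "mastercard", "unknown" (valid Luhn, other brand),
// or "invalid" (non-digits or failed Luhn check).
function cardBrand(number) {
  const digits = String(number).replace(/[\s-]/g, "");
  if (!/^\d+$/.test(digits) || !luhnValid(digits)) return "invalid";

  const len = digits.length;
  const two = Number(digits.slice(0, 2));
  const four = Number(digits.slice(0, 4));

  // Visa: IIN starts with 4; 13, 16 or 19 digits.
  if (digits[0] === "4" && [13, 16, 19].includes(len)) return "visa";
  // MasterCard: IIN 51-55 or 2221-2720; 16 digits. Disjoint from Visa.
  if (len === 16 && ((two >= 51 && two <= 55) || (four >= 2221 && four <= 2720))) {
    return "mastercard";
  }
  return "unknown";
}

// Public test numbers (constructed sample input, not real cards):
// cardBrand("4111 1111 1111 1111") -> "visa"
// cardBrand("5555555555554444")    -> "mastercard"
// cardBrand("378282246310005")     -> "unknown" (Amex prefix, valid Luhn)
```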

The thing for me is that even though a crooked site can look perfect, many of them aren’t, so take advantage of all the clues you can.

Spelling mistakes, grammatical oddities, redundant questions, and “what *were* they thinking of” layout…all can help you figure, “This is not what it seems.”

And, indeed, why show three different card images but then have a drop down box with one item? It’s an oddity that suggests bogosity in my book – it’s like having a question “specify your country of residence” and then having a dropdown that just says “Earth.”

As we advise, if in doubt, don’t give it out. The retailers are falling over themselves to sell you stuff. Why buy from an online store with a phishy smell?

Of course, the fact that it’s a typosquatty domain name and that they want your CVV2 (and everything else) via plain HTTP suggests crookedness, and the lack of TLS means that the operators are incompetent at the very best, and you should not use this site ever or anyway…

In short: don’t let a perfect layout convince you a site is good. Some crooks can spell. But *do* let weirdnesses set your bogosity detector off!

Reply

Why not just google the site name and see what comes up? (“no such URL” etc.) Or, if a URL is furnished, see if it is exactly the same as the suspect bogus site? It’s much easier to spot the bogus site this way.

Reply

Be careful of just relying on an email and a quick search engine result (with no further research) to “close the loop” on legitimacy. A search engine is a tool to help you find content, not really one that researches and vouches for it. Remember that crooks can poison search results – possibly only temporarily – by flooding fake content onto hacked websites at the same time as they push out their email scam campaigns.

Reply

Also disturbing is where these scammers obtain your email address from. I suspect my recent Ugg email has been lifted off ebay transactions. Besides a round of spam following a purchase several months ago, this particular email names me by Givenname Initial Surname, which is the way it appears on my credit card, and that format is only ever filled in on actual purchases.

Nearly finished altering profiles for all valid emails using that address. In future I’m using ebay@domain, paypal@domain etc. so I know where the leak comes from.

Reply
