Even if you’re an ascetic who eschews the materialism of holiday shopping, the Black Friday and Cyber Monday juggernaut is hard to avoid. Stores hawk their deals everywhere, promotional emails flood your inbox, tweets and even texts tell you what to buy, and where, for the best price. But before you give in to the siren’s song of cheap fitness trackers, keep in mind that online scams are lurking everywhere. And the threat is greater this year than ever.
Retail-related scams and schemes plague the internet all year round, but Black Friday and Cyber Monday are particularly appealing for hackers given the surge in shoppers—all of whom are potential targets. The typical retail scams all apply, like phishing emails pitching you cheap Gucci sunglasses, bogus websites trying to lift your credit card number, and attackers planting malware and cryptojacking modules wherever they think consumers might click. But researchers have found that Black Friday and Cyber Monday give scammers extra cover, particularly for standalone malicious websites and apps that can tie into the broader wave of special promotions.
“Over Black Friday weekend, if you’re visiting a top e-commerce site, everyone knows—threat actors included—that you’re planning on spending money, and very likely more money than you usually spend,” says Yonathan Klijnsma, a researcher at the threat detection firm RiskIQ. “As a consumer, it’s important to pay attention to detail while shopping online and pay attention to your surroundings. There are usually clues that can help you identify something potentially malicious.”
Malicious websites, apps, emails, texts and other lures try to motivate victims to take action. They might offer a time-limited deal, or a low price that’s hard to turn down to try to get targets to act before they think. That’s partly why they’re so dangerous around Black Friday; retailers use the same tactics to promote their sales. Black Friday hustles can more easily make wild claims without seeming too scammy. But researchers say that your intuition is the best judge of what’s real and what’s not. You’re never, ever going to see the latest iPhone model for 70 percent off.
“There are usually clues that can help you identify something potentially malicious.”
Yonathan Klijnsma, RiskIQ
RiskIQ searched mobile app stores all over the world for terms like “Black Friday” and “Cyber Monday,” also combining them with top brand names. More than 5.5 percent of the thousands of results were malicious apps that contain credit card number skimmers, adware, malware, or even mobile ransomware. Scams popped up more frequently on third-party app stores than Google Play and Apple’s App Store, but offending apps showed up everywhere. Some also extend their phishing schemes by pretending to have users link the app with a trusted service like Facebook or Google, to steal those login credentials. The researchers found more than 6,000 malicious apps posing as special Black Friday or Cyber Monday downloads from top retail brands.
The growing mobile threat matters, given the rise of smartphone shopping. For Black Friday 2017, the marketing analytics firm Criteo found that 40 percent of all online transactions took place on smartphones, up 11 percent from 2016. Cyber Monday 2017 saw $2 billion in mobile sales.
“Each year around this time, two fluctuations in the threat landscape occur—phishing volume spikes significantly and the themes and targets change,” says Crane Hassold, senior director of threat research at the phishing defense firm Agari. “Around the holiday season there is a reasonable expectation of someone receiving emails from various companies promoting sales or requesting information, so phishers piggyback on this to blend into the crowd.”
“Each year around this time, two fluctuations in the threat landscape occur—phishing volume spikes significantly and the themes and targets change.”
Crane Hassold, Agari
This year’s holiday shopping season faces particular threats from the e-commerce attacker known as Magecart, a constellation of criminal groups known for aggressively compromising retail websites with credit card number skimmers. The hackers place code in a brand’s legitimate website, often a simple keylogger, that records credit card numbers as customers type them into legitimate checkout forms. In recent months, British Airways, Ticketmaster, and the popular electronics retailer Newegg have all suffered Magecart attacks, potentially exposing millions of customers.
“These are mainly classic tricks, but this year is especially dangerous with the all-out assault by Magacart,” RiskIQ’s Klijnsma says. “They are compromising hundreds of e-commerce sites each day and placing their credit-card skimming scripts on them to directly intercept consumers’ information as they make purchases.”
As always, be careful to only shop on legitimate websites and apps, says Scott Grissom, chief product officer at LegalShield. Only download apps from vetted stores like Google Play and Apple’s App Store, and choose the most popular and highly rated version of apps. You can also check the developer account that posted an app if you want to get a sense of its reputation or confirm its legitimacy.
For browsing websites, only click top-ranked search results, or even type URLs in manually if you’re really worried. Check links for typos, repeated letters, or other flaws that could indicate an imposter site. Grissom also suggests keeping an eye on your bank statements and credit card bills so you can catch any suspicious activity quickly. And perhaps most importantly, beware deals that are just too good to be true.
As with all hustles, Black Friday and Cyber Monday scams will try to create a sense of urgency that spurs you to grab deals before they’re gone. “From a protection and prevention standpoint, the same principles apply,” Agari’s Hassold says. “Stop and take a second to think before taking action.”
More Great WIRED Stories