Black Friday/Cyber Monday Ecommerce Security Threats

With the end of November comes the height of the holiday shopping season — specifically Black Friday and Cyber Monday sales, which typically span the last calendar days of November into the first week of December.

As consumer behavior changes and online transactions become favored over traditional retail-store purchases, Black Friday and Cyber Monday are becoming harder to differentiate. Many retailers extend sale pricing throughout this time period in an effort to maximize profits and engage eager shoppers.

In fact, the total number of online sales for the 2018 holiday sale period was a record ~$7.9 billion, a nearly 20% increase from the previous year.

2018 was also the first year where half of online shoppers came from mobile devices, indicating a shift in consumer behavior.

Adobe’s analytics were particularly interesting, which included a breakdown of 2018’s Cyber Monday online traffic sources.

Sources of Online Traffic Sales

While a social media presence has become a necessity for most online businesses, Adobe’s data shows that strong SEO and email advertising efforts continue to dominate during this period.

Emerging Ecommerce Threats

There are a number of threats that both consumers and website owners need to be aware of during the 2019 holiday season.

BOPIS Fraud

In-store card-present transactions leveraging stolen payment data have been on the decline in the United States, ever since merchants and payment processors rolled out EMV enabled payment cards and POS devices.

New consumer habits, such as buy online, pick up in store (BOPIS), now allow customers to pick up products at a physical locations after purchasing them on the retailer’s website – so these transactions become classified as card-not-present.

CNP vs CP Liability

It is important to differentiate between card-present and card-not-present transactions as they are key to determining who is liable for the fraudulent charges.

If all agreed upon policies are followed, liability falls on either the card issuer or the merchant:

  • Card-present – Card issuer is liable for fraudulent charges
  • Card-not-present – Merchant is liable for fraudulent charges

Since merchants offering BOPIS are liable for fraudulent transactions, it is important that strong authentication processes are implemented to ensure that purchased products are seamlessly handed off to only authorized users.

Unfortunately, there are still retail merchants that have little to no authentication process for in-person pickups, making them likely targets for abuse due to a lack of security controls.

BOPIS Fraud
Availability of stolen accounts containing payment information is abundant. Bad actors often offer to match ZIP codes and locations with the stolen accounts they sell.

This threat also impacts consumers, as they are ultimately the source of the stolen data — whether it is a stolen payment card or a stolen merchant account (e.g Walmart) that already has a saved payment method ready for use.

EMV payment cards can have payment data stolen through shimming, allowing them to be used in card-not-present transactions. They are safe (for the most part) from being cloned and used in card-present transactions. This method — essentially allowing scammers to lift information from chip cards with an EMV microchip — can be used to gather stolen payment card data for use in fraudulent activity like purchasing items in card-not-present transactions.

E-skimming

E-skimming is a threat to any website that accepts payment cards. It involves the execution of malicious code during specific conditions — for example, only on the checkout page. This code captures and transmits the stolen payment card data to the hacker as customers enter it in real time.

How E-skimming Works

Much like physical skimmers, transactions proceed normally. Most users won’t notice that payment card information was being stolen during the process. This is because e-skimmers will often just use one domain and it may look very similar to legitimate domains. In addition, they will also often use cloaking techniques like not loading the e-skimmer if the victim has their browser’s developer tools open when loading the infected page.

We’ve seen a variety of different e-skimmers impacting Magento websites for years, but throughout 2019 the most common credit card stealing malware we’ve found on infected ecommerce websites were variants of this Javascript e-skimmer:

JavaScript Credit Card Stealer Obfuscation

This e-skimmer can obfuscate itself by loading from fake, legitimate-looking domain names.

In one case, this credit card stealer used google-analytîcs[.]com to trick site visitors into thinking it was just a Google service loading in the background, when it would actually load the Javascript e-skimmer shown above.

In fact, e-skimming threats have garnered so much attention that the FBI and US-CERT have released a warning about it for the 2019 holiday season, along with a PDF that does a good job explaining the risks to users.

Phishing

Phishing attacks continue to be a pervasive threat in 2019. Phishing campaigns can be distributed through a variety of methods, but are most commonly circulated via popular communication channels like email, SMS, and messaging applications like Facebook or Instagram.

Phishing Emails: A Closer Inspection

While spam and phishing filters at major email providers have become much better at displaying warnings for suspected emails, they don’t always move suspicious emails to the junk folder.

Let’s examine a phishing email that I recently received.

AppleID Phishing Email Campaign
A suspected phishing email that was delivered to the inbox instead of the junk folder.

From the subject and email content, we can see that the attacker is targeting Apple ID users in this phishing campaign.

This email spreads fear, uncertainty, or doubt (FUD) — a common tactic — by claiming that the victim’s Apple ID has been locked. Attackers bank on the fact that victims will skim this email content, become alarmed by the message contents, and click on the big Unlock Account button.

Once the Unlock Account button has been clicked, the user is sent  to a phishing website to harvest sensitive payment information and other personal details.

Since Apple ID can have payment methods associated with an account, attackers obtain this information by tricking victims into submitting their payment and personal details through a fake “verification process.”

At the time of writing, the landing page for this campaign has since been disabled but was verified as a threat on Phishtank.

What Happens to Stolen Information?

As mentioned in previous posts, stolen credit card information is often resold to other fraudsters through various distribution methods including forums, Discord channels, darknet markets, etc.

Below is an example of stolen payment and personal data for sale.

Stolen credit card and payment information for sale

Due to the Apple ID references in this listing, we can assume this information was phished using a similar method to the one we just described.

How to Spot Check Phishing Emails

If you suspect an email may be legitimate, I would advise verifying with the following steps to be 100% certain.

The first step is to check and verify the sender’s email address. In the phishing sample image above, we can see that the sender’s email address is listed as wdttt8xkh9w@wishingyouarehere[.]com.

If we check on the domain wishingyouarehere[.]com, then we can see it was registered earlier this year and is exclusively used for sending emails through G-Suite/Gapps as it lacks the necessary DNS records to host a website.

[*]      MX aspmx.l.google.com 64.233.185.27

[*]      MX alt1.aspmx.l.google.com 173.194.214.26

...

[*]      SPF v=spf1 include:_spf.google.com ~all

[*]      TXT wishingyouarehere[.]com v=spf1 include:_spf.google.com ~all

Perhaps what is even more revealing is if we search for other domains registered under the same name — Deborah musichouse — we can find an entire list of domains that were registered to this presumably fake name on the same date with the same registrar.

  • wishingyouarehere[.]com     2019-03-07 domains.google.com
  • kaubicarakandenganadarendah[.]net     2019-03-07 domains.google.com
  • whatareyoudoingnow[.]business     2019-03-07 domains.google.com
  • walautaktersisaceritacinta[.]info     2019-03-07 google.com
  • semakinkumemikirkanmu[.]info     2019-03-07 google.com
  • menangislahselagikamubisa[.]info     2019-03-07 google.com
  • danjanganengkaupergilagi[.]info     2019-03-07 google.com
  • berselimutditengahdingindunia[.]info     2019-03-07 google.com

In total, there have been over 100 other domains registered to this fake name at the same registrar and on the same day.

Many of these domains use words from the Indonesian language, which is also suspicious. There are numerous hacking groups that operate from there — if you ever deal with website malware, you may be aware of Indonesian words like gagal which means failed and its counterpart sukses which means success. These terms are often used in many backdoors.

To spot check emails like this for phishing, I would also encourage you to go to the website directly in your browser instead clicking on any of the HTML buttons or links in the email itself. Oftentimes, attackers will conceal the phishing URL behind a series of redirects.

Some of these campaigns even abuse legitimate services that allow redirects, as seen with this malicious URL that redirects through a Tumblr domain.

hxxps://t.umblr[.]com/redirect?z=https%3A%2F%2Fparg.co%2FWLB&t=MDA1NTYxZjkyY2ViNDczZTM0ZmRlZjY2NGQxMWE5N2M2YTA0MzVkNixPeFhLUVpWVw%3D%3D&b=t%3ACaEGyjyYHOdREkaAVkFDTw&p=https%3A%2F%2Fpantekpantek123.tumblr.com%2Fpost%2F188840938847%2Fasu3&m=1?trackID=JPPZCJFUTL70695339

This redirect service can make it more difficult for someone to be able to quickly determine whether it is malicious, increasing the likelihood of them just clicking the redirect link to the phishing page.

Of course there are also other methods of phishing, such as vishing (phishing over the phone), which can be very sophisticated. KrebsOnSecurity has a great article covering this topic, which can be found here.

By LUKE LEAL