Black Friday and Cyber Monday are two of the most-awaited shopping events each year. That said, they have also become favorite occasions for scammers to run their most ingenious campaigns, designed to part shoppers with their cash or, worse, their identities.
Over the years, we’ve seen the worst Black Friday and Cyber Monday scams—fake order, phony tracking number, bogus website, hot deal, and fake charity scams—line cybercriminals’ pockets. We’re quite certain we’ll see many of them this year as well.
We at Threat Intelligence Platform (TIP) thus sought to exert due diligence to hopefully lessen the risks online shoppers may face. Our in-depth investigation uncovered:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our investigation by scouring the DNS for domains and subdomains created just this year that could serve as potential vehicles for Black Friday and Cyber Monday-related scams. Our searches led to the discovery of 358 web properties—180 domains and 178 subdomains specifically.
The largest share of the domains (47 or 25%) was created just last month, while 42% of the subdomains (77, to be exact) were first seen as soon as the year began. The chart below compares the domain and subdomain registration growth volumes throughout the year.
Based on the domain registration volume trend, the highest number of potential scam page hosts were created about two months before the events. The subdomain addition volume trend, meanwhile, peaked in January.
TIP screenshots showed that 30 of the domains and 66 subdomains currently host live content. Examples of those that look like online shopping pages are shown below.
Closer scrutiny of the web properties also revealed that a majority of both the domains (96) and subdomains (103) contained the string “deal.” Note, though, that each string can appear in more than one cyber resource.
The top 3 domain strings that appeared alongside “blackfriday” or “cybermonday” were “deal,” “sale,” and “coupon,” as shown in the word cloud below.
“Deal,” “sale,” and “discount,” on the other hand, were most used among the subdomains, as shown below.
Interestingly, the pages’ WHOIS records showed that only nine of the domains and subdomains were likely owned by legitimate businesses based on the registrant email addresses their owners indicated. We couldn’t exactly determine the ownership legitimacy of the remaining 191 web properties whose WHOIS records have been redacted.
We were, however, able to retrieve six unredacted registrant email addresses that have been used to register 4,519 domains throughout their existence. A bulk TIP malware check showed that 34 of these were dubbed “malicious” by various malware engines.
TIP IP geolocation data also showed that 305 of the digital properties resolved to 484 IP addresses, most of which were geolocated in the U.S. (285) and Canada (57), which isn’t surprising since the events have to do with Thanksgiving Day celebrations. What is a bit surprising, though, is that some IP addresses were geolocated in countries that don’t celebrate the holiday, such as Germany, South Korea, and the Netherlands, among 20 others. A possible explanation is that these countries may have local celebrations.
Additionally, 273 of the IP hosts were shared by at least 36,973 domains and subdomains, 61 of which were confirmed malicious—60 were malware hosts and one was a spam sender.
While none of the Black Friday and Cyber Monday-related domains and subdomains we uncovered have been dubbed “malicious,” many of them could be hacked or weaponized to serve as malware hosts or phishing pages. Our more in-depth investigation, however, led to the discovery of 95 malicious web properties tied to the Black Friday and Cyber Monday domains and subdomains initially found, either by shared registrants or IP hosts, that could put online shoppers at great risk.
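The two pivots described above (a seed domain's registrant email address and the IP hosts it shares with other web properties) worked through as an added Python example on a small constructed data set. This is not TIP's code; the domain names, email addresses and IP addresses are invented stand-ins for WHOIS and DNS lookup results, and the "malicious" flag stands in for a malware-engine verdict.

```python
"""IoC list expansion by registrant-email and shared-IP pivoting (constructed data)."""
# Constructed stand-in for WHOIS + DNS lookups: registrant email (None = redacted),
# resolved IPs, and a malware-engine verdict. All names and addresses are invented.
RECORDS = {
    "blackfriday-deals.test":  {"registrant": "reg1@mail.test",  "ips": {"203.0.113.10"}, "malicious": False},
    "cybermonday-coupon.test": {"registrant": None,              "ips": {"203.0.113.10"}, "malicious": False},
    "bf-sale-2020.test":       {"registrant": "reg1@mail.test",  "ips": {"198.51.100.7"}, "malicious": False},
    "blackfridaysale.test":    {"registrant": "reg2@mail.test",  "ips": {"192.0.2.33"},   "malicious": False},
    "free-gift-cards.test":    {"registrant": "reg1@mail.test",  "ips": {"198.51.100.9"}, "malicious": True},
    "shop-support-login.test": {"registrant": None,              "ips": {"203.0.113.10"}, "malicious": True},
    "weather-news.test":       {"registrant": "other@mail.test", "ips": {"192.0.2.33"},   "malicious": False},
    "unrelated-blog.test":     {"registrant": "x@mail.test",     "ips": {"198.51.100.1"}, "malicious": True},
}
EVENT_KEYWORDS = ("blackfriday", "cybermonday")
SCAM_TERMS = ("deal", "sale", "coupon", "discount")


def find_seeds(records, keywords=EVENT_KEYWORDS):
    """Initial sweep: domains whose name contains an event keyword (hyphens ignored)."""
    return sorted(d for d in records if any(k in d.replace("-", "") for k in keywords))


def term_counts(domains, terms=SCAM_TERMS):
    """How many of the seed domains also carry each scam-flavoured string."""
    return {t: sum(1 for d in domains if t in d) for t in terms}


def expand_by_pivot(records, seeds):
    """Second hop: non-seed domains sharing a seed's registrant email or an IP host.
    A redacted (None) registrant is never used as a pivot key."""
    seed_set = set(seeds)
    by_registrant, by_ip = set(), set()
    for s in seeds:
        reg, ips = records[s]["registrant"], records[s]["ips"]
        for d, r in records.items():
            if d in seed_set:
                continue
            if reg is not None and r["registrant"] == reg:
                by_registrant.add(d)
            if ips & r["ips"]:
                by_ip.add(d)
    return {"shared_registrant": sorted(by_registrant), "shared_ip": sorted(by_ip)}


def related_malicious(records):
    """Domains reachable from the seeds by either pivot that a malware engine flagged."""
    hops = expand_by_pivot(records, find_seeds(records))
    linked = set(hops["shared_registrant"]) | set(hops["shared_ip"])
    return sorted(d for d in linked if records[d]["malicious"])
```

Note that `unrelated-blog.test` is flagged malicious but never reached by either pivot, so it stays out of the expanded list; only domains linked to a seed through a shared registrant or IP host are reported.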
TIP, aided by WHOIS and DNS tools, can thus help organizations and individuals alike, through phishing surface identification and IoC list expansion, avoid the secondary perils that the biggest sales events of each year may bring.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.