Check Point Research Warns Shoppers to Stay Alert this Black Friday as Hackers Launch Their Own Holiday Specials – Check Point Blog

Check Point Research warns of a sharp rise in fake shopping-related sites and phishing campaigns ahead of Black Friday, including impersonation of Louis Vuitton and DHL delivery scams. The report highlights lookalike domains, malicious emails, and delivery-themed phishing, urging shoppers to verify sources and beware suspicious links. #LouisVuitton #DHL

Key points

  • Surge in fake shopping websites ahead of Black Friday, including lookalike Louis Vuitton sites and related campaigns.
  • 17% of all malicious files distributed by email in November related to orders, deliveries, and shipping.
  • Since the start of the month, 4% of all new shopping-related websites were found to be malicious.
  • Louis Vuitton phishing campaign used spoofed emails (e.g., psyqgcg@moonfooling[.]com) and lookalike domains (jo[.]awojlere[.]ru) to redirect victims to fraudulent sites.
  • Delivery-themed phishing scams impersonated DHL, with links such as https://lutufedo[.]000webhostapp[.]com/key[.]php used to harvest credentials.
  • The article provides six practical tips to stay safe during online shopping: verify sources, watch for similar domains, beware “too good to be true” offers, look for HTTPS/padlock, use endpoint security, and be cautious with password-reset emails.

MITRE Techniques

  • [T1566.001] Phishing – Spearphishing Email – The malicious email used a spoofed brand and enticing subject to lure clicks, e.g., “The email contained the subject line ‘Black Friday Sale. Starts at $100. You’ll Fall In Love With Prices.’ … persuade the victim to click on two malicious links within the email.”
  • [T1566.002] Phishing – Spearphishing Link – The campaign directed victims to malicious URLs such as “jo[.]awojlere[.]ru” and related domains to harvest credentials or deliver further malware.

Indicators of Compromise

  • [Domain] 88off-bags[.]co, 87off-bags[.]co, 86off-bags[.]co, 89off-bags[.]co – lookalike Louis Vuitton domains used in fake shopping sites and campaigns
  • [Domain] jo[.]awojlere[.]ru – domain used in Louis Vuitton phishing links
  • [URL] http://jo[.]awojlere[.]ru/khasikdhiasd97s8d755f45sa4df654asd54asda5s4f6as4fd65asd/54846984c8as48d974a1c8sa7d68as76f84sa6f846sa[.]html – malicious link in a phishing email
  • [URL] https://lutufedo[.]000webhostapp[.]com/key[.]php – credential-stealing link tied to delivery-themed phishing
  • [Email Address] psyqgcg@moonfooling[.]com, support@consultingmanagementprofessionals[.]com – sender addresses observed in phishing campaigns
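One way to put the domain indicators above to work, as an added example that is not from the Check Point report: it matches web-proxy log lines against the listed hosts and also flags groups of hosts that differ only in their digits, the pattern the 86–89off-bags domains follow. The log format, the function names, the 84/85 hosts and all paths in the sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts taken from the indicator list above, kept defanged as on the page.
IOC_HOSTS = ["88off-bags[.]co", "87off-bags[.]co", "86off-bags[.]co",
             "89off-bags[.]co", "jo[.]awojlere[.]ru",
             "lutufedo[.]000webhostapp[.]com"]

def host_of(url_or_host):
    """Refang '[.]' and return the lowercase hostname of a URL or bare host."""
    value = url_or_host.strip().replace("[.]", ".")
    if "://" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").rstrip(".")

def matches_ioc(host, iocs):
    """True if host is an indicator host or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in iocs)

def numbered_siblings(hosts, min_cluster=3):
    """Group hosts that differ only in their digits (86off-, 87off-, ...)."""
    groups = defaultdict(set)
    for h in hosts:
        if re.search(r"\d", h):
            groups[re.sub(r"\d+", "#", h)].add(h)
    return {t: sorted(g) for t, g in groups.items() if len(g) >= min_cluster}

def scan(log_lines):
    """Parse 'timestamp client url' lines; return (ioc_hits, sibling_clusters)."""
    iocs = {host_of(d) for d in IOC_HOSTS}
    hits, seen = [], set()
    for line in log_lines:
        ts, client, url = line.split(maxsplit=2)
        host = host_of(url)
        seen.add(host)
        if matches_ioc(host, iocs):
            hits.append((ts, client, host))
    return hits, numbered_siblings(seen)

# Constructed proxy log (assumed format). URLs are written defanged; the
# 84/85 hosts and all paths are hypothetical, not from the report.
SAMPLE_LOG = [
    "2022-11-18T09:01:02Z 10.0.0.5 http://jo[.]awojlere[.]ru/constructed.html",
    "2022-11-18T09:02:10Z 10.0.0.7 https://88off-bags[.]co/",
    "2022-11-18T09:03:00Z 10.0.0.7 https://85off-bags[.]co/sale",
    "2022-11-18T09:03:30Z 10.0.0.7 https://84off-bags[.]co/sale",
    "2022-11-18T09:04:00Z 10.0.0.9 https://other[.]000webhostapp[.]com/",
]

if __name__ == "__main__":
    hits, clusters = scan(SAMPLE_LOG)
    print(hits, clusters, sep="\n")
```

The 000webhostapp entry is matched only as the exact listed subdomain, because the parent is a shared hosting domain and blocking it outright would catch unrelated sites.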

Read more: https://blog.checkpoint.com/2022/11/17/check-point-research-warns-shoppers-to-stay-alert-this-black-friday-as-hackers-launch-their-own-holiday-specials/