Beware of Cybercriminals Preying on Online Shoppers on Black Friday | FortiGuard Labs

Fortinet FortiGuard Labs highlights two Black Friday-themed scams: a reused decoy PDF phishing lure and a typosquatting scheme that redirects shoppers to fake sites and surveys. The report also covers a Chrome-based PUA named Chromnius, protection recommendations, and a list of IOCs to help defend retailers and consumers during the holiday season. #Chromnius #LeonviRu

Keypoints

  • The article warns of two Black Friday-focused cyber threats: an old PDF phishing lure and a typosquatting-led campaign targeting shoppers.
  • The decoy PDF Walmart_black_Friday_11_14_20.pdf, though from 2020, was submitted to VirusTotal in 2022, and its first page presents an “I’m not robot” CAPTCHA to prompt user interaction.
  • Users who engage are redirected from leonvi.ru to a fake Amazon loyalty-survey site that promises a chance to win an iPhone, illustrating how old tricks still work today.
  • Typosquatting schemes rely on misspelled or look-alike URLs (e.g., blackfriday.com, nlackfriday.com) to redirect to fraudulent or affiliate sites and potentially malware.
  • Examples include redirects to online lotteries or security software pages (e.g., TotalAV) and a Chrome-based browser installer (Chromnius), showing multiple lure types tied to Black Friday traffic.
  • Fortinet provides protections (PDF/Phish.5E08!tr; Riskware/Chromnius; Webfilters) and lists multiple IOCs to help detect and block these campaigns.
  • Shopper safety guidance emphasizes due diligence, WHOIS checks, and cautious purchasing practices during the holiday season.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – The decoy PDF ("Walmart_black_Friday_11_14_20.pdf") is used to lure victims. "The first page of the PDF only includes an 'I'm not robot' CAPTCHA human authentication."
  • [T1204.002] User Execution: Malicious Link – After interacting with the PDF, the recipient is redirected to malicious sites. "The user is first redirected to the website leonvi[.]ru, and then redirected again to a fake Amazon 'loyalty program' site that claims the user was randomly chosen for a survey."
  • [T1583] Acquire Infrastructure – Typosquatting domains are used to lure users to malicious or affiliate pages. "Visiting blackfriday[.]com redirects to an online lottery site" and "nlackfriday[.]com" redirects to other sites.

Indicators of Compromise

  • [File Hash] b3f691d3a768715898bdee25835259585d3a8c708251ddf829ad011379af558f (Walmart_black_Friday_11_14_20.pdf)
  • [Domain] 1811.mmpairtap.live – fake Amazon survey site
  • [Domain] blackftiday.com – typosquatting
  • [Domain] nlackfriday.com – typosquatting
  • [File Hash] 961a53089f14c69061c3e156bf279550fb108f8023cc54e1086343eca6d3c437 (Chromnius browser installer)
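As an added, defender-side example (not part of the FortiGuard report and not Fortinet's code), the script below turns the two detection ideas on this page into something a SOC analyst could run over proxy logs: it flags hosts and SHA-256 digests that match the IOCs listed above, and it catches look-alike domains such as nlackfriday.com or blackftiday.com by measuring edit distance against a short list of protected brand domains. The brand list, the four-column log format, the sample log rows and the "last two labels" shortcut for the registrable domain are all assumptions made for this example; a production version would use a public-suffix list and the organisation's own brand inventory.

```python
"""Flag known IOCs and look-alike (typosquat) domains in a simple proxy log (example, not Fortinet's code)."""
from __future__ import annotations

# Assumption: brands the organisation wants to protect shoppers against look-alikes of.
BRAND_DOMAINS = ["blackfriday.com", "amazon.com", "walmart.com"]

# IOC domains and hashes taken from the report above (defanged "[.]" removed).
IOC_DOMAINS = {"leonvi.ru", "1811.mmpairtap.live", "blackftiday.com", "nlackfriday.com"}
IOC_SHA256 = {
    "b3f691d3a768715898bdee25835259585d3a8c708251ddf829ad011379af558f",  # decoy PDF
    "961a53089f14c69061c3e156bf279550fb108f8023cc54e1086343eca6d3c437",  # Chromnius installer
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification (assumption): no public-suffix
    list, so 'shop.example.co.uk' would reduce to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def closest_brand(host: str, brands=BRAND_DOMAINS, max_distance: int = 1):
    """Return (brand, distance) when the host's registrable domain is within
    max_distance edits of a protected brand but is not that brand itself."""
    candidate = registrable_domain(host)
    if candidate in brands:
        return None  # the genuine brand domain, not a look-alike
    best = None
    for brand in brands:
        d = levenshtein(candidate, brand)
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best


def matches_ioc_domain(host: str) -> bool:
    """True when the host equals an IOC domain or is a subdomain of one."""
    host = host.lower()
    return any(host == ioc or host.endswith("." + ioc) for ioc in IOC_DOMAINS)


def scan_proxy_log(lines):
    """Each line (constructed format): '<timestamp> <client_ip> <host> <sha256|->'.
    Returns one finding per line that trips at least one rule."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed rows instead of crashing on them
        ts, client, host, digest = parts
        reasons = []
        if matches_ioc_domain(host):
            reasons.append("ioc_domain")
        if digest != "-" and digest.lower() in IOC_SHA256:
            reasons.append("ioc_sha256")
        hit = closest_brand(host)
        if hit:
            reasons.append(f"typosquat:{hit[0]}:{hit[1]}")
        if reasons:
            findings.append({"ts": ts, "client": client, "host": host, "reasons": reasons})
    return findings


# Constructed sample rows, not real traffic.
SAMPLE_LOG = [
    "2024-11-29T08:00:01Z 10.0.0.5 www.amazon.com -",
    "2024-11-29T08:00:07Z 10.0.0.5 nlackfriday.com -",
    "2024-11-29T08:01:12Z 10.0.0.9 leonvi.ru -",
    "2024-11-29T08:01:15Z 10.0.0.9 1811.mmpairtap.live -",
    "2024-11-29T08:02:40Z 10.0.0.12 cdn.example.net "
    "961a53089f14c69061c3e156bf279550fb108f8023cc54e1086343eca6d3c437",
    "2024-11-29T08:03:00Z 10.0.0.12 amaz0n.com -",
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f["ts"], f["client"], f["host"], ",".join(f["reasons"]))
```

The edit-distance threshold defaults to 1 because single-character typos (a swapped letter, a 0 for an o) are the pattern the report describes; raising it catches more look-alikes but quickly starts matching unrelated short domains, so tune it against your own traffic before alerting on it. The genuine www.amazon.com row produces no finding, while the IOC hits and the look-alike amaz0n.com row do.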

Read more: https://www.fortinet.com/blog/threat-research/Beware-of-Cybercriminals-Preying-on-Online-Shoppers-on-Black-Friday