December 11, 2018 (updated 03 Jan 2019 2:28pm)

Consumers left vulnerable as cybercriminals deliver online shopping spam campaigns for Christmas

By Luke Christou

While the methods used by cybercriminals to steal data and access accounts seem to be getting more complex – from criminal organisations impersonating CEOs to breaching databases containing the credentials of hundreds of millions of users – new research shows that the oldest methods are still the most common.

According to cyber security provider F-Secure, spam campaigns are still the cyberattack method to watch out for this Christmas.

Spam emails account for nine in every 10 attempts made by cybercriminals to infect devices.

However, with consumers becoming more aware of these threats, December is the season to be jolly for cybercriminals as online shoppers are bombarded by purchase invoices and shipping updates.

In 2016, some 154 million United States citizens made a purchase on Black Friday, which kicks off the Christmas shopping season. Approximately 70% of those purchases were made online, and with Christmas approaching the number of purchases made in the month that follows likely increases too.

Because of this, according to F-Secure’s Behavioural Science Lead Adam Sheehan, spam campaigns are more effective during the holiday period.

This year these spam campaigns have increasingly been delivered in the form of fake delivery notifications or online shopping receipts. These emails alert users to a delivery or a purchase and ask the user to click a link to view more details, such as a delivery time or purchase invoice. The link leads to a website which then downloads malicious files that infect the system.

“The kind of spam that criminals use doesn’t seem to be spammy to a lot of people this time of year,” Sheehan said. “More people are just more open to the commercial messages spammers like to spoof, which makes individuals more vulnerable at home and at work.

“Tests we performed using simulated Black Friday and Cyber Monday phishing emails saw about 39% more people click than similar tactics we use at other times during the year, which isn’t a trend we like to see.”
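As an added illustration, not code from the article or from F-Secure, the Python script below checks constructed sample emails for the lure pattern described above: delivery or purchase wording combined with a link whose real destination differs from the sender's domain or from the address the link text displays, or that fetches a file rather than a web page. Every domain in the samples is a made-up placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Wording typical of the fake delivery / purchase-receipt lures described in the article.
LURE_WORDS = re.compile(r"\b(deliver\w*|shipment|shipping|parcel|invoice|receipt|order)\b", re.I)
ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Extensions that mean "click to view details" actually fetches a file onto the machine.
PAYLOAD_EXT = (".exe", ".js", ".vbs", ".zip", ".doc", ".docm", ".xls", ".xlsm")

# Crude parent domain ('track.x.example' -> 'x.example'); ignores multi-label public suffixes.
registrable = lambda host: ".".join(host.lower().split(".")[-2:])

def lure_indicators(raw):
    msg = message_from_string(raw)  # assumes a single-part HTML message for simplicity
    sender_dom = registrable(parseaddr(msg.get("From", ""))[1].split("@")[-1])
    body, reasons = msg.get_payload(), []
    if LURE_WORDS.search(msg.get("Subject", "")) or LURE_WORDS.search(body):
        reasons.append("delivery/purchase lure wording")
    for href, text in ANCHOR.findall(body):
        url = urlparse(href)
        link_dom = registrable(url.hostname or "")
        if link_dom and link_dom != sender_dom:
            reasons.append(f"link host {url.hostname} does not match sender domain {sender_dom}")
        shown = urlparse(re.sub(r"<[^>]+>", "", text).strip())  # what the user actually sees
        if shown.hostname and registrable(shown.hostname) != link_dom:
            reasons.append(f"link text shows {shown.hostname} but points to {url.hostname}")
        if url.path.lower().endswith(PAYLOAD_EXT):
            reasons.append(f"link fetches a file download ({url.path.rsplit('/', 1)[-1]})")
    return reasons

def is_suspicious(raw):
    # Lure wording alone is normal for real retailers; flag only when a link indicator adds to it.
    return len(lure_indicators(raw)) >= 2

# Constructed samples; every domain is a made-up placeholder.
SAMPLE_LURE = """From: "ParcelCo" <notice@parcelco-updates.example>
Subject: Your parcel could not be delivered - action required
Content-Type: text/html

<p>We tried to deliver your order. View the delivery details:</p>
<a href="http://cdn.holiday-deals.example/track/invoice_48213.doc">https://www.parcelco.example/track</a>
"""
SAMPLE_LEGIT = """From: "ParcelCo" <notice@parcelco.example>
Subject: Your parcel has shipped
Content-Type: text/html

<p>Track it here:</p>
<a href="https://track.parcelco.example/t/48213">Track your parcel</a>
"""
```

Running `lure_indicators(SAMPLE_LURE)` returns four reasons (lure wording, sender mismatch, display-text mismatch and a .doc download), while the legitimate sample yields only the wording reason and is not flagged.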

A cyber criminal’s Christmas list

F-Secure’s research showed that the most common malware families delivered through spam email campaigns are Emotet, Trickbot and Panda, which are designed to capture a user’s online banking credentials, with the likely goal of gaining access to bank accounts.

These campaigns are commonly designed to target users in high-wealth, consumerist countries such as the United States, United Kingdom, Canada and Japan.

While attacks such as WannaCry and Petya highlighted ransomware – malicious software that locks users out of their files until a ransom is paid – F-Secure found that ransomware accounts for just 6% of malware sent through spam campaigns.

The majority of malware delivered acted as a downloader, bot or backdoor, essentially using the user’s system to conduct further cybercriminal activities. These sorts of malware, which accounted for 52% of all activity seen by F-Secure, are often used to deliver additional malware such as ransomware or banking Trojans.

“It’s true that we see less ransomware as the main payload in these spam emails, but it’s still frequently delivered as a follow-up payload by backdoors or bots,” F-Secure researcher Patricia Revilla-Dacuno said.

While little has changed in the way that cybercriminals deliver malware, the capabilities of these malicious files, once installed on a user’s system, are constantly evolving.

“Infection chains are becoming more complicated and the Emotet banking Trojan, which is fairly common, has evolved into a credential stealer and downloader, and is now used in different ways for a variety of schemes,” Revilla-Dacuno said.

“A couple of years ago we could have confidently pointed to ransomware as a big issue, but now there’s more of a variety of threats to watch out for.”

New Christmas cyber scams to watch out for

While cybercriminals continue to rely on spam as their main method of compromising computer systems, KIS Finance has warned of some innovative new scams that consumers should watch out for this Christmas.

According to the UK-based financial broker, scammers are appealing to our charitable side, impersonating charity organisations to ask for ‘donations’. These are usually in the form of phishing emails, but scammers also set up fake websites that mimic charity websites in an attempt to defraud customers.

This scam comes in various forms. Cybercriminals may also attempt to deceive shoppers with fake shopping websites or auction platforms, selling goods that will never be delivered. By falling for these scams, not only will you lose the money that you spend, but you also expose your banking details, putting yourself at risk of further fraud.

Social media is also increasingly being used to trick internet users into handing over money. Earlier this year, scammers compromised various ‘verified’ Twitter accounts and used them to send out messages asking for bitcoin payments in exchange for a reward. According to KIS Finance, hackers could use compromised social media accounts to target family and friends of the account’s owner, sending out pleas for a loan in order to afford Christmas presents.

As well as the usual varieties of phishing emails – from fake delivery notices to offers of financial reward – some criminals are also taking advantage of the time of year by sending out malicious Christmas e-cards. Asking the user to click a malicious link or download a malicious file in order to view the e-card is an easy way to trick users into compromising their systems and personal details.
