24 November 2021

The best Christmas presents this year will be enjoyed by hackers

This year’s Christmas winners will be hackers. Seriously. Cyber security is currently one of the main issues being addressed around the world. With many people being forced to stay at home due to the Covid pandemic, online shopping is growing. The growth of the e-commerce scene is a major impetus for hackers, who keep coming up with new and more sophisticated strategies. This is one of the reasons why Christmas scams are in full swing, and their rise is even more accelerated by a newly emerging trick which is set to fully appear on 26 November (Black Friday).

As online stores are getting ready for the expected increase in daily sales, we also need to be prepared for the increasing number of cyber-attacks in the upcoming period. This year, due to the ongoing pandemic, this will be true more than ever before. Christmas is a very lucrative time for hackers. With the holiday season and the end of the year approaching, the vigilance of shoppers is often reduced, and people let themselves be tricked by a variety of forms of online fraud.

Companies are under great handling pressure


This has been exploited by attackers for years, and their techniques now increasingly focus on abusing automated systems in order to get a victim to take a specific action or to obtain certain information, following the principles of social engineering. In automatically sent phishing emails, fraudsters lure victims with attractive pre-Christmas loans and discounts on electronics, toys, and other Christmas presents in order to get access to cash and sensitive data. They have been increasingly using mobile phones for these schemes.

Re-delivery fees can be a problem

“We all get packages with ordered Christmas presents. However, with the growing number of these packages, we often lose track of what we have ordered and when it is due to be delivered. Hackers have taken advantage of this and invented a new type of attack where a customer receives an innocent-looking SMS message on their mobile phone,” says Martin Lohnert, the head of the Void Security Operations Centre and an IT specialist at Soitron.

The message says something along the lines of: a package could not be delivered, and in order to book a new delivery date or pick up the package, you need to click on the following link. If the recipient does so, it takes them to what looks like the web page of a parcel delivery company. Since we are usually not familiar with what the websites of shipping companies look like, and we do not even remember who should be delivering which package, it never occurs to us that this may be a fraudulent website.

What is interesting about all this is that if the link is opened from a computer, a genuine-looking website will appear. However, if the link is opened on a mobile phone, part of the website address is not displayed, and most people do not notice that. The trick is that the fraudulent part of the address is hidden.
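An added example, not part of the original article: a small check that an SMS filter or help-desk tool could run on a delivery message, contrasting the part of the hostname a narrow display shows with the full hostname. The carrier domain, the sample messages and the cut-off width are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: domains the recipient's real carriers use (reserved example names).
TRUSTED_DOMAINS = {"parcel-carrier.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def is_under(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_sms_link(sms_text, trusted=TRUSTED_DOMAINS, visible_chars=24):
    """Compare what a narrow address bar would show with the full hostname.

    visible_chars models a display that keeps only the start of the address;
    that cut-off width is an assumption of this example.
    """
    match = URL_RE.search(sms_text)
    if not match:
        return None
    host = (urlsplit(match.group(0)).hostname or "").rstrip(".")
    shown = host[:visible_chars]
    trusted_host = any(is_under(host, d) for d in trusted)
    # A trusted name that appears in the host without the host ending in it
    # is only decoration: the rightmost labels decide who serves the page.
    mentions_brand = any(d in host for d in trusted)
    if trusted_host:
        verdict = "trusted"
    elif mentions_brand:
        verdict = "lookalike"
    else:
        verdict = "unknown"
    return {"host": host, "shown": shown, "hidden": host[len(shown):], "verdict": verdict}


# Constructed sample messages (not taken from a real campaign).
SAMPLES = [
    "Your package could not be delivered. Rebook: "
    "https://parcel-carrier.example.redelivery-fee.invalid/track?id=1",
    "Your parcel is on its way: https://track.parcel-carrier.example/p/1",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        print(check_sms_link(sms))
```

The verdict is decided by the end of the hostname, which is exactly the part a truncated display drops, so the check reads the full host rather than what is shown.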

“If the package recipient trusts the SMS message and clicks on the link, a phishing web page will appear saying that your package could not be delivered and that you need to specify where and when it should be delivered,” adds Lohnert.

After the victim enters their personal information, such as a name and an address, a message is displayed with an apology and a text saying that, for the package to be re-delivered, it is necessary to pay a small handling fee.

The hacker gets the complete package

In the pre-Christmas rush, people usually do not mind paying a little extra money just to make sure they actually get a long-awaited package. Such payments are made by card. The trick is that after the card details are entered, the fraudsters do not deduct a small fee. They completely steal your identity instead.

At this point, the hackers have all they need. They have your mobile number, contact address, and your payment card – they know your identity and your payment details. Such a full-detail package has a high value on the black market. “Logically, these scams can be expected to appear the most on Black Friday and in the following two weeks,” says Lohnert in conclusion.
