Cyber Monday: Costco and Home Depot phishing emails target shoppers

Two phishing emails have shown up in my inbox in the last two days, masquerading as orders from popular American retailers: The Home Depot (a home-improvement store chain) and Costco (a warehouse club). Both serve as timely reminders that, as Americans recover from their Thanksgiving celebrations and the online search for holiday bargains begins, criminals are also active online, seeking to exploit the seasonal surge in shopping activity, from Black Friday to Cyber Monday, and beyond. Hopefully, it goes without saying that you should delete messages like this right away (if you really are expecting notification about an order from a retailer, confirm it with a phone call, or by typing the company URL into your browser and navigating to the order tracking page).

Here are the bodies of two of the emails that I received. Note that both wish the recipient Happy Thanksgiving Day. The first one, made to look like it came from The Home Depot, misspells “sign up” in the upper-right corner:

Fake Home Depot Email

The second email, supposedly from Costco, says my personal data and that of the recipient of a store order “coinicide”, which really doesn’t make much sense when you think about it:

Fake Costco Email

The computers involved in sending the phishes and hosting the faked web sites vary, but include computers in the United States, South Africa and France. With such wide and seemingly random geographic groupings, it is possible the criminals behind these messages were making use of compromised email accounts to send the messages and exploiting unpatched, vulnerable web sites to host their fake pages (for a detailed look at an example of how compromised servers are used to send malicious spam, see Operation Windigo).

The emails themselves give several clues to careful readers that they are less than legitimate. The order notification is written in broad terms, giving the recipient no order details (items, amounts, order number) and no physical location of their nearest store. The messages also use phrasing and grammar that are technically correct but do not sound like American English, another clue to their illegitimacy.
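Beyond reading the wording, a recipient or mail administrator can check whether the sender address and the links in such a message actually belong to the retailer the message claims to be from (the Costco message one commenter received came from an unrelated hearing-clinic domain). The following is an added example, not code from the original post or from ESET: it parses a constructed sample message and flags a sender or link host that is not on the brand's real domain. The brand-to-domain mapping and the sample addresses are assumptions for the example.

```python
import email
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed mapping of impersonated brands to the domains the real retailer
# sends from and links to (constructed for this example).
BRAND_DOMAINS = {
    "home depot": ("homedepot.com",),
    "costco": ("costco.com",),
}

class _LinkCollector(HTMLParser):
    """Collect the href targets of every <a> tag in the HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

def _on_domain(host, domains):
    """True if host is one of the brand's domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def check_message(raw):
    """Return a list of findings; an empty list means nothing looked off."""
    msg = email.message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    claimed = (from_name + " " + msg.get("Subject", "")).lower()
    brand = next((b for b in BRAND_DOMAINS if b in claimed), None)
    if brand is None:
        return []  # no retailer claimed in the sender name or subject
    findings = []
    sender_host = from_addr.rpartition("@")[2]
    if not _on_domain(sender_host, BRAND_DOMAINS[brand]):
        findings.append(f"sender {from_addr} is not on a {brand} domain")
    collector = _LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_payload(decode=True).decode(errors="replace"))
    for href in collector.hrefs:
        host = urlparse(href).hostname or ""
        if not _on_domain(host, BRAND_DOMAINS[brand]):
            findings.append(f"link {href} leads off the {brand} domain")
    return findings

# Constructed sample resembling the impersonations described in the post.
SAMPLE = """From: "Costco Customer Service" <tracy@example.org>
Subject: Your Costco order confirmation
Content-Type: text/html

<p>Happy Thanksgiving Day! Your order details are <a href="http://example.net/track">here</a>.</p>
"""
```

Running `check_message(SAMPLE)` reports both the off-brand sender and the off-brand link; a message whose sender and links are on costco.com produces no findings.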

What to do

If you were taken in by one of these scams and entered a credit card number or other personal details to confirm the order, contact your bank or credit card issuer immediately and let them know you were the victim of a phishing scheme. They can monitor your account for fraudulent activity and, if necessary, issue a new card.

If you received an email like one of the above and did not respond or click on anything in it, all you need to do is delete the message.

Shopping safe online

These two emails remind us that cyber criminals love to exploit timely topics, including seasonal holidays. For more information about shopping safely online during the holiday season, please see the following We Live Security articles:

And, as always, read We Live Security for current information for your holiday computer security tips and tricks.

Author Aryeh Goretsky, ESET

  • LisaP

    I also got the Costco one. Checked online because I thought it looked “phishy” and when I found out it was, deleted it. Thanks for the information.

  • Vicki T

    Same here as LisaP stated. Thanks so much for all the information you give us. I feel much safer knowing you are looking out for us. You ARE appreciated more than you will probably ever know! Vicki T

  • LJ

    I clicked on the “details here” thing. What should I do????

    • Hello LJ,

      If you visited the website and entered any data such as a bank card number, you should contact the card issuer immediately and let them know so they can issue you a new one.

      Regards,

      Aryeh Goretsky

  • Joanna

    What happens if I clicked on the link “here” on the Costco email? Should I contact my credit card company?

    • Hello Joanna,

      If you visited the website and entered any data such as a credit card or debit card number, you should contact the bank/card issuer immediately and let them know so they can take appropriate anti-fraud measures, and issue you a new card.

      Regards,

      Aryeh Goretsky

  • OldePhartte

    received Costco:
    You can also report to phishing-report@us-cert.gov, Spam@uce.com, and spam@uce.gov. However, past experience of forwarding .eml often gets bounced. Therefore, I am trying a new method: I printed to pdf and attached the pdf.

  • Guest

    I think I encountered another type of phishing last night. I used a relatively new laptop (about 3 months old) to search for “sound bar” deals online. When I clicked on the link from the search results, a web page (not a pop-up message) said the site I was visiting was prohibited by the parental controls and I had to enter the administrator password to visit the site. It felt odd since it was a relatively new computer and I don’t remember putting restrictions for shopping electronics on it. The message had the parental control logo and it looked consistent with my computer’s settings, so I thought it was a system message. I entered my username and password but I was still not able to access the website. Then it dawned on me that the message was a web page and not a message from my computer. I should have seen the computer settings dialogue (where I can add the website as a non-prohibited site) if the message was from my computer. So I changed my password right away.

    • Hello,

      Good call on that. If you use the same password elsewhere, be sure to change that, too. There are lots of articles on choosing secure passwords here on We Live Security.

      Regards,

      Aryeh Goretsky

      • Evie

        Not thinking straight this morning, I clicked on the blue link, got “access denied”, and immediately closed out and trashed the email. Should my info and computer be OK? I did not enter any info.

        • Hello,

          As the link was blocked, it sounds like you (and your computer) are safe.

          Regards,

          Aryeh Goretsky

  • Jennifer Mead

    I have gotten a few of them. Usually the company itself wants you to forward it to them. I was trying spam@costco.com but it returns as a bad address. Guess I will just delete them instead.

  • Bill

    So does this mean Costco servers were hacked? I received the same email. Therefore, someone knows this email address did business with Costco. I did not receive the phishing email from Home Depot. I never ordered anything from HD with this email address.

    • Hello,

      Not in the least. Neither company’s servers were hacked. I received the emails at addresses which are not known to either company. This was just a random blast of phishing messages sent out to email addresses that the criminals behind the scheme bought, guessed or otherwise harvested.

      Regards,

      Aryeh Goretsky

  • Guest

    Seems like it is not enough to just delete these emails. Where is the button to send a cruise missile back at the sender?

    • Hello,

      Reporting them and deleting them are the best thing you can do.

      I will have to speak to our developers about the cruise missile option. :)

      Regards,

      Aryeh Goretsky

  • MP

    What if you just clicked details and then trashed the message?

    • Hello,

      As long as you did not enter any information, you should be okay. It probably would not be a bad idea to perform a full scan of your computer, though.

      Regards,

      Aryeh Goretsky

  • Robin Farbman

    I think Home depot might want one to forward such bogus emails. I haven’t found exactly where to send.

  • Jeff

    I just got mine. I love the “Blessings to you on a Thanksgiving Day”. Very thoughtful scammers, possibly Nigerian?

    • Hello,

      I don’t have any information about the nationality of the scammers.

      Regards,

      Aryeh Goretsky

  • JLB

    I received the Costco email with an email that appeared to be sent from *****cy@pearlriverhearing.com. I clicked onto the Costco site and the website opened. I tried to forward it to Tracy and it did not go through. I did send a personal email after searching online for the store to let her know someone was doing this. I spammed the email. Nothing personal was given. The only thing I did do lately was give Cost Plus World Imports my email, and I did not register when they sent me an email because the agreement gave them open access to too many things. I spammed them too.

  • Lynn Lynch

    If you get “access denied” when you click the link, can your info still be stolen? I did not enter any info and immediately trashed the email. Not enough coffee this morning, and I had just ordered online from Costco.

    • Hello,

      You should still be okay since you saw the “access denied,” but it would be a good idea to run a complete scan of your system, just in case.

      Regards,

      Aryeh Goretsky

  • Kay

    I unfortunately clicked on the link in the Home Depot email. I had placed an order from Home Depot online a few months ago, and thought I had been part of the scam. The link contained a Trojan virus, so my anti-virus started going crazy. I immediately deleted the email, but for two days, the ESET and anti-malware programs kept quarantining and deleting a virus. Next day I received a Costco email, which I deleted. Obviously, my email has been compromised as part of the original Home Depot mess. Do I need to be concerned about shopping and banking online now that someone undesirable has my email? What extra measures should I take?

  • Guest

    Hello,
    I just received a similar email from Target. I clicked the link and did try to enter my password. It said the password was wrong. I realized that this was a scam and called Target within an hour to cancel my cards (credit and debit). I also clicked the link on my iPhone, not my computer. I guess I’m wondering if I’m safe now. Is the information on my phone compromised? I am so angry with myself for doing this; I usually recognize these things. Thank you in advance for any information.

    • Hello,

      The Apple iPhone should be fine, and you did the right thing by promptly contacting Target.

      Regards,

      Aryeh Goretsky

Copyright © 2016 ESET, All Rights Reserved.