A new holiday season scam campaign is plaguing social media – and this time it’s pretending to sell heavily discounted Uggs, reports ESET’s Ondrej Kubovič.
The festive season is upon us, and apparently, it is also the time for more dirty business from cybercrooks. A new holiday season scam campaign is plaguing social media – and this time it’s pretending to sell heavily discounted Uggs, as well as other popular shoe and clothing brands.
The scam ads are spread via emails as well as legitimate Facebook accounts compromised by cybercriminals with help of social engineering tactics and/or malware. Without the consent of the profile owner, they post pictures promoting the fake goods with unrealistically low prices.
To maintain a low profile, attackers only tag a few people from the friend list on each of the bogus ads:
The way these cybercrooks operate is very similar to previous cases, where bogus Ray-Bans were the primary merchandise. Just as before, payment card details, as well as the money of unaware Christmas shoppers, seem to be the target of the attackers.
Fake e-shops resemble their legitimate counterparts, however, the transactions run directly on the site, not via a secure payment portal. This allows the payment card’s details to travel unencrypted across the internet.
Bogus websites also differ by not using an SSL certificate to encrypt communications between client and server. For the user, this is easily visible in the URL as the websites use an HTTP protocol instead of the considerably more secure HTTPS. Without encryption, any inserted details can be read and stolen by the attackers.
These fake e-shops were created only recently and are primarily registered in China. Some of the scam e-stores observed are listed below:
The festive period represents a large window of opportunity for malicious ads, as they can easily blend in with the vast number of legitimate counterparts. Therefore, users should be extremely vigilant at this time of the year, especially if there is anything suspicious about the offers such as misspellings, unrealistically low prices, and a missing or invalid SSL certificate for the e-shop promoting them.
If you are one of those shoppers who waits until the last moment to pick up gifts, here are a few tips that will help you purchase them safely, and keep both your money and payment card details from the sticky hands of cybercrooks.