The holidays are approaching – and eager shoppers, prepared to spend an expected $78 billion total online, are scouring the Internet for deals. With this purchasing power on the rise, we expect to see an increase in online security risks as well. As a precautionary measure before this retail marathon, US-CERT released advisories reminding Internet users to stay aware of seasonal scams and cyber campaigns, which might take the form of:

  • electronic greeting cards that may contain malware
  • requests for charitable contributions that may be phishing scams and may originate from illegitimate sources claiming to be charities
  • screensavers or other forms of media that may contain malware
  • credit card applications that may be phishing scams or identity theft attempts
  • online shopping advertisements that may be phishing scams or identity theft attempts from bogus retailers
  • shipping notifications that may be phishing scams or may contain malware

Consumers usually don’t recognize the reality of these risks, so we carried out a quick study to examine a few cases where bad guys are crashing the party with their nasty tricks. 

So, where do you look first? 

It seems like a simple starting question, but if you really think about it, it’s the only critical differentiator between a preventive approach and a reactive security solution. (A reactive solution doesn’t need to ponder on questions like this often. They react when problems are brought in front of them.)

We start the hunt by grabbing domains that use holiday shopping deals as a lure. To get the newest currently active domains, we rely on the ZMQ real time streaming framework detailed in this blog.

A JQ one-liner will make the system spit out any names of interest:

jq '. | select(contains({name:"blackfriday"}) or contains({name:"cybermonday"})) | .'
  
    blackfridaymenscologne2013.com
    blackfridayvoya.info
    blackfriday-romania.com
    blackfriday-deals-2013.com
    blackfridayretailsales.com
    blackfridaydresswatches.com
    bestbeatsblackfriday.com
    bestnorthfaceblackfriday2013.com 
    blackfridayxboxgame.us
    uggsblackfriday2013.net
    shopforblackfridayonline.info
    blackfridaynikeservices.com
… …
 

And we have a winner:

blackfridayromania.cu.cc

You don’t want to shop on the Russian Business Network. The IP of this domain is hosting plenty of questionable stuff (shown as red nodes in the picture below). 

 
Screen Shot 2013-11-26 at 3.07.27 PM 

 

The following domains were spotted due to their anomalous traffic volume, and the IP rings (omitting 64.191.50.71, 64.191.50.72 that are showing the same patterns) bring up even more affiliated domains. 

weekend-eharmony.at
blackfriday-laptops.at
cybermonday-deals.at
kohlsblack-friday.at

Let’s take a closer look:

 shopping

shopping2
 Screen Shot 2013-11-25 at 11.55.06 AM Screen Shot 2013-11-25 at 11.58.01 AM 
 

As you can see, the threat is very real – especially for consumers who may not be tech-savvy. Reviewing and sharing the US-CERT advisories referenced earlier can help to mitigate the damage – be sure to pass them along to any family or friends bent on shopping online this weekend. You can also share our Phishing Quiz

The only thing that should be pwned this holiday season is your diet, so don’t let a shopping experience gone wrong leave a bad taste in your mouth!