
New Phishing Scam Offers Luxury Brand Prizes
Recent Email Phishing Scams Target Holiday Shoppers
Christmas shoppers feature prominently on the radar of criminal hackers who have already launched a mind-boggling, hard-to-detect phishing scam. So far, the threat actors have imitated the websites of some big USA brands such as Delta Airlines and Tumi, a luxury luggage company. They have also added warehouse clubs like Costco and Sam’s Club to trick shoppers.
On the fake websites created for the listed brands, the hackers even include false testimonials describing prizes supposedly awarded, to boost their campaign’s effectiveness. According to cyber analysts, these phishing sites show that the threat actors rely on basic lures to attract unsuspecting victims. The promised prize is often a chance to win products from global companies such as Amazon, Apple, Samsung, Microsoft, and other renowned brands.
September marked the start of this ruthless and sophisticated phishing campaign, which has been cheating North Americans out of their hard-earned cash. So far, the hackers have mostly targeted shoppers making purchases for Halloween, Labor Day, and the Thanksgiving celebration.
Hard to detect phishing techniques
Akamai Technologies Inc revealed that the hackers’ toolkit comprises a number of detection-evasion techniques that trap victims on phony webpages while making it very hard for law enforcement to track the campaign’s movements. The researchers documented that the novel token-based phishing kit relies on nothing more than a randomized URL.
What’s more, the phishing sites are geo-targeted and usually imitate local companies. The links sent in the email appear safe, but they are built to redirect victims several times before landing them on the fraudulent phishing website via a shortened URL.
In addition, a URL fragment (the part of the link after a #) is used in the redirect link to deliver victims to the linked landing page, and even to bypass two-factor authentication (2FA). The hackers have also been able to host their fraudulent websites on cloud providers like Azure, Google, and AWS.
Fake 5 Minute Survey Trap
The big lure that captures the attention of victims is the lucrative prize offered just for taking a five-minute survey. While victims are excited about winning the promised prize, that reward, in the end, pales in comparison to the danger that lurks behind it.
Next, while the euphoria lasts, the hackers ask victims to pay a small fee to cover the shipping charges for mailing the prize. The duped victims are prompted to enter their credit card details to process the payment; the card data is, of course, stolen by the threat actors, and the promised gift is never received.
New Christmas Scam
The unique yet complex phishing campaign has been quite successful, thanks to that little ‘#’. With this sophisticated scam, the fragment is very hard to track because it carries a token that JavaScript in the victim’s browser uses to reconstruct the URL that redirects the victim to the hackers’ website.
More importantly, the fragment is not an HTTP parameter and is never delivered to the server, yet JavaScript running in the victim’s browser can still read it and load the fake site. Thus, the phishing scam easily bypasses antivirus and other security tools that only inspect what reaches the server.
Without JavaScript running in a browser the redirection does not work, so the only way to reach the site is through the link in the original lure email. This latest phishing scam is especially formidable for those looking to do some Black Friday and Christmas shopping this year.
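The fragment trick described above is worth seeing from the defender’s side: anything after the # is read by client-side JavaScript but never appears in server logs, proxy logs, or the request a URL scanner makes. The following triage helper is an added example written for this article, not code from Akamai or from the phishing kit; the sample links, the shortener list, and the token heuristic are all constructed assumptions, and it generalizes the single-link case in the text to a whole captured redirect chain.

```javascript
// Added example (not from the article or Akamai): triage a suspicious link
// the way a mail-gateway script or analyst could, separating what a server
// ever receives from what only browser-side JavaScript (location.hash) can read.

// Heuristic: fragments at least this long and "random looking" are more likely
// a per-victim token than a normal in-page anchor such as "#section-2".
const TOKEN_MIN_LENGTH = 16;

// Constructed sample list of shortener hosts; a real deployment would use a
// maintained feed. "short.example" is a placeholder, not a real service.
const KNOWN_SHORTENERS = new Set(['bit.ly', 't.co', 'tinyurl.com', 'short.example']);

function fragmentLooksLikeToken(fragment) {
  if (fragment.length < TOKEN_MIN_LENGTH) return false;
  // Restrict to URL-safe token alphabets (base64url / hex / alphanumerics).
  if (!/^[A-Za-z0-9_-]+$/.test(fragment)) return false;
  const hasLetter = /[A-Za-z]/.test(fragment);
  const hasDigit = /[0-9]/.test(fragment);
  return hasLetter && hasDigit;
}

function analyzeLink(href) {
  const u = new URL(href);
  const fragment = u.hash.startsWith('#') ? u.hash.slice(1) : u.hash;
  // Everything the server (and any proxy, WAF or scanner that just fetches the
  // URL) receives: scheme, host, path and query. The fragment is never sent.
  const serverSees = `${u.origin}${u.pathname}${u.search}`;
  return {
    serverSees,
    fragment,
    hiddenTokenInFragment: fragmentLooksLikeToken(fragment),
    viaShortener: KNOWN_SHORTENERS.has(u.hostname),
  };
}

// Triage a whole redirect chain, e.g. as captured by a detonation sandbox.
// Flags the combination the article describes: shortener hop(s), several
// redirects, and a token that lives only in the fragment.
function triageChain(hops) {
  const analyses = hops.map(analyzeLink);
  const shortenerHops = analyses.filter(a => a.viaShortener).length;
  const hiddenToken = analyses.some(a => a.hiddenTokenInFragment);
  let verdict = 'low';
  if (hiddenToken && (shortenerHops > 0 || analyses.length >= 3)) {
    verdict = 'suspicious';
  }
  return { hops: analyses.length, shortenerHops, hiddenToken, verdict, analyses };
}

// Constructed sample chain (not real campaign data): shortener -> geo-targeted
// landing page -> final page whose only per-victim state is in the fragment.
const SAMPLE_CHAIN = [
  'https://short.example/a1b2c3',
  'https://promo-survey.example/landing?c=holiday',
  'https://promo-survey.example/#u8K2x9Qa3LmN7pZt4Rw1',
];

// Stand-alone run: print what the server sees versus what the browser sees.
if (typeof require !== 'undefined' && require.main === module) {
  for (const a of triageChain(SAMPLE_CHAIN).analyses) {
    console.log(`server sees: ${a.serverSees}  browser-only fragment: "${a.fragment}"`);
  }
  console.log('verdict:', triageChain(SAMPLE_CHAIN).verdict);
}
```

The practical point for detection is the `serverSees` field: a scanner that fetches the URL, or a log search over web-proxy records, will only ever see `https://promo-survey.example/`, so the per-victim token and the final redirect are invisible to it. Capturing the full link from the email body (or a browser-based detonation that executes the page’s JavaScript) is what actually reveals the chain.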