The tail end of the calendar year represents arguably the most important period for retailers and companies working in e-commerce, with a huge amount of yearly profits determined in the penultimate two months of the year. This profit is largely generated through the two biggest online sales events of the year, Black Friday and Cyber Monday. Keeping online retail stores running, while also ensuring that customers’ data is protected, is absolutely essential during this period. In this blog, we will give you a rundown of the key threats you need to consider over the coming weeks.

Black Friday: A time of opportunity and risk

The Black Friday period represents a hugely profitable yet perilous time for online retailers. Maintaining operations, and the ability to receive and process online orders, is absolutely essential at this time, with outages of even just a few hours likely to result in huge losses. This was a common sentiment during our discussion with clients in the past month, who identified that business continuity was the most important consideration for Black Friday. Although the data is a couple of years old, this sentiment can be seen in the graphic below, highlighting online sales volume by month. 

Online sales volume by month (Source: SaleCycle)

Finding the imposters: Typosquatting and impersonating domains

Last year’s blog on Black Friday identified many of the threats facing consumers during this time of heightened e-commerce activity. These include an abundance of Black Friday-related phishing scams and fake infrastructure. Threat actors creating malicious infrastructure—including impersonating domains, fake mobile applications, and malicious emails—will likely use the event to harvest users’ financial and personally identifiable information (PII).

How can you spot these fraudulent sites? The best method is simple mindfulness and using increased vigilance during this period. Be aware of anything that lands in your inbox unannounced, or otherwise expresses a requirement for urgency; as my father frequently tells me, there’s no such thing as a free lunch and if something appears too good to be true, it probably is. 

Anything that looks out of place in an email or on a domain is key to spotting a scam: spelling mistakes, branding disparities, or, of course, the classic tactic of deliberately misspelling a URL. Typosquatting is a common and effective threat that leverages users’ unsafe browsing habits. For example, a website spoofing Digital Shadows (now ReliaQuest) might present as www.digital5hadows[.]com. An alternate approach often taken by fraudsters is to change a website’s domain extension, or to use a fake website with a country code top-level domain (ccTLD), a domain extension most commonly assigned to websites associated with a country or sovereign state.

Impersonating domains will often offer wildly appealing deals. Don’t fall for them (Source: Fortinet)

During the research for this blog, we compiled a list of 40 well-known retailers and used SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) to find associated impersonating domains. Digital Shadows (now ReliaQuest) identified approximately 14,000 impersonating domains by searching between 30 Oct 2022 and 01 Nov 2022. The search started from 40 seed domains, the starting points from which impersonating material can be identified, each typically reflecting the retailer’s main website. While this number appears large, in reality it’s just a fraction of the fake domains that are being created every day. This of course doesn’t affect just larger retailers; lesser-known brands are just as likely to attract malicious attention.
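The seed-domain comparison described above can be sketched in a few lines. This is an added example, not SearchLight’s or ReliaQuest’s code; the function names, the small look-alike character table and the observed-domain list are constructed for illustration, and it assumes each input is a registrable domain with no subdomains other than `www`.

```python
# Added example: match observed domains against seed (legitimate) domains.
# Digit-for-letter swaps commonly seen in typosquats (constructed, not exhaustive).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
SEEDS = ["digitalshadows.com"]  # seed taken from the page's own example

def clean(domain):
    """Lower-case, undo [.] defanging and drop a leading 'www.'."""
    d = domain.lower().replace("[.]", ".").strip(".")
    return d[4:] if d.startswith("www.") else d

def split_label(domain):
    """'brand.co.uk' -> ('brand', 'co.uk'); simplification: first label vs rest."""
    label, _, suffix = domain.partition(".")
    return label, suffix

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(observed, seeds):
    """Return (seed, reason) when observed imitates a seed, else None."""
    obs = clean(observed)
    o_label, o_suffix = split_label(obs)
    for seed in seeds:
        s = clean(seed)
        s_label, s_suffix = split_label(s)
        if obs == s:
            return None  # the legitimate domain itself
        if o_label == s_label and o_suffix != s_suffix:
            return seed, "tld-swap"  # same name, different extension or ccTLD
        if o_label.translate(LOOKALIKES) == s_label.translate(LOOKALIKES):
            return seed, "character-substitution"
        if edit_distance(o_label, s_label) == 1:
            return seed, "typo"  # one inserted, deleted or changed character
    return None

if __name__ == "__main__":
    # Constructed observations, e.g. from newly registered domain feeds.
    for d in ["www.digital5hadows[.]com", "digitalshadows.co", "example.org"]:
        print(d, "->", classify(d, SEEDS))
```

Short brand names produce many edit-distance-1 neighbours, so hits from the `typo` rule need manual triage before any takedown request.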

For retailers, the best method of staying on top of the many impersonating domains that will surface at this time is to use a DRP service like that offered by Digital Shadows (now ReliaQuest). By using this service you’ll be able to identify brand infringements as they occur, triage the risk over time, and remediate when required. SearchLight’s customized alerting is capable of spotting malicious infrastructure masquerading as your brand, whether that be via domain names, asset types or intellectual property, or even malicious use of company logos. Our managed takedown service can also assist with removing impersonating material, whether that be a phishing site, a fake mobile application, or other infringing content. If you’d like to learn more, why not register for a free demo of SearchLight (now ReliaQuest GreyMatter Digital Risk Protection)?

The persistence of Magecart

Magecart, a term often used interchangeably with credit card skimmers or formjacking, entered the common cyber threat lexicon in 2018. British Airways, Ticketmaster, and NewEgg were three of the first victims of this type of threat, with customers’ credit card details stolen after the companies’ e-commerce websites were compromised by malware. Magecart allows threat actors to steal credit card information by adding unique scripts into the source code of susceptible payment webpages. Malicious code is typically hidden within an HTML comment, so that it appears benign when placed in the source code. Magecart is designed to read information entered into payment forms on checkout pages, before sending data back to a remote computer controlled by attackers.
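A retailer can audit its own checkout page for the two signs described above: scripts loaded from hosts it never approved, and code sitting inside HTML comments. This is an added example, not code from the original blog; the allowlist, host names, token pattern and sample page are all constructed for illustration.

```python
# Added example: audit a checkout page for unexpected script hosts and for
# code hidden in HTML comments. Hosts and sample HTML are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the shop's own origin plus its payment provider.
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.payments.example"}
# Tokens that suggest executable code rather than an ordinary comment.
CODE_IN_COMMENT = re.compile(
    r"<script|eval\(|atob\(|createElement|XMLHttpRequest|fetch\(", re.I)

class CheckoutAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            return  # inline script: needs content review, out of scope here
        # Relative URLs have no hostname and resolve to the page's own host.
        host = urlparse(src).hostname or self.page_host
        if host not in ALLOWED_SCRIPT_HOSTS:
            self.findings.append(("unlisted-script-host", host))

    def handle_comment(self, data):
        match = CODE_IN_COMMENT.search(data)
        if match:
            self.findings.append(("code-in-comment", match.group(0).lower()))

def audit_checkout(html, page_host):
    """Return findings in document order as (kind, detail) tuples."""
    parser = CheckoutAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

SAMPLE_PAGE = """<html><body>
<form id="payment"><input name="card-number"></form>
<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/v3/sdk.js"></script>
<script src="https://cdn-metrics.example.net/t.js"></script>
<!-- legacy banner removed 2022-10 -->
<!-- <script>var s=document.createElement('script');</script> -->
</body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout(SAMPLE_PAGE, "shop.example"):
        print(finding)
```

Running the same audit on a schedule and diffing the findings against the previous run surfaces newly introduced scripts between deployments.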

Editor’s Note: To read the full blog, please visit ReliaQuest, our teammate’s site.