Despite some early deals, Black Friday officially begins on 24th November, kick-starting over a month of consumer spending over the holiday period. This year, it’s expected that a whopping $862 billion will be spent during this season. A significant chunk of this is online sales, with $116 billion set to be spent. Cybercriminals also look to get a slice of the holiday sales action.

 Cybercrime and the holiday season

In our recent webinar and whitepaper, we identify cybercrime risks to retailers and consumers:

  1. Payment Systems Risk – How cybercriminals acquire payment card information, through Point of Sale (POS) malware and skimming.
  2. Fraudulent Transactions – The monetization of this payment card information, through Card Not Present (CNP) fraud and eGift cards.
  3. Account Takeover – Fraudsters that look to log in to consumers’ accounts, whether with retailers or payment platforms. Phishing and credential stuffing are prime techniques for this.
  4. Loss of Service – With so much money spent online, Distributed Denial of Service (DDoS) is a real threat to retailers. Cybercriminals know this and look to extort companies.

Amid all of these risks, criminals look to help each other out. For example, in one instance, an actor shared templates for phishing pages (Figure 1) on a criminal forum. This scam page is well made and has some interesting functionality, including the ability for victims to authenticate with ID cards and passport photos (Figure 2) and auto-redirecting victims to the legitimate site. With this template available for free, actors need only register a convincing-looking domain.


Figure 1: An advertisement for a phishing “scampage” on a criminal forum.


Figure 2: A screenshot of the ID upload feature from a demonstration video, which allows attackers to harvest additional information.

Fraudsters also share software. In Figure 3 we see the AntiDetect tool, which any carder worth their salt will be using. Carders know that retailers use device fingerprinting to detect fraudulent transactions, so they value the ability to rotate and quickly change system components like browser type, version, language, time zone, and user agent. You can read more about this particular tool in an article by Brian Krebs.



Figure 3: The AntiDetect tool to overcome browser fingerprinting controls.
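For retailers, rotating fingerprints leave a trace of their own: a value the buyer cannot easily change starts to appear with an unusual number of different "devices" in a short time. The sketch below is an added example, not code from the whitepaper or from any vendor. The field names, the choice of shipping address as the stable pivot, the one-hour window and the threshold of two devices are all assumptions, and the orders are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Attributes the article names as the ones rotated between transactions.
FP_FIELDS = ("browser", "version", "language", "timezone", "user_agent")

def flag_fingerprint_churn(orders, pivot="ship_to",
                           window=timedelta(hours=1), max_devices=2):
    """Return {pivot_value: peak} for pivot values that were seen with more
    than max_devices distinct fingerprints inside any sliding window."""
    by_pivot = defaultdict(list)
    for o in orders:
        fp = tuple(o[f] for f in FP_FIELDS)
        by_pivot[o[pivot]].append((datetime.fromisoformat(o["ts"]), fp))
    flagged = {}
    for value, seen in by_pivot.items():
        seen.sort(key=lambda item: item[0])
        start, peak = 0, 0
        for end, (ts, _) in enumerate(seen):
            while ts - seen[start][0] > window:  # slide the window forward
                start += 1
            peak = max(peak, len({fp for _, fp in seen[start:end + 1]}))
        if peak > max_devices:
            flagged[value] = peak
    return flagged

def _order(ts, ship_to, card, browser, version, language, timezone):
    ua = f"Mozilla/5.0 ({browser}/{version})"  # constructed, not a real UA
    return {"ts": ts, "ship_to": ship_to, "card_token": card,
            "browser": browser, "version": version, "language": language,
            "timezone": timezone, "user_agent": ua}

# Constructed sample orders (hypothetical field names, not real data).
SAMPLE_ORDERS = [
    _order("2024-01-01T09:00:00", "addr-A", "tok-1", "Chrome", "62", "en-US", "UTC-5"),
    _order("2024-01-01T09:07:00", "addr-A", "tok-2", "Firefox", "57", "de-DE", "UTC+1"),
    _order("2024-01-01T09:15:00", "addr-A", "tok-3", "Edge", "16", "fr-FR", "UTC+1"),
    _order("2024-01-01T10:00:00", "addr-B", "tok-9", "Chrome", "62", "en-GB", "UTC+0"),
    _order("2024-01-01T10:30:00", "addr-B", "tok-9", "Chrome", "62", "en-GB", "UTC+0"),
    _order("2024-01-01T08:00:00", "addr-C", "tok-4", "Safari", "11", "en-US", "UTC-8"),
    _order("2024-01-01T12:00:00", "addr-C", "tok-4", "Chrome", "62", "en-US", "UTC-8"),
    _order("2024-01-01T16:00:00", "addr-C", "tok-4", "Firefox", "57", "en-US", "UTC-8"),
]

if __name__ == "__main__":
    print(flag_fingerprint_churn(SAMPLE_ORDERS))
```

Only `addr-A` is flagged: `addr-B` reuses one fingerprint, and `addr-C` changes browser over a whole day, as a household with several devices would.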

 Of course, there are criminals that look to exploit this interest in tool-sharing by disguising malware as carding tools. Figure 4 is an example of an actor claiming to share such tools – in this case a PayPal email checker. Unsuspecting downloaders may get more than they bargained for when downloading this .exe file. It’s a cliché, I know, but there’s no honor amongst thieves.



Figure 4: A tool to “check email paypal” available for download and advertised on criminal forums.

Nevertheless, with criminals so open to sharing so many tools and tactics, it’s a reminder to organizations to do the same: make use of sharing communities such as R-CISC and InfraGard to stay abreast of these latest criminal approaches.


You can watch our webinar or download our latest whitepaper to learn more about these tactics and tools, as well as tips for retailers and consumers to follow in order to mitigate these risks.