How Cyber Criminals Capitalized on the 2018 Holiday Shopping Season

By Jordan Herman, threat researcher, RiskIQ

The 2018 holiday shopping season was a financial boon for retailers, but threat actors filled their pockets too. The flurry of shopping activity saw retail sales in the U.S. grow 5.1 percent between November and Christmas Eve, reaching more than $850 billion. It was the best holiday shopping season since 2012. But where there’s money changing hands, you can count on hackers looking to scoop some up for themselves.

So what did the threat activity around the 2018 holiday shopping frenzy look like? To better understand what retailers were up against over the holidays, our team collected data from the two billion websites we scan per day in 783 locations around the world, looking for instances of malicious apps and URLs. Using Alexa’s rating system, we researched ten of the most trafficked brands between Black Friday and New Year’s Day. Here’s a summary of what we found.

How the holidays played out: 

Blacklisted apps are on the rise.                                                                     

We identified 169,138 malicious apps in our Q3 Mobile Threat Landscape report. That’s a 220 percent increase from Q2, and this trend continued into the holiday shopping season. Here’s what you need to know:

• 12,905 total blacklisted apps contained branded terms from the ten most trafficked sites over the holiday shopping season, a 48.7 percent increase over our Black Friday Blacklist report.

• 4,628 Blacklisted apps containing “Christmas” in the title or description were blacklisted as malicious, representing 4.5 percent of the total that can be found by searching “Christmas” in global app stores.

• The ten most trafficked brands averaged over 17 blacklisted apps each containing both its branded terms and “Black Friday” in the title or description, and 21 blacklisted apps contained both its branded terms and “Christmas” in the title or description. The use of these terms shows clear intent by threat actors to leverage the shopping holiday to their own ends.

Holiday-tagged malicious URLs are on the rise.

For our research into web properties, we looked for instances of their branded terms appearing alongside the terms “Black Friday,” “Cyber Monday,” and “Christmas” in blacklisted URLs or cause-page URLs (pages that send users to another page hosting something malicious).

Threat actors build malicious infrastructure to leverage in their threat campaigns. We queried our Global Blacklist for URLs of malicious pages or pages that lead to malicious sites that leverage these brands as well as “Black Friday” and “Cyber Monday.”

We found the following:

• 1,502 cause-page URLs contain “Black Friday,” a 51.5% increase over the Black Friday Blacklist report
• 1,521 blacklisted URLs contain “Black Friday,” a 51.8% increase
• 1,628 blacklisted sequence URLs contain “Black Friday,” a 52% increase
• 84 cause-page URLs contain “Cyber Monday,” a 425% increase
• 514 blacklisted URLs contain “Cyber Monday,” a 31% increase
• 559 sequence URLs contain “Cyber Monday,” a 35% increase
• 6,469 cause-page URLs contain “Christmas”
• 4,561 blacklisted URLs contain “Christmas”
• 8,571 blacklisted sequence URLs contain “Christmas”
• 15 cause-page URLs contain “Boxing Day”
• 10 blacklisted URLs contain “Boxing Day”
• 11 sequence URLs contain “Boxing Day”

Mage cart didn’t sleep.

“Mage cart” is an umbrella term referring to at least 15 different cybercrime groups that place digital credit card skimmers on compromised e-commerce sites at an unprecedented rate. Their success in stealing credit card information is frightening. With the uptick in online sales over the holiday shopping season, Mage cart activity showed no signs of slowing down.

We detected 6,929 unique Mage cart incidents between Black Friday and New Year’s Day — that’s more than 177 incidents every day.

How to protect your digital assets any time of year.

The key to protecting your digital assets begins with knowing what you’re responsible for. Security teams usually only monitor in-network activity, but what about third-party operations? In the Ticketmaster supply chain attack, hackers placed a digital skimmer on Ticketmaster websites through the compromise of a third-party payment platform called Inbenta, an example of a digital asset sitting outside a brand’s firewall while still being vulnerable.

Today’s digital attack surface is everything outside the firewall, a collection of far-flung client-facing assets that hackers can (and will) discover as they research their next threat campaigns. Assets outside the firewall — like the threat infrastructure covered in this report — enabled some of the worst hacks of 2018, and they will continue to be targeted into the future.

When organizations implement attack surface management, they can truly begin to understand what they look like from the outside in, and they can start developing a strategy that lets them discover everything associated with their organization on the internet, both legitimate and malicious. Then they can shrink their attack surface down to size.

While high shopping seasons bring a sense of urgency for consumers to grab the best deals, it’s essential for consumers and brands alike to take a moment to understand what they’re up against, they need to evaluate the security of their purchases and platforms respectively.

About the Author

Jordan started working in information security in 2014 when he cut his teeth as a SOC analyst and sysadmin at a small MSS. He graduated to threat/research analyst at RiskIQ in 2016 has helped to surface and track various threats, including several mage cart groups, since that time.  He’s currently learning more about data analysis and visualization to make better use of RiskIQ’s deep pools of information.