It’s that time of year again. Thanksgiving will pass just as quickly as it arrived, and the festive season will soon hit full swing as countless people go online for some gift shopping. But where there’s a gift to be bought, there’s also a scammer out to make money.
And make money they do. In the last five years, the Internet Crime Complaint Center (IC3) said it has received 3.79 million complaints for a wide range of internet scams, resulting in $37.4 billion in losses.
Today, we’re warning of several online threats that could target you over the next few weeks and months: brand impersonation and fakes, credit card skimming, and malvertising.
This Black Friday and beyond, you’re likely to see scammers ripping off big name brands. Here are a few fakes you should look out for.
Scrolling through Facebook, we were presented with a couple of posts advertising discounted PS5s.
“Quit overspending on PS5! This one I got off TEMU is AWESOME and is much cheaper. I’d highly recommend picking this up!”
Of course, it’s tempting to get a discount on high-value items like a PlayStation 5, but Temu doesn’t actually sell PS5s.
If you click the play button on the “video,” you are instead redirected to a Temu page selling various PlayStation accessories that are not official or in any way approved by Sony.
Amazon is relatively low cost, it’s convenient, and you can look at someone’s wish list on there. Except in this scam we caught online, the website isn’t really Amazon—check out the URL.
Fake online stores like this use Amazon’s branding to sell counterfeit products. Even if you take the risk and buy a knock off product (which we think is a bad idea), you have no guarantee of receiving the merchandise, and definitely no buyer protection.
Nothing says “I saw this and thought of you” like a Walmart gift card on Christmas day. But make sure you are buying from the right website.
Again, in this example, check out the URL—this website might look Walmart, but it’s a fake that will happily take your money in exchange for nothing.
If you’re taking advantage of Black Friday sales and buying many things at once, it can be tricky to keep track of what you’ve ordered. Even if you do know what’s coming, you often don’t know which package service will deliver it to your door. Scammers take advantage of this and will send fake delivery notice emails that encourage you to click on them.
With this fake USPS site, you are asked to pay a small fee to have your delivery processed. However, once you hand over your card details the scammers can take whatever amount they like and sell your details to other criminals.
These scams are very common. In fact, when we looked, we saw 50 fake USPS sites set up in only a day:
We’re seeing a lot of online stores hosting credit card skimmers, especially smaller retailers.
A credit card skimmer is a piece of malware that is injected into a website, often through vulnerabilities in the content management system (CMS) or the plugins that the site owner uses.
When visiting a site that has a card skimmer on it, you’ll likely have no idea it’s even there. However, a single script injection is enough to steal your credit card data.
Last year, we saw a large uptick in card skimmers just before the holiday season. One particular campaign that we tracked peaked in April 2023, but then really slowed down during the summer months. Across months, cybercriminals had infected multiple websites and built custom templates to trick victims into handing over their credit card details. By October, the same campaign had increased to its highest volume yet, and it is highly likely that this year will be the same.
When looking at compromised websites, it can be hard to tell what—if anything—is wrong. However, if a site looks like it hasn’t been maintained in a while (for example, it displays outdated information, such as ‘Copyright 2022′) you should avoid entering in your card details. Most compromises happen because a website’s CMS and its plugins are outdated and vulnerable.
Our free browser extension Malwarebytes Browser Guard blocks credit card skimmers by default. If you visit a compromised store you’ll be shown a warning like this:
Access to the store isn’t blocked, we just block the skimmer code so it can’t load. And while you could in theory still shop safely, we’d still advise you to avoid buying anything from there.
Malvertising—or malicious advertising—is a favorite of scammers, who use online ads and sponsored search results to deliver malware to their unsuspecting victims.
Malvertising doesn’t require that criminals know a victim’s email address, login credentials, or personal information to deliver them malware. All the scammers need to do is fool someone into clicking on an ad that looks legitimate.
Last fall, Malwarebytes tracked a 42% increase month-over-month in malvertising incidents in the US. This year we’re seeing a similar uptick, with a 41% increase from July to September as we head into the holiday shopping season.
In terms of the actual advertiser accounts that are used in malvertising campaigns, most are based in the US and are set up using a combination of fake identities or hijacked accounts. However, according to our research findings, ads originating in Pakistan and Vietnam account for 90% of the fraud.
Most (77%) of the accounts are used once only—created quickly and then burned. Once that account is dead, cybercriminals spin up the next one and on it goes.
No brand is safe from malvertisers. We’ve tracked campaigns that spoof Google, Amazon, eBay, Walmart, Lowe’s—and even Malwarebytes.
Our advice: It’s not always easy to tell a real ad from a scam, so it’s best to avoid clicking on sponsored ads at all. Use genuine search results or navigate directly to the site yourself.
Thanks to Jerome Segura for his research on this piece.