Holiday Shopping Frenzy Fuels Surge in Black Friday Week Cyberattacks

Cyberattacks on consumers and retailers surged during Black Friday week, according to a report released Wednesday by a cybersecurity platform provider.

The provider, Darktrace, of Cambridge, England, reported that an analysis of its customer data for November revealed a 327% increase in worldwide Christmas-themed phishing from the first week to the last week of the month and a 692% increase in Black Friday-themed sorties.

The threat landscape in the United States was considerably worse, the report noted, with phishing attacks mimicking major holiday brands, including Walmart, Target, and Best Buy, rising by more than 2000% during peak shopping periods.

Darktrace researchers also found that scammers began shifting their attention from businesses to consumers as the holiday shopping season got into high gear. The impersonation of major consumer brands grew 92% globally between the analyzed periods while mimicking workplace-focused brands declined by 9%.

“While we didn’t look at a year-on-year comparison in this analysis, we believe the rise of AI combined with automation and growing cybercrime-as-a-service marketplaces is increasing the speed, scale, and sophistication of cyberattacks, including phishing,” Darktrace Vice President of Threat Research Nathaniel Jones told the E-Commerce Times.

“With generative AI, the barrier to entry of phishing and malware has been lowered, creating a lot more danger for users as they do their holiday shopping,” Jeff Wolverton, CEO of PiviT Strategy, an IT consulting and managed services provider, in Charlotte, N.C., told the E-Commerce Times.

Jones added that one sophisticated technique that has been increasing in prominence is thread hijacking. “Thread hijacking typically involves attackers gaining access to a user’s email account, monitoring ongoing conversations, and then inserting themselves into these threads,” he explained.

“By replying to existing emails, they can send malicious links, request sensitive information, or manipulate the conversation to achieve their goals, such as redirecting payments or stealing credentials,” he continued. “Because such emails appear to come from a trusted source, they often bypass human security teams and traditional security filters.”

Improved Fake Stores

“This year, it appears that the quantity of fake online stores has increased,” added Erich Kron, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla. “This is likely due to improvements in tools and the use of AI to generate fake sites, create item descriptions, and write fake reviews in an effort to make the sites seem legitimate.”

He explained that by using freely available tools, bad actors can easily and quickly mimic an entire website, including images, logos, and other identifying features. “It’s then relatively easy to create a domain name that appears to be that of the legitimate brand or an affiliate of the brand they are copying,” he told the E-Commerce Times.

“Even though these websites are typically taken offline very quickly, the ease with which they can be created counters the disadvantage of them being shut down quickly,” he said.

Mika Aalto, co-founder and CEO of Hoxhunt, a provider of enterprise security awareness solutions in Helsinki, explained that holidays contain more travel and gift-buying activity along with heightened emotions, so there are a lot more psychological buttons available to hackers during this season of giving.

“Package delivery-themed phishing campaigns are common, and we see a number of Amazon spoofed sites that lead to credential harvesters,” he told the E-Commerce Times. “Travel-themed phishing campaigns might notify a victim that their flight has been canceled, so in a panic, someone might click something they otherwise wouldn’t and download malware that could compromise their system.”

Mobile Dilemma

Leading up to Black Friday and throughout the holiday season, threat actors like to capitalize on themes like deals or coupons, added Selena Larson, a senior threat researcher at Proofpoint, an enterprise security company in Sunnyvale, Calif.

“We also see threat actors leverage end-of-year themes like bonuses or pay raises to entice users to engage with malicious content,” she told the E-Commerce Times.

Consumers need to be particularly careful when responding to potential deals on their mobile phones. “Make sure that you are on an official site before you perform a transaction,” cautioned Krishna Vishnubhotla, vice president of product strategy at Zimperium, a mobile security company based in Dallas.

“Since mobile devices have a smaller form factor, this will be extremely difficult,” he told the E-Commerce Times. “Bad actors will redirect you over and over again to confuse you and make you land on a fake website. Unfortunately, there is really no way to know where these sites are hosted so that you can make a smart decision based on that information.”

Dark Web Discounts

The surge in holiday-themed phishing attacks reflects how cybercriminals expertly time their campaigns to blend in with the heightened volume of legitimate retail communications and capitalize on consumers’ reduced scrutiny during peak shopping periods, observed Stephen Kowski, field CTO with SlashNext, a computer and network security company, in Pleasanton, Calif.

“The massive spike in retail brand impersonation attacks targeting major retailers demonstrates how threat actors are becoming increasingly sophisticated in exploiting seasonal consumer behaviors and shopping patterns,” he told the E-Commerce Times. “Modern phishing threats have evolved beyond traditional corporate email security boundaries, targeting personal accounts, social media, and various communication channels that employees use while shopping online during work hours.”

“Organizations need comprehensive protection that extends beyond corporate infrastructure to detect and block sophisticated phishing attempts across all digital channels while ensuring employees can safely participate in holiday shopping without compromising security,” he said.

Chris Hauk, the consumer privacy champion at Pixel Privacy, a publisher of consumer security and privacy guides, pointed out that brands are making efforts to foil scammers. “Brands are taking action to battle impersonators by verifying their official accounts on social media, having fake apps removed from app stores, and submitting takedown requests for lookalike websites and domains,” he told the E-Commerce Times.

“Brand impersonation is a persistent problem and is difficult to combat,” noted Paul Bischoff, a privacy advocate at Comparitech, a reviews, advice, and information website for consumer security products.

“If a company knows its brand is being used to scam people,” he told the E-Commerce Times, it should do what it can to raise awareness of the scam among its customers. The problem is more pervasive during the holiday season when people are looking to take advantage of shopping deals.”

Unfortunately, consumers aren’t the only shoppers for deals during the holiday season. “Similar to retailers, threat actors also use the holiday season to offer seasonal discounts for their offerings,” Darktrace’s Jones said. “Cybercriminal shops will offer deals on the dark web for compromised data, like usernames and passwords, often selling them in bulk pricing deals during the holiday season.”