While bracing ourselves for these and other year-end online shopping offers, watch out for the scammers, breaches and phishing campaigns.

More e-commerce records are expected to be set in the run-up to Black Friday and Cyber Monday at the end of November.

However, it is not just stores and buyers who are getting ready for an online spree: threat actors are also organizing their campaigns to try and grab their share of holiday spending, too.

Check Point Research has reported a spike in hacker activity over the past six weeks, with a surge in malicious phishing campaigns targeting online shoppers in the form of ‘special offers’.

In the four weeks from 8 Oct–9 Nov, the number of weekly fake offers related to phishing campaigns had doubled globally, rising to 243 in the beginning of November, compared to 121 at the start of October.

  • The first half of November showed an 80% increase in phishing campaigns relating to sales & shopping special offers, with emails including phrases such as ‘special’, ‘offer’, ‘sale’, ‘cheap’, ‘% off’.
  • One  out of every 826 emails was a phishing email related to November shopping days, compared to less than 1 in 11,000 phishing emails at the start of October.
  • In just two days (9th and 10th November), the amount of weekly ‘special offer’ phishing campaigns was already higher than during the whole of the first week of October.

A real-life phishing email sample

Here is an actual example of an email phishing campaign to imitate the jewelry company, Pandora.

  • Email subject: “Cyber Monday | Only 24 Hours Left!”
  • Sender: Pandora Jewellery (no-reply\@amazon\.com)

The sender field contains an Amazon domain, but there is no mention of Amazon in the mail or in the links belonging to it. Further investigation verified the email address was spoofed to appear as if it was sent from an Amazon email address. Two of the links in the mail were related to a site that tries to trick recipients into thinking the email is from the jewelry company Pandora. The misspelling of ‘jewelry’ is a strong clue that the email is fake. (Editor’s note: Some countries do use this British version of the word.)

The links in the emails led to the website www[.]wellpand[.]com. After a few days, the links led to a similar website www[.]wpdsale[.]com.

These websites were registered at the end of October and beginning of November, right before the phishing emails were actually sent, giving researchers a strong indication that it is a scam. Further investigation showed that both of the websites the emails led to were an imitation of the Pandora jewelry website. Check Point has confirmed that some victims of this attack reside in the USA, UK and Bulgaria.

A phishing email impersonating “Pandora” Outlet Store

Readers are advised to practice the usual cyber hygiene at all times, regardless of the e-commerce seasonal promotions.