Threat Research

Beware of Cybercriminals Preying on Online Shoppers on Black Friday

By Shunichi Imano and Fred Gutierrez | November 23, 2022

Affected Platforms: All OS
Impacted Parties: Online Shoppers
Impact: Loss of personally identifiable information and/or money
Severity Level: Low

As we approach the end of 2022, we reflect on a year filled with dramatic changes across the globe and a heightened threat environment, which raises questions about what is to come in 2023. However, for many, we are now also entering a season of hope. The upcoming holiday season provides a heartful and joyful sensation that is a welcome relief from our other cares. So, between now and the advent of our various celebrations, it’s time for a shopping spree—with shoppers expected to spend an average of $998 each.

Retailers also look forward to this time of the year. Many will earn about a third of their annual income over the next few weeks. And unfortunately, the same is true for cybercriminals. According to the FBI, cyber scams cost consumers hundreds of millions every holiday season. In this blog, we will look at two Black Friday-oriented cyber-attacks that are gaining traction, one using an old PDF file and another exploiting typosquatting.

What’s Old is New

While cybercriminals regularly come up with new ideas to find more victims, a PDF file that FortiGuard Labs recently came across proves that is not always the case.

As the file name indicates, “walmart_black_friday_11_14_20.pdf” was likely from 2020. However, it was submitted to VirusTotal in early November 2022.

The first page of the PDF only includes an “I’m not robot” [sic] CAPTCHA human authentication.

Figure 1. Decoy PDF

The second page is filled with crammed sentences. That format resembles a PDF file we called out in a blog, “Black Friday Cyber Threats Test Online Shoppers,” published last year. While the redirection in that attack did not work, redirection did occur in this recent PDF after “just clicking the checkbox.”

Figure 2. Contents of decoy PDF

Since the checkbox is on the first page, all it requires for redirection is for the recipient to click the checkbox. The message cannot be viewed until the user manually scrolls down through the document. The reason why a PDF from last year was re-used may be because file names hold little significance for careless users.

The user is first redirected to the website leonvi[.]ru , and then redirected again to a fake Amazon “loyalty program” site that claims the user was randomly chosen for a survey. The site also claims that the user will have a chance to win an iPhone 13 Pro after completing the survey. Interestingly, the message was dated November 18, the day this investigation was conducted. And redirection from leonvi[.]ru stopped while we were investigating this scam. Those two events seem to respond to user activity, proving that even an old PDF and redirection scheme can still work today. Although iPhone 13 Pro was released in October of 2021, and a new model is already out, it is still probably a good lure due to recent inflation and the cost of Apple products.

Figure 3. Fake Amazon survey site

The survey itself is trivial—it asks for gender, age, shopping frequency on Amazon, and how the user rates Amazon service.

Once all questions are answered, the user will have three attempts to draw an iPhone from 12 gift boxes.

Figure 4. Fake survey site

After an iPhone is successfully drawn, the user is instructed to pay 1 euro and provide their home address for shipping.

Figure 5. iPhone 13 Pro scam

In addition to the attack responding to user activity, the redirection also appears to be location aware. Access from Japan, for example, ended up at a live chat service, “Str**Chat,” instead of the fake Amazon survey.

Fortunately, these outcomes are relatively benign. This same attack could drop malware, load potentially unwanted applications, or launch a vulnerability exploit if the attacker chose to do so.

Typosquatting

Typosquatting is a type of cyberattack that leverages URLs mistyped by users.

For example, blackfriday[.]com is a legitimate Web site that users can use to view Black Friday ads from numerous popular shopping sites, such as Amazon, BestBuy, and Walmart. According to similarweb, blackfriday[.]com had 2.7 million visitors in October. The visitor count is expected to increase as Black Friday approaches. Apparently, this is too good of an opportunity for cybercriminals to pass up.

Figure 6. Legitimate blackfriday[.]com site

Visiting “blackftiday[.]com” redirects the visitor to what appears to be an online lottery site, which has nothing to do with Black Friday.

Figure 7. Redirected online lottery site

Another example that leverages the misspelling of blackfriday[.]com is nlackfriday[.]com. Visiting this site redirects the user to totalav[.]com, a Web site of security solution software in a likely attempt to generate legitimate affiliate traffic and credits.

Figure 8. Redirected TotalAV site

According to our database, nlackfriday[.]com was created in November of 2016, potentially indicating that the attacker behind the redirection has been taking advantage of Black Friday typosquatting for at least six years. Since the attacker can choose any redirection destination, some previous visitors may have been even more unlucky, accidentally generating affiliate traffic for the attacker or being targeted with malware.

Slickdeals (slickdeals[.]net) is another Web site similar to blackfriday[.]com. It collects ads and deals from a variety of online shopping sites. Our database shows slickdeals has been in business for 23 years. It also owns the subdomain “blackfriday[.]slickdeals[.]net” dedicated to Black Friday.

According to similarweb, slickdeals[.]com and blackfriday[.]slickdeals[.]com had 61.6 million and 148.8K visitors in October, respectively. That motivates attackers to take advantage of typosquatting on these domains.

At the time of our investigation, visiting blackfriday.slickdelas[.]net prompted visitors to install a Web browser, “Chromnius.”

Figure 9. Chromnius browser download screen

Online reviews of the Chromnius browser show mixed results. Some consider the browser a potentially unwanted program (PUA) due to its home page (startpage) and search engine hijacking. Although those hijacking behaviors were not observed during our investigation, we did notice something else. When we ran some searches by typing a search term in the Chromnius address bar, we appeared to be redirected a few times before the search was finally executed on Yahoo.

The redirections we observed were as follows:

  • First search: chromnius[.]com/results.php?...[search term]… ->
  • First redirection: zipsearch[.]xyz/apiv2/bosy/search?p=[search term] ->
  • Second redirection:
    search[.]onlinegamezone[.]club/chrome/newtab/search.aspx?q=[search term]&… ->
  • Legitimate search on Yahoo

Even more strange, zipsearch[.]xyz and search[.]onlinegamezone[.]club—two searches we made—were nowhere to be seen in Chromnius’ browsing history. However, we were able to find the URLs, as they were present in autocomplete.

While we do not know why the Chromnius developers designed the search function that way, it could be possible that Chromnius is paid for affiliate redirection.

Conclusion

Cyber Grinches actively try to take advantage of eager shoppers every year during the holiday season using new scams and techniques. However, attackers still regularly find new victims using older and more familiar methods.

Below are some Dos and Don’ts to stay safe from e-commerce scams. While these best practices should be used at any time, it is especially vital to remain vigilant during the online shopping season when it is easy to let down our guard.:

  • Do perform due diligence and scrutinize websites for inconsistencies, such as mismatched fonts, inconsistent use of colors, changes in language usage, different prices, descriptions in various text, etc.
  • Do check WHOIS records to see how long the domain has been in existence. Be especially cautious of newly created domains.
  • Do look for typos and grammar (as most corporations hire copy editors)
  • Do send an email to the company you think might be being impersonated before you make a purchase.
  • Don’t impulsively buy an item even if it is super cheap. Like the adage, if it’s too good to be true, it probably is.
  • Don’t panic. If you feel you have been the victim of a scam, call your credit card company immediately and inform them of potential fraud.

Fortinet Protection

The PDF “walmart_black_friday_11_14_20.pdf“ used for phishing is detected by AV signature “PDF/Phish.5E08!tr”.

FortiGuard Labs detects the Chromnius browser covered in this blog as “Riskware/Chromnius."

Webfiltering blocks the fake Amazon survey site and typosquatting sites referenced in this blog.

IOCs

  • b3f691d3a768715898bdee25835259585d3a8c708251ddf829ad011379af558f (almart_black_Friday_11_14_20.pdf)
  • 1811[.]mmpairtap[.]live (fake Amazon survey site)
  • blackftiday[.]com (typosquatting)
  • nlackfriday[.]com (typosquatting)
  • 961a53089f14c69061c3e156bf279550fb108f8023cc54e1086343eca6d3c437 (Chromnius browser installer)

For retailers who wish to protect their brands and customers, we recommend reading the recent Fortinet blog entitled: “‘Tis the Season for Cyberattacks. Retailers: Here’s How to Protect Your Brand” and also "Safe Online Shopping Best Practices." In addition, a Digital Risk Protection Service (DRPS) can provide proactive monitoring and risk analysis of a brands’ digital assets to give a view from the attacker’s prospective—helping security teams stop threats before they ever have a chance to turn into real attacks.

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.

Learn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program. Learn more about FortiGuard Labs’ global threat intelligence and research and the FortiGuard Security Subscriptions and Services portfolio.