The holidays are a time for family, friendship, giving and compassion. They are also a time for cyber criminals to scam people into downloading malware, giving up personal information and even doing non-stop surveys. This blog post will go over a few tricks that you might want to keep an eye out for during this holiday season and be sure to spread the word to your friends and family; knowing how to keep themselves safe is the best present you could possibly give. After all, ’It’s The Most Dangerous Time of the Year!’
Free Gift Card Spam
I will start with the least threatening but most alluring scam you might run into which I call “Free Gift Card” scams. You might see this kind of spam on your social networking websites like Facebook or Google+ and it informs the reader about a great offer going on where you could get hundreds of dollars’ worth of gift cards for free!
As appealing as it seems to get a ‘free’ gift card for a store like Target, especially during the holidays, the smart thing to do is avoid clicking on offers like these since they are almost always fake. If you were to click on it, however, you would be assaulted by an array of surveys, special offers and opportunities to give out your personal information.
The eventual conclusion to this type of scam would leave you tired from filling out surveys, more than likely out of some cash due to having to pay for other offers to get your gift card, constantly being called and pestered by telemarketers and probably wondering if you would ever actually receive that gift card you were promised. To find out more about this type of scam, check out this article on Snopes.
E-Card Malware
The next things to watch out for are e-card notification e-mails, especially during the holidays. We all have family who enjoy sending e-cards to us for any occasion any time of the year. In addition, that friendly reminder e-mail that we have a card waiting for us is always useful when the pressures of our busy lives make us forget all about the messages from our loved ones. Cyber-criminals also do not want us to forget about these cards and have a habit for sending out fake e-card reminder e-mails using spoofed e-mail addresses that bring along charming links to exploit sites or even have malware attached to the e-mails themselves.
Keep an eye out for these types of attacks and hopefully your spam filter catches them before they get to you. To be doubly sure though, it might be a good idea to tell Grandma to send you a card the old fashion way this year. To find out more information about e-card attacks, check out a Webroot blog post by Dancho Danchev and/or a great article about e-card scams posted by Scambusters.org.
You can even check out the FAQ on how to identify malicious e-mails from the services being spoofed themselves, here are some helpful links from Canva, egreetings.com and 123greetings.com.
UPS Malware Scams
The last big scam I will talk about in detail is the UPS or Mail Delivery Scam. This type of attack relies on the notion that people send stuff via UPS or FedEx all the time and provide their e-mail addresses to get tracking information, delivery notifications, etc. The attackers will create a very convincing e-mail that spoofs a delivery service e-mail (like UPS), copy the formatting of their e-mails and use just enough generic text to sound like it applies to you. In the e-mail, you might see a notice informing you that your delivery did not make it and that you need to click on a link to resolve the issue.
Another example, obtained from our friends at GFI Labs, shows a holiday spin on this same e-mail, informing the user that they have in fact received a package. What better a way to start the holidays than with gift announcements via e-mail!
Image obtained from: http://www.gfi.com/blog/festive-ups-delivery-notice-serves-up-fake-av
Unfortunately, both of these examples are fake and both of them are very malicious. The link in the first e-mail actually leads to an exploit page that employs the use of the “Blackhole Exploit Kit” to infect your system with the Zeus Trojan! The second example requires even less effort because the “Attached Postal Receipt” is actually just a Fake Antivirus in disguise, infecting you with invisible malware and demanding you pay real money to get rid of them! As soon as the user opens the file to print out the receipt, they are infected!
When dealing with this type of attack, it is best to remember that no service will ever send you anything other than a very long and hard to remember code to use on their website to track your packages, unless you have told them otherwise. So think hard about if you have even sent a package and then look deeper into whether or not an e-mail claiming to be from UPS has any merit.
Holiday Safety Rules
While I have gone over three very dangerous and very widespread types of attacks you might see during the holidays, there are plenty of others I didn’t go over. Things like:
- Charity Phishing
- Malicious Holiday Screensavers
- Fake Credit Card Applications
- Holiday Themed Malvertisements
- How to safeguard your wireless connection so Elves can’t steal your bandwidth
To keep yourself safe from (most of) these threats, try following these rules during this Holiday Season to keep you and your family safe:
- Don’t click on any advertisement for a deal ‘Too Good to Be True’
- Don’t trust any holiday themed chain letter, greeting card or wish list
- Only shop on secure (HTTPS) and legitimate online shopping sites, like Amazon.com
- If you get any communication claiming to be from an airline, delivery service, travel agency, etc. Make sure you are expecting it.
- Keep all your software (Operating Systems/ Browsers/ Plug-Ins/Extensions/Java/Flash/Adobe Reader/etc.) up-to-date with the latest updates, checking for new ones as often as possible.
- Make sure you are running an antivirus and anti-malware solution with up-to-date definitions as well as an advertisement-blocking program to avoid malicious advertisements.
Conclusion
Well I hope I didn’t scare you too much with my tales of ‘Holiday Horror’ but rest assured that as long as you are diligent, observant and prudent when it comes to online safety, you will be just fine.
From all of us here at Malwarebytes to all of you..
HAPPY HOLIDAYS!
References:
- http://www.snopes.com/inboxer/nothing/target.asp
- http://threatpost.com/en_us/blogs/how-tips-shopping-online-112012
- http://www.gfi.com/blog/festive-ups-delivery-notice-serves-up-fake-av/
- http://www.infosecisland.com/blogview/18560-CERT-Warns-of-Holiday-Phishing-and-Malware-Campaigns.html
- http://blog.webroot.com/2012/08/21/cybercriminals-spamvertise-bogus-greeting-cards-serve-exploits-and-malware/
- http://www.scambusters.org/ecardscams.html
- http://help.123greetings.com/How-to-differentiate-between-legitimate-ecard-email-and-a-fraudulent-email_166.html
- http://www.egreetings.com/email-protection
Adam Kujawa is a computer scientist with over eight years’ experience in reverse engineering and malware analysis. He has worked at a number of United States federal and defense agencies, helping these organizations reverse engineer malware and develop defense and mitigation techniques. Adam has also previously taught malware analysis and reverse engineering to personnel in both the government and private sectors. He is currently the Malware Intelligence Lead for the Malwarebytes Corporation. Follow him on Twitter @Kujman5000