Warning: Online shopping threats to avoid this Black Friday and Cyber Monday 

It’s that time of year again. Thanksgiving will pass just as quickly as it arrived, and the festive season will soon hit full swing as countless people go online for some gift shopping. But where there’s a gift to be bought, there’s also a scammer out to make money.

And make money they do. In the last five years, the Internet Crime Complaint Center (IC3) said it has received 3.79 million complaints for a wide range of internet scams, resulting in $37.4 billion in losses. 

Today, we’re warning of several online threats that could target you over the next few weeks and months: brand impersonation and fakes, credit card skimming, and malvertising. 

1. Brand impersonation scams 

This Black Friday and beyond, you’re likely to see scammers ripping off big name brands. Here are a few fakes you should look out for. 

Temu ads offer discounted PS5s 

Scrolling through Facebook, we were presented with a couple of posts advertising discounted PS5s. 

Ads on Temu showing PS5

“Quit overspending on PS5! This one I got off TEMU is AWESOME and is much cheaper. I’d highly recommend picking this up!” 

Of course, it’s tempting to get a discount on high-value items like a PlayStation 5, but Temu doesn’t actually sell PS5s.

If you click the play button on the “video,” you are instead redirected to a Temu page selling various PlayStation accessories that are not official or in any way approved by Sony.  

Fake Amazon offers you great deals this Black Friday 

Amazon is relatively low cost, it’s convenient, and you can look at someone’s wish list on there. Except in this scam we caught online, the website isn’t really Amazon—check out the URL. 

Screenshot of a fake Amazon site showing goods to buy

Fake online stores like this use Amazon’s branding to sell counterfeit products. Even if you take the risk and buy a knock off product (which we think is a bad idea), you have no guarantee of receiving the merchandise, and definitely no buyer protection. 

Walmart makes it easy for you to buy gift cards 

Nothing says “I saw this and thought of you” like a Walmart gift card on Christmas day. But make sure you are buying from the right website.  

Again, in this example, check out the URL—this website might look Walmart, but it’s a fake that will happily take your money in exchange for nothing. 

Screenshot of a fake Walmart site advertising gift cards

“USPS” now delivers you fraud 

If you’re taking advantage of Black Friday sales and buying many things at once, it can be tricky to keep track of what you’ve ordered. Even if you do know what’s coming, you often don’t know which package service will deliver it to your door. Scammers take advantage of this and will send fake delivery notice emails that encourage you to click on them. 

With this fake USPS site, you are asked to pay a small fee to have your delivery processed. However, once you hand over your card details the scammers can take whatever amount they like and sell your details to other criminals. 

Screenshot of fake USPS site

These scams are very common. In fact, when we looked, we saw 50 fake USPS sites set up in only a day: 

Diagram showing many fake USPS domains

2. Credit card skimmers 

We’re seeing a lot of online stores hosting credit card skimmers, especially smaller retailers.  

A credit card skimmer is a piece of malware that is injected into a website, often through vulnerabilities in the content management system (CMS) or the plugins that the site owner uses. 

When visiting a site that has a card skimmer on it, you’ll likely have no idea it’s even there. However, a single script injection is enough to steal your credit card data. 

Screenshot of code being inserted into a website

Last year, we saw a large uptick in card skimmers just before the holiday season. One particular campaign that we tracked peaked in April 2023, but then really slowed down during the summer months. Across months, cybercriminals had infected multiple websites and built custom templates to trick victims into handing over their credit card details. By October, the same campaign had increased to its highest volume yet, and it is highly likely that this year will be the same. 

When looking at compromised websites, it can be hard to tell what—if anything—is wrong. However, if a site looks like it hasn’t been maintained in a while (for example, it displays outdated information, such as ‘Copyright 2022′) you should avoid entering in your card details. Most compromises happen because a website’s CMS and its plugins are outdated and vulnerable. 

Our free browser extension Malwarebytes Browser Guard blocks credit card skimmers by default. If you visit a compromised store you’ll be shown a warning like this: 

Access to the store isn’t blocked, we just block the skimmer code so it can’t load. And while you could in theory still shop safely, we’d still advise you to avoid buying anything from there. 

3. Malvertising increases in line with gift shopping 

Malvertising—or malicious advertising—is a favorite of scammers, who use online ads and sponsored search results to deliver malware to their unsuspecting victims.  

Malvertising doesn’t require that criminals know a victim’s email address, login credentials, or personal information to deliver them malware. All the scammers need to do is fool someone into clicking on an ad that looks legitimate.  

Last fall, Malwarebytes tracked a 42% increase month-over-month in malvertising incidents in the US. This year we’re seeing a similar uptick, with a 41% increase from July to September as we head into the holiday shopping season. 

In terms of the actual advertiser accounts that are used in malvertising campaigns, most are based in the US and are set up using a combination of fake identities or hijacked accounts. However, according to our research findings, ads originating in Pakistan and Vietnam account for 90% of the fraud. 

Pie chart showing the countries of origin of attacks

Most (77%) of the accounts are used once only—created quickly and then burned. Once that account is dead, cybercriminals spin up the next one and on it goes.  

No brand is safe from malvertisers. We’ve tracked campaigns that spoof Google, Amazon, eBay, Walmart, Lowe’s—and even Malwarebytes.  

Our advice: It’s not always easy to tell a real ad from a scam, so it’s best to avoid clicking on sponsored ads at all. Use genuine search results or navigate directly to the site yourself. 

How to shop safely this holiday season  

  • Remember: If it’s too good to be true then it probably is. Discounted items are tempting—especially at a time of year when lots of spending takes place—but these offers often amount to nothing. Instead, research the best deal at reputable retailers. 
  • Don’t get rushed into making decisions. Scammers will use a sense of urgency to pressure you into performing quick actions before you can properly think things through. Take your time before doing anything like clicking links or entering card details. 
  • Get an ad and malicious content blocker like Malwarebytes Browser Guard. If you’re blocking ads then you can’t be tricked into clicking on them. Browser Guard (which is free!) also protects against credit card skimming and other online threats. 
  • Keep an eye on your financial statements: An uptick in online shopping deserves an uptick in vigilance with checking online bank accounts, credit card statements, investment portfolios—in fact, any financial account data. Flag anything that seems suspicious with your provider. 
  • Protect your online accounts. Use a different password for every account (a password manager is super helpful in generating and storing all your passwords), and set up multi-factor authentication (MFA) wherever you can.  
  • Protect your devices: Most security products offer some kind of web protection that detects malicious domains and IP addresses, including Malwarebytes Premium which offers web and phishing protection. 
  • Clean up your personal data online: Cybercriminals use publicly available information in their scams, so check what information is available about you online using our free Digital Footprint scan. You can also take the first step in removing your personal information from the network of data brokers online with our Personal Data Remover

Thanks to Jerome Segura for his research on this piece.

ABOUT THE AUTHOR

Anna Brading

Anna Brading is Editor in Chief at Malwarebytes Labs which means she writes, talks and lives all things cybersecurity. She’s interested in social media, privacy and helping people stay safe online.