Buyer Beware: New Malwarebytes Research Reveals Holiday Shopping Scams Involving PlayStation, Amazon, Walmart, and Temu
Fake websites, too-good-to-be-true deals, and a steady uptick in malvertising in advance of holiday shopping season
SANTA CLARA, Calif. – November 13, 2024 – Malwarebytes, a global leader in real-time cyber protection, released new research revealing a slew of holiday-themed scams aimed at consumers this holiday shopping season. The scams involve popular gift-gifting categories, including gaming systems and gift cards, shopping platforms such as Amazon, and shipping services like USPS. Researchers also revealed a 41% uptick in malvertising, or malicious advertising, leading into Black Friday and Cyber Monday.
The ease and convenience of online shopping has shifted attitudes over the past few years with consumers spending $1.243 trillion online in 2023. While web browsers are the doorway to internet activity and specifically shopping, buyers should be aware that it’s also a convenient platform for fraud. Over the last five years, the Internet Crime Complaint Center (IC3) says it’s received 3.79 million complaints for a wide range of internet scams which resulted in $37.4 billion in losses.
“Web-based attacks are the new frontier for hackers,” said Mark Beare, GM of the Consumer Business Unit, Malwarebytes. “For years, attackers needed to get on your desktop to access files or private information. Today, most consumers readily enter and store passwords, credit card numbers, home addresses, and a list of other personal information into browsers and websites. It’s become a playground for criminals looking to make big money. While many consumers think they’re not a target, I caution that it’s not about you—it’s about you at scale.”
“I find the range and quality of brands being spoofed most alarming,” said Jérôme Segura, Senior Director of Threat Intelligence, Malwarebytes. “Criminals are investing money and leveraging AI tools to create very believable fake websites, shopping cart checkout pages, and scams. I urge consumers to avoid any sponsored ad links, be wary of where they enter information, and use browser protection tools to help stop credit card skimming, a truly silent threat.”
Malvertising on the rise
Malvertising, or malicious advertising, has seen a steady uptick leading into the holiday shopping season. Most malvertising hides in sponsored ads, making it especially pernicious for those browsing on mobile devices.
Last fall, Malwarebytes tracked a 42% increase month-over-month in malvertising incidents in the US. This year, researchers saw a similar uptick, with a 41% increase from July to Sept.
No brand is safe, including Google. Threat researchers tracked malvertising campaigns that spoof Google, Walmart, Disney+, Lowe’s, Apple–and even Malwarebytes.
Most (77%) of advertiser accounts used in malvertising campaigns are used once only, created quickly and then burned. Once that account is dead, cybercriminals spin up the next one and so on.
The bulk of accounts being used maliciously are based in the US due to a combination of fake identities and hijacked accounts. However, advertisers originating in a few regions, Pakistan and Vietnam, account for 90% of the fraud.
How to avoid online scams this holiday season
When using the internet, regardless of your device, keep these tips in mind.
- Avoid clicking on sponsored ads: Conduct a direct search for your retailer of choice to avoid falling prey to prevalent malvertising tactics which have been known to spoof even huge, reputable brands such as Amazon.
- Consider a Password Manager and MFA: With every site requiring a password these days, leverage a password manager to protect your payment information and set up multi-factor authentication where available.
- Keep an eye on your financial statements: An uptick in online shopping deserves an uptick in your vigilance for checking online bank accounts, credit card statements, investment portfolios—any financial account data. Flag anything that seems suspicious for quick resolution. Also consider investing in an identity theft protection solution.
- Run an antivirus solution: Most antivirus products offer some kind of web protection that detects malicious domains and IP addresses, including Malwarebytes Premium which offers web and phishing protection.
- Use Malwarebytes Browser Guard: A free browser extension for Chrome, Edge, Firefox, and Safari that blocks scams, ads, trackers, and other types of malware. It stops users from going onto phishing sites, entering information into unsafe domains and downloading malware. It also blocks web trojans and credit card skimmers.
- Clean up your personal data online: Mitigate risk by cleaning up publicly available personally identifiable data and see what’s for sale on the dark web. Anyone can check what information is already available about you on the dark web with the Malwarebytes free Digital Footprint scan or take the first step in removing your personal information from the network of data brokers online with a Personal Data Remover scan.
- Remember: If it’s too good to be true then it probably is. Discounted items are tempting, especially at a time of year when lots of spending takes place, but these often amount to nothing. Instead, research the best deal at reputable retailers.
To read more about the latest threats and cyber protection strategies, visit the Malwarebytes blog, or follow us on Facebook, Instagram, LinkedIn, TikTok, and X.
SHARE THIS ARTICLE