Category: Adversary Intelligence | Industry: Global | Motivation: Financial

THREAT
- Threat actors are hosting websites for malicious campaigns centered around the “Black Friday” theme.
- E-commerce, cryptocurrency, and travel are prime targets.

IMPACT
- Compromised PII and banking credentials can be used to perform unauthorized transactions and social engineering attacks.
- Delivery of malware, ransomware, and stealers.

MITIGATION
- Avoid clicking on suspicious links.
- Install and update antivirus.
- Use strong passwords.
- Enable MFA across logins.
- Check for anomalies in accounts and transactions.
Executive Summary
Researchers at CloudSEK observed a series of threats and potentially malicious campaigns ahead of Black Friday 2022.
CloudSEK’s contextual AI digital risk platform XVigil discovered hundreds of Black Friday themed domains registered and operational. Common forms of attack included the impersonation of legitimate websites, the use of Google/Facebook ad services, and the spread of malicious applications.
Black Friday Themed Cyber Threats
Impersonation of Legitimate Websites
Website cloning is a common technique used by attackers of all levels of sophistication to host fake instances of legitimate websites. This is done to harvest personally identifiable information (PII), credentials, and banking details. The data is then sold on dark web forums or leveraged to launch social engineering attacks.
For example, the website shown below is a fake domain that impersonates “Shoe The Bear”. It was hosted on fzmvih[.]top and advertised a Black Friday sale.
Figure: Cloned website impersonating https[:]//shoethebear[.]com/pages/about
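To show how a defender would triage the kind of domain data behind the observations above, here is an added example (not CloudSEK's or XVigil's code) that flags Black Friday themed domains and brand lookalikes in a feed of newly registered domains. The keyword and brand lists are assumptions, and the feed is constructed apart from the two defanged domains the report itself names.

```python
# Added example, not CloudSEK's or XVigil's code: triage a feed of newly registered
# domains for Black Friday themes and brand lookalikes. The keyword and brand lists
# are assumptions; the feed is constructed, except for the two defanged domains the
# report itself names (fzmvih[.]top and eth-blackfriday[.]com).
import re
from difflib import SequenceMatcher

THEME_KEYWORDS = ("blackfriday", "black-friday", "cybermonday", "bfsale")
PROTECTED_BRANDS = ("shoethebear", "metamask")  # brands to watch; assumed list

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'fzmvih[.]top' back into a plain string."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")

def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'eth-blackfriday' for 'www.eth-blackfriday.com'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def brand_similarity(label: str, brand: str) -> float:
    """Similarity (0..1) between a label with hyphens/digits stripped and a brand name."""
    cleaned = re.sub(r"[^a-z]", "", label)
    if brand in cleaned:  # brand embedded in a longer label, e.g. shoe-the-bear-sale
        return 1.0
    return SequenceMatcher(None, cleaned, brand).ratio()

def classify(domain: str, threshold: float = 0.8) -> dict:
    """Flag a domain as Black Friday themed and/or a lookalike of a protected brand."""
    plain = refang(domain)
    label = registrable_label(plain)
    themed = any(k in label for k in THEME_KEYWORDS)
    brand, score = max(((b, brand_similarity(label, b)) for b in PROTECTED_BRANDS),
                       key=lambda pair: pair[1])
    lookalike = score >= threshold
    return {"domain": plain, "themed": themed, "lookalike": lookalike,
            "brand": brand if lookalike else None, "score": round(score, 2)}

def triage(feed) -> list:
    """Keep only domains worth an analyst's attention, most suspicious first."""
    hits = [r for r in map(classify, feed) if r["themed"] or r["lookalike"]]
    return sorted(hits, key=lambda r: (r["lookalike"], r["themed"], r["score"]), reverse=True)

# Constructed sample feed: two indicators from the report plus invented entries.
SAMPLE_FEED = ["fzmvih[.]top", "www[.]eth-blackfriday[.]com", "shoe-the-bear-sale[.]shop",
               "shoethebaer[.]top", "example[.]org"]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED):
        print(hit)
```

Note that fzmvih.top, the host of the cloned Shoe The Bear page, is not flagged by any name heuristic; a feed triage like this has to be paired with content checks (page title, copied HTML, favicon) to catch randomly named clone hosts.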
Spread of Malicious Applications
Malicious applications use themes such as ‘Black Friday’ to increase downloads and drive traffic. For example, the Black Friday application shown below (suspected to be malicious) has been around since 2015 and is available on a third-party app store (see Appendix).
CloudSEK’s BeVigil mobile app security scanner identified that the app requests several high-risk permissions such as ‘Camera’, ‘Fine location’, and ‘Coarse location’. It is also detected as AppRisk:Generisk by antivirus programs, which means it can perform unwanted actions on the device it infects.
Figure: Android application targeting Black Friday
Figure: BeVigil identified risky app permissions requested by the application.
Observations from Cyber Crime Forums
Cybercrime forums across various languages are rife with chatter about Black Friday. While some actors are promoting their malicious services and campaigns, others are looking to use them. For example, the post below shows a threat actor looking for Google and Facebook ad services, probably to promote a fake Black Friday themed shop.
Figure: Threat actor seeking ad services on Google and Facebook
Threat actors also offer Black Friday discounts on their own services and products. One such instance was HostSlick[.]com, which is reviewed, used, and rated by various threat actors on the forum.
Cryptocurrency Scams
CloudSEK researchers discovered an Ethereum giveaway scam website. Fraudsters lure victims into transferring Ethereum by promising to double any cryptocurrency investment made through the site.
- The scammers use the occasion of Black Friday to host such schemes, in which participants must transfer some ETH to qualify.
- The ETH address shared by the fraudsters has 340 transactions on the Ethereum blockchain. It has received ~990 ETH (USD 1,149,078), and the current balance of the address is ~124.79 ETH (USD 144,728).
- A scam report has been generated for this ETH address, indicating that the fraudsters leverage every significant event to mint money (see Appendix).
Figure: Crypto scam website - https[:]//www[.]eth-blackfriday[.]com
Open Web Results
Various victims and researchers are actively using social media to spread awareness about such ongoing scams across the globe.
Figure: A tweet claiming to provide 5000 free return tickets to Europe
The post describes messages circulating on WhatsApp under the title “Black Friday Contest 2022” that claim to provide 5,000 free tickets. Various posts suspect the link to deliver malware. Soon after it was reported on social media, the link was taken down.
Appendix
Figure: Fraudsters providing their Ethereum address for ETH transfers
Figure: Scam report associated with the ETH address, indicating a cryptocurrency scam around Black Friday