2023 Press Releases

November 20, 2023

Check Point Research: Cyber Schemes in November Shopping, Exploiting Luxury Brands

As the holiday season kicks into gear, the online shopping landscape becomes a bustling hub of activity. However, amid the excitement of finding the perfect deals, there's a lurking danger that shoppers need to be aware of—cybercrimes targeting unsuspecting victims.

In this article, we delve into the alarming tactics uncovered by Check Point Research (CPR), where luxury brands are exploited as bait to lead users into clicking on malicious links. Join us on a journey through the virtual marketplace as we unravel the schemes and offer essential insights to help you shop securely in November and beyond.

A Luxurious Click That Might Cost Even More Than You Realise
As the November shopping frenzy approaches, Check Point Research has unearthed a concerning email pattern employed by hackers. This deceptive tactic involves the spoofing of renowned brands, such as Louis Vuitton, Rolex, and Ray-Ban. The hackers craft enticing emails promising steep discounts on these luxury products, with the email addresses cleverly manipulated to mimic the authenticity of the brands. Despite the appearance of legitimacy, a closer look reveals that the email origins have no connection to the actual luxury companies.

Upon clicking the tempting links within these emails, unsuspecting victims are led to websites meticulously designed to replicate the official sites of the targeted brands. These fraudulent sites then peddle luxury goods at unbelievably discounted prices, creating an alluring trap for potential shoppers. However, the real danger lies in the malicious intent behind these sites, as they prompt users to input their account details. This sensitive information becomes vulnerable to theft by attackers, highlighting the urgent need for heightened awareness and caution as we navigate the enticing realm of November shopping.

Here are some actual examples of the fraudulent websites of top brands this November:

Figure 1: Screenshot of fake Rolex website, with slashed prices starting at $250

Figure 2: Screenshot of fake Louis Vuitton website, selling bags at up to 90% off

Delivery And Shipping Sectors
Check Point Researchers have noticed how cybercriminals are using the delivery and shipping sectors during this traditional shopping period. In October 2023, their findings revealed a staggering 13% increase in the number of malicious files associated with orders and delivery/shipping compared to October 2022. The escalating threat in these sectors underscores the evolving tactics of cyber adversaries, urging heightened vigilance and proactive cybersecurity measures.

As mentioned in October 2023’s most wanted malware, CPR found a campaign of AgentTesla with Archive files delivered as attachments to emails using subjects related to orders and shipments, such as – po-######.gz / shipping documents.gz, luring the victim to download the malicious file. 

Below is another example of a campaign of emails impersonating delivery company DHL.

The emails were sent from a webmail address “DHL Express (support@dhl.com)” and spoofed to appear as if they had been sent from “DHL” (see figure 1) and contained the subject “DHL Delivery Invoice #############”. The content asked to download a malicious executable file “Invoice #############”.pdf.exe”, that would drop other malicious files using powershell. 

Figure 3: Spoofed DHL delivery email with file 

Phishing Websites
CPR also found examples of phishing websites, which have similar registered information and look similar to each other – offering well-known shoe brands at ridiculous prices. 

Figure 4: Fake website - www[.]reebokblackfridayoffers[.]com

Figure 5: Fake website - www[.]oncloudblackfridaysale[.]com

Figure 6: Fake website - www[.]hokablackfridaysale[.]com

Figure 7: Fake website - www[.]salomonblackfridaysales[.]com

Cybercriminals have invested significant effort in crafting deceptive websites that closely mimic authentic platforms, with major companies like the above examples being frequent targets of such spoofing. This strategy aims to trick end-users into willingly providing their credentials. URL phishing serves as a pretext for executing credential harvesting attacks, and when executed effectively, it can result in the theft of usernames, passwords, credit card details, and other sensitive personal information. Particularly, successful instances often prompt users to log in to their email or bank accounts. 

How To Identify URL Phishing
URL phishing attacks use trickery to convince the target that they are legitimate. Some of the ways to detect a URL phishing attack is to:

  • Ignore Display Names: Phishing emails can be configured to show anything in the display name. Instead of looking at the display name, check the sender’s email address to verify that it comes from a trusted source.

  • Verify the Domain: Phishers will commonly use domains with minor misspellings or that seem plausible. For example, company.com may be replaced with cormpany.com or an email may be from company-service.com. Look for these misspellings, they are a good indicator.

  • Check the Links: URL phishing attacks are designed to trick recipients into clicking on a malicious link. Hover over the links within an email and see if they actually go where they claim. Enter suspicious links into a phishing verification tool like phishtank.com, which will tell you if they are known phishing links. If possible, don’t click on a link at all; visit the company’s site directly and navigate to the indicated page.