Bah Humbug and Other Consequences of Holiday Cyber Scams

The holiday shopping season has begun and is in full swing. And that means that the holiday scam and cyber attack season has begun as well. Here at DNSFilter, we’re trying to get the word out about some of the threats lurking about in cyberspace on as many different fronts as we can. 

Earlier this month, our CEO, Ken Carnesi, was featured in an article in the Wall Street Journal about the false sense of security some get from Private or Incognito Mode in web browsers (here’s the link on LinkedIn). Our blog featured an article discussing the Risks and Dangers of Using Open Wi-Fi Networks. We released a video about the common online scam risks of the holiday season. And most recently, our Sr. Director of Labs, Rebecca Gazda, hosted a webinar with the CEO of BforeAI, Luigi Lenguito where they discussed The Seasonality of Threats.

In that spirit, let’s discuss some of the most common threats that are common during the holiday season, how some of them work, and what you can do to help better protect yourself.

Common Types of Scams

Phishing Emails and Their Multimedia Cousins

Phishing emails are the most common type of attack during times like these. For the sake of clarity, the definition of phishing is a non-targeted email attempting to convince the recipient to click a link or take some other action that can allow an attacker to steal information. 

Common variants of phishing include:

Spear phishing– a phishing email that is targeted at an individual or group

Smishing– a technique that leverages SMS messaging rather than email

Vishing– uses a phone call or a voicemail to lure the victim

There are now even attacks that use QR codes (Suishing) rather than simple weblinks to mask some of the details. Or, sometimes it’s just a QR code by itself with the intention that human curiosity is enough to entice someone into scanning it blindly (HINT: don’t ever scan a QR code unless you know what it’s for and are confident you can trust that it is safe beforehand). 

Since we’re talking about related communications, we’ll briefly touch on direct phone calls as well. Many scammers still call potential victims directly (which almost certainly contributes to modern shifts in phone etiquette), and should be handled similarly as any of these scams. The best solution if you end up on the phone with a potential scammer is to find out who they are purporting to represent, get off the phone with them, find out an alternative number to contact their customer service department, and call them back via a route not provided or encouraged by the initial caller (if you still feel that’s even necessary).

Brand Impersonation Scams

Brand impersonation scams are looking to leverage the trust that individuals have in an established brand, especially those like you who are knowledgeable and wary about getting scammed. These kinds of scams use very official looking logos for nationally or internationally-recognized brands (often a downloaded image of their actual logo). They go out of their way to use the official color scheme that the company does and they follow the company’s style guidelines. Brand impersonation scams are often used in phishing schemes (as mentioned above) or sometimes in domain impersonations as well, building out very convincing copies of entire websites in order to trick a victim into believing they are the official site for the company–including registering very similar look-alike domain names and buying sponsored ads and search engine manipulation to foster trust.

Package Delivery and Sweepstakes Scams

These will be specifically tailored messages to convince you that you have a package that couldn’t be delivered or that you’ve won something important. They will ask you to click a link and enter some personal information—typically bank account information—to ensure they are “dealing with a real human”. This can be extremely effective against people during the holidays because of the increases in online shopping and delivery of presents. However, none of the major delivery companies typically operate this way. They can leave a note on your door if they were unable to deliver a package for most reasons. They will also generally have fairly reasonable holding times for packages that will not require emergency contact by email or text. 

In the case of scams using companies such as Amazon, threat actors can be looking for you to enter your credentials for the actual website. They know that many people have significant amounts of information stored in their Amazon accounts and that they can gain access to credentials like your credit cards. If there’s any doubt at all, there should be a location close enough for you to go in person and pick up a package if it can’t be delivered for some reason.

The allure of money can be hard to resist, especially when it involves a life-changing amount of it. But in almost all cases, you probably should unless you specifically registered for such a sweepstakes. Those sweepstakes contact you in non-emergency conditions to let you know that you “have a chance to win,” which also translates to not generally being worth the risk of responding and getting drawn into a scam. The bottom line is, if you aren’t expecting to be contacted for a sweepstakes then don’t trust it, and definitely don’t respond to them, don’t provide them with any information, and do not send them any money.

Social Media Scams and Impersonations

Many people nowadays live a significant portion of their lives through social media. That means that there are significant opportunities for collecting personal information, contact lists for new potential victims, and time-related opportunities like knowing when you’re going to be on vacation and where. With such high volumes of sharing going on, and most of the connections being related to real-life associates, trust is also very high, and the perceived value of the information is very low, when in reality malicious parties can sell or leverage that harvested data in a great number of financially beneficial ways.

Be very careful about requests for “new” accounts from people that you already have a link to, even if they are very convincing, including personal information, friends’ lists, and pictures. Attackers can clone all of the things from any public-facing account and continue to blossom across a social cluster, making it very difficult to discern which is real and which is not. If there is a question, reach out through external channels to verify with someone what is going on before you interact with an odd social media request, and if you’re in doubt then the harm from not responding at all should be minimal.

Malicious Download Sites

This is a slightly different kind of attack where the attackers compromise or impersonate some desirable resource and you end up in their network downloading something harmful. This can be something related to in-game purchases, the new cool app, redirected web traffic, or even programming libraries. Malevolent parties are lying in wait for you to come to them and download something and install it with the belief that it is something else. There’s not much to do for this other than to just be vigilant and watch closely for impersonations. Although even in the best of cases, sometimes even the legitimate sites result in these sorts of compromises, there are large numbers of security researchers watching for these kinds of problems, and if you wait for the initial furor to subside somewhat, they will often identify risky downloads within a reasonable amount of time.

Common Indications of a Scam

One of the major keys to the success of a scam is urgency. That urgency can be threatening (“if you don’t respond by a certain time then you will be arrested”), opportunistic (“reply within a certain time window to receive unbelievable deals”), or covetous (“click on this link and you can get this thing that you want”). The urgency is a technique intended to disrupt the victim’s reasoning so that even if they have suspicions about the communication being a scam, they will participate anyway.

Another required component of a scam is a communication medium under the attacker’s control. In many scams, this will be a weblink. Other times it will be a QR code, or in others it can be a phone number to call or an email to contact. In almost all scenarios, the best thing to do with any kind of unsolicited weblink or QR code is to simply not use it. However, sometimes you may not have a choice for a number of reasons. If you do have a reason to follow an unsolicited link, many weblinks have a small safety factor in that they can be hovered over and they will reveal the actual URL to be resolved. If it looks suspicious for any reason then don’t follow it if you have a choice.

Finally, sometimes just the nature of what you’re dealing with should be a huge red flag. Be very careful of any link that uses URL shorteners. Not all shortened links are dangerous, but it is a great way for attackers to hide obviously harmful links, and they are used often by bad guys for that reason. Also, if you’re being asked to pay in non-traditional systems, such as gift cards, pre-paid debit cards, cryptocurrency, or wire transfers, then the transaction is almost certainly illegitimate. Those kinds of funds transfers are preferred by scammers specifically because they do not carry the consumer protections of the traditional payment methods. In fact, most government agencies aren’t authorized or capable of accepting payment via such mechanisms, even in an emergency situation, so it is almost guaranteed to be a scam.

What to Do if You Think You Are Being Scammed

It can be very tempting to mess with a potential scammer if you are fairly confident that you are being targeted. While it may be rewarding in that it wastes the scammer’s time, and subsequently reduces their success rate and may potentially prevent an attack or two against others, this is not recommended. There is always the potential that you could make a mistake that the scammer could capitalize on, even if you don’t realize it.

The critical first step, as we already mentioned, is to not click links or scan QR codes from unsolicited sources. Sometimes you don’t have that luxury, however, or the urgency component is very compelling. If you do feel like you have to engage with an unsolicited communication, take steps to take that control away from a potential scammer. Copy any URLs or domains and change their appearance to a different font. Pick one that has the opposite serif option and one that uses different kerning, like moving to a fixed-width font.

If you aren’t sure whether a message is from a scammer or not, or you still feel compelled to answer them just to be safe, do a search for the company’s actual customer support number or email via your favorite search engine and contact them that way. Most reputable companies will have that information available, and if they are trying to reach you, particularly if it’s urgent, then there will also be a record of that in their customer service system. You can also search a particular domain, phone number, or other unique information and see if any links come up identifying it as a scam. If you are particularly technically capable, you can search through open-source intelligence communities such as VirusTotal, URLscan.io, or AlienVault OTX and see if they can tell you anything.

But even if you do click a link, scan a QR code, or answer a malicious text, it’s not always too late. You can’t erase any information you’ve already sent them (so do your best not to share any data before you’ve verified the source), but if it is the kind of attack that connects your computer directly to your attacker’s, then it can be effective to just disconnect from whatever network you are attached to. These types of sessions often won’t be able to reconnect once the connection has been broken. There are things that can survive a broken session, but if you stop the session fast enough then you may keep them from getting installed. It’s generally better to disconnect from the network, even gracelessly, than to reboot because some attacks don’t take effect until the computer restarts, the browser is reopened, or the user logs on again. But if it’s urgent, it’s better to shut down and restart than to do nothing at all. If you know how, it’s good to monitor your running processes (or applications) and run a good antivirus check. It’s not a bulletproof solution, but it should cover most of the threats of an average scam.

Ultimately, the most important advice is to be smart, be careful, be vigilant, and SLOW DOWN. Wait 30 minutes to an hour before you respond to anything that seems like a scam, and allow your brain to reason through the problem a little bit. These attacks are designed to make you respond without thinking while your adrenaline is pumping. Taking a few minutes to step back and let that initial panic pass isn’t going to make much of a difference to the urgency, even if it claims to be something immediate like in the next 24 hours. But it will make all the difference in being able to find the flaws and see the manipulation techniques that can lead you to see through the ruse.

And for added protection that helps avoid being scammed altogether, try DNSFilter on your network free for 14 days.