Holiday phishing season: Your guide to staying scam-safe

Marcus White | 24th Nov 2022

For many of us, the Thanksgiving and Christmas period is a chance for some well-deserved downtime. For cybercriminals, not so much. The holiday season is one of the most productive time of the year for the Phishing-as-a-Service (PhaaS) industry.

Online retail sales spike around holidays, creating more opportunities to catch people out with phishing emails and spoofed websites. Tempting deals and time-sensitive bargains serve as the perfect lures, which is why the FBI, CISA and UK law enforcement all warn of increased cybercrime around holiday periods.

Last year, published by Egress in partnership with Orpheus Threat Intelligence showed a 397.5% increase in phishing kits alone from September to November 2021. We also saw scams related to shipping and delivery double over the same period. Unfortunately, there's every reason to expect the same this year.

In this guide, we’ll run you through:

  • What phishing kits are and how they work
  • Data on phishing kits and typosquatting domains
  • Real-life examples of Black Friday phishing kits for sale
  • How the online cybercrime marketplace works
  • Tips on staying safe this holiday season

What’s a phishing kit?

One reason behind the general spike in cybercrime is the fact it’s become so easy to get started. The crime-as-a-service marketplace has allowed criminal gangs to diversify, specialize, and sell their knowledge and software to anyone in the world. This has greatly lowered the technical and monetary barriers of entry to cybercrime. One highly popular product is a ‘phishing kit.’

Phishing kits usually contain email templates as well as the back-end code for spoofed websites designed to harvest login details or download malware. They can closely resemble real brands’ sites and look seriously convincing. Once you’ve completed the desired action (such as submitting credentials or payment details), most will also refresh and put you onto the real site, which makes it even harder to realize you’ve been scammed.

We’re seeing features aimed at making it even easier for lower-skilled cybercriminals to carry out phishing attacks. Just like a legitimate online marketplace, phishing kit sellers will have trust scores and reviews rating the success of their products. To further lower the barrier of entry, they’re advertising on the clear web in addition to dark web forums, even offering subscription models like a SaaS (software-as-a-service) vendor would.

Black Friday bargain? Check twice!

Our research showed a major increase in phishing kit activity between September and November 2021, specifically targeting retail and e-commerce platforms such as Amazon in the run up to Black Friday. There was a 397.5% increase in domains associated with phishing kits from September to November – and this trend has continued over the 2022 Thanksgiving and Christmas period.

Our findings also showed that Amazon is being targeted in a big way.

As the e-commerce platform of choice for many people, it’s a prime target. Between October and November, we saw a 55% increase in kits targeting Amazon as cybercriminals got their phishing infrastructure in place to catch unsuspecting online shoppers ahead of Black Friday.

In addition, we saw 6,643 active typosquatting domains being set up to target holiday shoppers. Typosquatting is where criminals target internet users who enter URLs incorrectly, for example ‘www.amazan.com.’ Out of all the typosquatting domains we found, Amazon was the most targeted with 3,850 active domains set up for phishing three times as many as those detected for than the popular online auction site eBay and over four times as many as for retail giant Walmart.   

The online scam supermarket

Cybercriminals begin posting on dark web (and some clear web) sites in the run-up to Black Friday. The sellers will usually offer digital goods such as email validation tools or credential lists. Just like legitimate businesses, they’ll post black Friday deals to entice other cybercriminals to purchase their products.

One Russian-speaking forum user (figure 1 below) was using Black Friday to promote the sale of stolen accounts for a variety of fintech companies and cryptocurrency exchanges. This would help the buyer to avoid Know Your Customer (KYC) and anti-money laundering (AML) processes. Although unconfirmed for this seller, these accounts were likely obtained via social engineering techniques like phishing or via breached credentials of third-party services.

Figure 1: Black Friday sale for stolen accounts

We were also able to find a post on a dark web forum (figure 2 below) that showed a user applying a Black Friday discount to a custom inbox validation tool. The tool is likely used by cybercriminals to anonymously access email inboxes and validate the credentials they’ve stolen via phishing.

Figure 2: Black Friday sale for an inbox validation tool

There are also examples of customers making requests. We were able to find cybercriminals registering interest for Black Friday themed phishing kits, as demonstrated by the following post on a Russian-language cybercriminal forum (Figure 3). The user expresses interest in purchasing phishing kits or landing pages that are “on the theme of Black Friday” and provides their Telegram handle for further communications.

Figure 3: Dark web forum users looking to purchase "Black Friday" phishing pages

Real-life phishing kit examples

It’s a misconception that phishing kits are restricted to dark web marketplaces. Our first example ‘16Shop’ is a website that can be accessed from the clear web (the part of the internet publicly accessible from search engines).

For $60, cybercriminals can buy an Amazon phishing kit capable of supporting multiple languages (English, French, German, Japanese). It can farm email logins from providers including Gmail, Outlook, Love, Yahoo and Yahoo Japan, and AOL. It then prompts users to take pictures of their credit cards to steal their payment information.

Figure 4: 16shop's capabilities page for their Amazon phishing kit

One interesting capability of the 16shop phishing kit was the automated checking of IP addresses that reached the phishing domains using a service called antibot[.]pw. This prevents automated security tools/bots from checking the phishing domain prior to users being redirected to them. It’s indicative of a wider trend of phishing kits adding advanced security evasion to their products to ensure victims fall for the phishing page.

Figure 5: 16Shop tutorial for registering phishing domains on the platform

Another phishing kit operator, FreakzBrothers, was selling Amazon phishing kits for $40, offering a polished Phishing-as-a-Service (PhaaS) product. It even comes with a reporting dashboard that can be used to easily track campaigns, victims, and harvested information. These operators also boast about the antibot capabilities on their platform.

Figure 6: FreakzBROTHERS listing for their latest Amazon phishing kit

Figure 7: FreakzBrothers phishing kit platform

Costs can vary between the different phishing kits on offer. For example, FishPanel (Figure 8) advertise a premium subscription service costing $499 upfront and a monthly subscription fee of $199. This gives buyers access to a platform with over 20 pre-loaded phishing kits that target various financial institutions and retail brands. Subscribers also receive an extra 15 phishing kits that are added to the platform each month.

Figure 8: FishPanel users have a variety of phishing kits to choose from on the platform

Buyers can request custom pages from the platform operators, which are advertised as “hand-made” from scratch (Figure 9). This means HTML code isn’t duplicated, helping to further avoid detection from blocklists and secure email gateways (SEGs). The platform also allows customers to customize the information-farming forms displayed to victims on the phishing pages, with the option to be notified via Telegram when new victims have been phished (Figure 10).

Figure 9: FishPanel dark web post specifying custom page creation capabilities

Figure 10: FishPanel operators showing off their Telegram integration

Sorry we missed you! Mailing and shipping scams

Cybercriminals aren’t just targeting people at the buying stage. We’ve analyzed millions of emails and found a 35% rise in the amount of scams related to shipping and delivery around the holiday season. Hackers impersonate mail and shipping brands such as DPD, Amazon, and UPS.

It’s a familiar frustration. You’ve cleared your schedule and made sure you’re at home during the delivery window. Despite listening out for the doorbell all day, a ‘Sorry we missed you’ email pops into your inbox. At this point, many of us will angrily click the link to track our package and rearrange the delivery for as soon as possible. Then one hour later the doorbell goes and your package arrives…

There’s always an uptick in these scams around the festive period, but this year it’s come earlier and the rise has been sharper. With concerns around global supply chains and electronics shortages, it’s likely that people have started buying earlier than they normally would. So, the cybercriminals have started earlier too.

UPS phishing email: Source, BleepingComputer

Can we stop phishing kits?

Phishing kits are tricky to clamp down on. Modern kits can be sophisticated and avoid initial detection by traditional anti-phishing tools. Most tend to live for around 36 hours before they’re caught – which is plenty of time to fool a wide range of victims. Cybercriminals are persistent and well-aware of the short lifespan of a phishing kit. Once one has been shut down, they simply put another up in its place and the clock resets.

You can learn to spot the signs of phishing, and many organizations spend thousands training their employees to. However, some phishing kits can even make cyber experts look twice. We can’t expect end users to catch the most sophisticated phishing emails – as we need them to catch them every time. The best protection for end users is help from intelligent technology.

Egress tips on staying safe

Jack Chapman, Egress VP of Threat Intelligence, offers the following tips for spotting a phishing attack this holiday season:

  • Look for spelling mistakes – one of the easiest ways to spot a phishing email is to look for spelling and grammar mistakes. It’s rare to see spelling errors in a legitimate email from a big brand; often, this is a telltale sign that the email is a scam.
  • Check the email domain – cybercriminals will frequently use an email domain that is similar, but not identical to, the domain used by the brand they’re impersonating. Look closely for small differences, for example numbers where there would usually be letters, or repeated letters. For example, an email from info@amaz0n.com or info@amaazon.com is likely to be a scam. It’s even more important to check this when you’re viewing an email on mobile, as often the full email address is hidden.
  • Hover over links before clicking – cybercriminals want to you click on the links in the email – it’s how they steal your passwords or credit card details, or get you to download malicious software on your device. You can often tell whether a link is legitimate by hovering over it, as this will show you a preview of the real URL. If the email tells you the link is going to amazon.com, but the preview says otherwise, it’s likely a scam.
  • Take your time – hackers are skilled at using social engineering techniques. These frequently rely on creating urgency and rushing you into doing what they want you to do – usually that’s clicking a link or opening a malicious attachment. Take a moment to stop and think before reacting.
  • Protect yourself with intelligent email security. Egress Defend uses machine learning and natural language processing to detect even the most advanced phishing threats. Learn more about Defend here, or claim your free demo and see it in action for yourself.

Interested in learning more about the Crime-as-a-Service marketplace? Download your copy of Phishing-as-a-Service: How cybercrime went commercial.