Avoid these scams this Black Friday and Cyber Monday

The Thanksgiving holiday is this Thursday, the unofficial start to the Christmas shopping season in the US, followed by Black Friday and Cyber Monday.

People will surely go online in droves searching for deals, and cybercrooks and scammers know this is the perfect time of year to take advantage of those who aren’t aware of the risks.

For the past few days, SophosLabs has seen plenty of spam promoting suspicious and deceptive websites under the guise of great deals.

In one example, our spam traps caught a message purporting to offer Black Friday deals on “the car of your dreams.”

[Image: the Black Friday “car of your dreams” spam email]

The email claimed to be from JC Penney, a well-known US retailer that sells affordably priced clothing and home goods, not cars.

The email wasn’t really from JC Penney at all, of course – the “from” header was forged – and the Black Friday auto deals don’t exist.

If you click on the image in the email, you’re taken to a blank website that immediately redirects you to another website hosting ads for a variety of deals, for everything from home and auto insurance to diet, online education and travel deals; the car deal is “no longer available.”

[Image: the spam redirect website]

SophosLabs researcher Biprotosh Bhattacharjee tells me that this is a common technique for spammers who can change out the “default” content of the website at any time and replace it with scams or malicious webpages.

Another suspicious “deal” SophosLabs saw this week was spam offering deep discounts on Ugg boots, which normally retail in the US for upwards of $100, but the email subject line claimed to offer Uggs “on sale” for only $65.

The spam links to a domain with “Black Friday 2015” in the URL, a website which redirects to another site offering “crazy” Thanksgiving deals on Ugg boots, and displays an Ugg logo.

[Image: the Ugg scam website]

Looking more closely, however, we can see there are several indicators that this website is a scam, beyond the obvious typo (“Thanksgivin”).

The biggest warning sign is that the scam website does not use the URL of the actual Ugg website (uggaustralia.com).

And if you attempt to purchase any of the items, you’re taken to an insecure payment page that doesn’t use HTTPS (a genuine HTTPS connection is signified by a padlock in the browser address bar).

The payment page asks for your credit card information, but there is only one option in the card-type dropdown menu, which doesn’t differentiate between the different types of credit card, such as Visa or Mastercard.
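The warning signs just described (a blank page that bounces the visitor to a different site, a brand name in the URL but not the brand’s own domain, and a checkout served without HTTPS) can be checked mechanically. The following Python is an added example, not code from Sophos or from the post; the redirect chain is constructed to resemble the Ugg case, and every hostname in it is a placeholder.

```python
from urllib.parse import urlparse

# Constructed sample of what a sandbox would record when the spam link is
# followed: each hop is (url_requested, http_status, Location header or None).
# Hostnames are invented placeholders, not the real scam sites.
SAMPLE_CHAIN = [
    ("http://black-friday-2015-deals.example/landing", 302,
     "http://crazy-thanksgivin-uggs.example/shop"),
    ("http://crazy-thanksgivin-uggs.example/shop", 200, None),
    ("http://crazy-thanksgivin-uggs.example/checkout", 200, None),
]


def registrable_domain(host):
    """Crude brand-domain extraction: the last two labels of the hostname.
    Assumption: no multi-part public suffixes (co.uk etc.) in the input."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_chain(chain, brand_domain, brand_keywords):
    """Return warning strings for a redirect chain that ends on a page
    claiming to sell the given brand's products."""
    warnings = []
    hosts = [urlparse(url).hostname or "" for url, _, _ in chain]

    # 1. A redirect hop that crosses to a different site: the "blank page
    #    that bounces you elsewhere" pattern, whose target can be swapped.
    for i, (url, status, location) in enumerate(chain):
        if location and 300 <= status < 400:
            dst = urlparse(location).hostname or ""
            if registrable_domain(dst) != registrable_domain(hosts[i]):
                warnings.append(f"hop {i}: redirect from {hosts[i]} to {dst}")

    # 2. Brand name used in a URL whose host is not the brand's own domain.
    flagged_hosts = set()
    for (url, _, _), host in zip(chain, hosts):
        looks_branded = any(k in url.lower() for k in brand_keywords)
        if looks_branded and registrable_domain(host) != brand_domain.lower():
            if host not in flagged_hosts:
                flagged_hosts.add(host)
                warnings.append(f"brand name in URL but host is {host}, not {brand_domain}")

    # 3. The final (checkout) page is served without TLS.
    final_url = chain[-1][0]
    if urlparse(final_url).scheme != "https":
        warnings.append("final page is not HTTPS")
    return warnings


if __name__ == "__main__":
    for w in assess_chain(SAMPLE_CHAIN, "uggaustralia.com", ("ugg",)):
        print("WARNING:", w)
```

Run against the sample chain it reports the cross-site redirect, the off-brand host and the plain-HTTP checkout; a chain that stays on the brand’s own HTTPS site produces no warnings.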

Although it’s tempting to believe offers for items priced well below retail, there’s a good chance these “Ugg” boots are cheap knock-offs – Ugg itself has warned customers that it has worked with law enforcement to take down over 60,000 sites offering counterfeit versions of its products.

Don’t fall for online deals like this. So-called affiliate networks help spammers to make money by driving people to these websites offering knock-off versions of well-known brands, like Apple products and even prescription drugs like Viagra.

In general, Naked Security writer and Sophos expert Paul Ducklin says, you should steer clear of super-cheap product offers that arrive in unsolicited emails:

Even if you think that the crooks will take every care with your payment details and your identity, and even if the goods you are buying turn out to be the genuine article, why give these guys your business? Instead, ask yourself, "Do I consider a spam campaign to be the basis of a business relationship founded on mutual trust?"

Tips for safe online shopping

  1. If it sounds too good to be true, it IS too good to be true. There is no such thing as a free iPhone 6!
  2. Never fill in purchase details on a website that doesn’t use a secure (encrypted) connection. Don’t be fooled by padlock images in the webpage itself: look for the padlock in your browser’s address bar.
  3. Don’t click on links in unsolicited emails. Those links could land you on a phishing website or a website that will infect you with malware via what’s known as a drive-by download. Always type in the website address, but be careful of mistyped addresses where cybercrooks may be squatting. Bookmark the sites you typically visit for shopping, banking, etc.
  4. Watch out for sites that ask for way too much information, such as your card PIN (which is never used online), your Social Security number or your national ID number. And never share your passwords. IF IN DOUBT, GIVE NOTHING OUT!
  5. Scrutinize your bank statements. Check your bank account transactions regularly for signs of fraud, particularly after making purchases online. If you discover payments that you can’t identify, notify your bank immediately.

Image of mega-explosive sale sign courtesy of Shutterstock.com.