Someone who claims to be Cole’s really wants me to have a beautiful orange Le Creuset dutch oven.
The e-mail always states that this is the second time this chain department store has contacted me, but I have received this e-mail over and over again in the last few months, so this is the 50th attempt. I think it’s close to You probably have too. Maybe it’s not Cole’s. It could be Dick’s Sporting Goods or Costco. Regardless of who it’s from, the result is the same: you click the link, fill out some sort of survey, and get a free Yeti cooler, Samsung Smart TV, or that Le Creuset Dutch oven.
Of course those items never come. These emails are all phishing scams, or emails pretending to be people or brands you know and trust to get information from you. In this case, it’s a credit card number. This latest campaign is especially good at bypassing spam filters. So you may have noticed that your inbox has been flooded with these emails over the past few months. The fact that they landed in your inbox first and the realistic representation of the emails and the websites they link to make them more convincing than typical scam emails. It also increases during the season. So, there are some things you should be careful about.
“The Grinch bought a security company for Christmas and blocked IPs, so spam using a domain hopping architecture started arriving in our inboxes,” says security researcher Zach Edwards. he told Recode. A domain hop architecture is a series of redirects that route a user’s traffic to multiple domains, helping fraudsters hide their tracks and detect and block potential security measures.
Akamai Security Research identified a fraudulent campaign in a recent report. The basic idea behind the scam itself (impersonating a well-known brand and offering prizes in exchange for personal information) is not new. Akamai has been tracking this type of flaw for some time. But this year’s version is new and improved.
“This reflects an attacker’s understanding of how security products work and how they use them to their advantage,” said Or Katz said.
Basically, these crooks deploy many technical tricks to evade scanners and pass spam filters behind the scenes. This includes, but is not limited to, routing traffic through a combination of legitimate services such as Amazon Web Services. Malicious individuals can also identify and block his IP address for known fraud and spam detection tools, which also helps evade these tools, Edwards said.
According to Akamai, this year’s campaign also included a novel use of fragment identifiers. These appear as a series of letters and numbers after the hash mark in the URL. These are typically used to direct readers to a specific section of her website, but the scammers used them to direct victims to a completely different her website. Katz said some fraud detection services don’t or can’t scan fragment identifiers, which helps them avoid detection. That said, Google tells his Recode that this particular method alone isn’t enough to bypass spam filters.
“What we see in this recently published study is the use of new and sophisticated techniques that reflect adversaries’ intent to make attacks harder to detect and classify as malicious. It shows the evolution of fraud,” said Katz. “And as you can see, it works!”
But you see none of that. Just look at your email. At best it’s annoying and at worst it can trick you into giving out your credit card details to people who are supposed to use that information to buy many things on your tab in the first place. The fact that the email is in your inbox adds a veneer of legitimacy and can be more convincing than a typical phishing attack as both the email you send to the victim and the website look good. It seems to change depending on the season and time. His Akamai example I collected a few weeks ago has a Halloween theme. A recent phishing email directs users to his website promoting a “Black Friday special.”
“The literal holiday banner is unique, so it’s a cool new addition,” says Edwards.
And it’s all obviously deployed on a massive scale, which is why most people reading this are probably not just one of these emails, they’ve been onslaught for months .
Or, as one of my colleagues told me when he forwarded me an example of just one of the many scam emails he received in his Gmail inbox, “Help.”
A Google spokesperson told Recode that the company is aware of “particularly aggressive” campaigns and is taking steps to stop them.
“Our security team has confirmed that spammers are using another platform’s infrastructure to route these abusive messages,” they said. “However, even as spammers’ tactics evolve, Gmail is still actively blocking the majority of this activity. We are in contact with other platforms and his providers to resolve these vulnerabilities. And as always, we are working hard to stay ahead of the attack.”
Google recently published a blog post warning users about scams common during the holiday season, and fake gifts were at the top of the list.
“Received a great offer? Think twice before clicking the link,” writes Nelson Bradley, manager of Google Workspace Trust and Safety.
Google also noted that it blocks 15 billion spam emails every day. This is believed to be his 99.9% of spam, phishing, and malware emails sent to users. In the past two weeks, Bradley writes, he’s seen a 10% increase in malicious emails. To be fair, I think I have more fake call giveaway emails left in my spam filter than in my inbox.
The spokesperson added that Gmail users can use the “Report Spam” tool. This helps Google better identify and prevent future spam attacks. Beyond that, common practices to avoid getting phished tips still apply. Check the sender’s email address and destination URL. Never give out personal information, especially account passwords or credit card numbers. Think about why Coles decided to randomly give you a Le Creuset bakeware, or why Dick’s gives you a Yeti cooler worth hundreds of dollars just by answering a few basic survey questions. Look. The answer is no.
You can also buy physical goods at a physical store (or physical website) on Black Friday and provide your credit card details to a physical employee. Please do your best. A Google spokesperson said it expects fraud campaigns to “continue at a high rate throughout the holiday season.” So it will almost certainly continue after Black Friday is over.