Advanced Cyberthreats Targeting Holiday Shoppers

December 2, 2024

The holiday season is a boom time for e-commerce worldwide: Black Friday and Cyber Monday drive sales on every major e-commerce platform, and further waves of traffic continue up until the new year. The large amount of money changing hands naturally attracts threat actors, who all want their own piece of that pie. Scams during the holiday season have been common for years, but the innovations of generative AI have made them more dangerous than ever before.

This year, one of the biggest issues individual consumers have to watch out for is phishing emails with lures crafted by generative AI programs such as ChatGPT. With new training data, these tools can be used to generate lures impersonating trusted brands, creating phishing emails purporting to be from retailers and banks. Investigators have identified dark web discussions in which hackers discuss how to manipulate ChatGPT into producing better lures. Connected to these phishing attempts are the numerous attempts by threat actors to create lookalike websites impersonating trusted brands in order to intercept retail traffic. These have become more complex as well, with threat actors taking greater advantage of zero-day vulnerabilities to penetrate e-commerce platforms and set up their own duplicates, as well as to deploy credit card skimmers to intercept traffic. The data intercepted this way has an extensive market on the dark web, where threat actors realize their gains by selling stolen gift cards, stolen credit cards, and even compromised e-commerce website databases.

It is not consumers alone who face dangers during the holidays. This year, businesses are also being targeted through the same processes that target consumers. Phishing scams and fake websites are used to trick these businesses into providing access, allowing threat actors to compromise databases and harvest valuable data that can be sold on the dark web. Anyone can be a potential target of these attacks, and both consumers and sellers should be wary during the holiday season. Everyone should be educated on the dangers of phishing, but businesses in particular need to verify that they have strong access controls, especially in sensitive areas such as admin panels.
