Threat actors are using AI-powered phishing lures, sophisticated website cloning tools, and remote code execution (RCE) exploits to gain unauthorized access to shopping platforms this holiday season.
In a Nov. 26 blog post, FortiGuard Labs said that AI-driven methods let attackers craft convincing emails and replicas of legitimate websites to steal data or trick users into disclosing sensitive information.
“The report also highlights the growing use of deceptive holiday-themed domains that mimic trusted retailers to lure shoppers with enticing, but fraudulent offers,” wrote the FortiGuard researchers. “Sniffing tools are another critical weapon that enables cybercriminals to intercept sensitive data like credit card details during online transactions.”
Here are some of the report's highlights:
- Shopping-themed phishing lures leverage GenAI: Cybercriminals are using ChatGPT to craft convincing phishing emails, mimicking legitimate communications from retailers and banks. This increases the effectiveness of their scams, especially during peak shopping periods.
- Brand impersonation rampant: Threat actors are ramping up efforts to exploit online shopping trends. Thousands of holiday-themed domains are mimicking trusted brands like Amazon and Walmart and are registered to deceive consumers with fake offers and promotions. Popular platforms such as Adobe Commerce, Shopify, and WooCommerce are prime targets because of to weak configurations and outdated plugins. Attackers are deploying sniffers to capture customer data and using RCE exploits to gain admin access to shopping platforms.
- Darknet services fuel cybercrime: The FortiGuard Labs team has observed a surge in the sale of stolen gift cards, credit card data, and compromised e-commerce site databases. Phishing kits that let attackers set up advanced phishing operations, including services, are being sold for between $100 and $1,000, depending on complexity and customizations. Other services, such as sniffing and custom brute-forcing tools, are also readily available, enabling even low-skilled attackers to exploit vulnerabilities.
The Thanksgiving shopping season exposes retailers to “algorithm poisoning,” in which attackers manipulate dynamic pricing algorithms, said Jason Soroko, senior fellow at Sectigo. Soroko said by injecting false demand signals or exploiting vulnerabilities at the API level, attackers can trigger price drops or modify inventory systems, leading to any number of issues.
“Monitoring APIs for anomalies is a critical countermeasure,” said Soroko. “Loyalty account harvesting also is a potential threat as attackers use credential stuffing to exploit weak passwords, stealing rewards points for resale or fraudulent purchases. Many loyalty programs lack multi-factor authentication, making them easy targets. Retailers must enforce MFA, promote strong password practices, and adopt passwordless technologies to safeguard customer accounts.
Krishna Vishnubhotla, vice president of threat intelligence at Zimperium, added that during the holidays, consumers are flooded with offers and deals. Brands will hit people with persuasive offers with the hopes of tempting them to make a purchase. However, everyone must choose carefully which ads to click on,said Vishnubhotla.
Because employees may shop online and make purchases during business hours using work devices, organizations must protect their employees from phishing links, malicious QR codes, and malicious attachments in these emails across all legacy and mobile endpoints, said Vishubhotla.
“Bad actors are getting very creative in designing email campaigns that bypass traditional detection mechanisms,” said Vishubhotla. “Email attachments and links should be scrutinized by enterprises. Adopting a zero-trust security model and using encrypted communication for sensitive exchanges will further guard against malicious emails.”
