Full Report
Co-authored by: Sriram P and Deepak Setty

‘Tis the season for scams. Well, honestly, it’s always scam season somewhere. In...

The post ‘Tis the Season for Scams appeared first on McAfee Blog.
Analysis Summary
# Main Topic
Elevated threat activity focused on Social Engineering Scams targeting consumers during the holiday season (Black Friday, Cyber Monday, Christmas, and New Year), leveraging seasonal excitement, fake deals, and supply chain issues to induce fraudulent transactions or malware infections.
## Key Points
- Scam losses reported to the Internet Crime Complaint Center (IC3) reached over $4.1 billion in 2020, a 69% increase over 2019, which shows how high the stakes are during peak shopping periods.
- The primary vectors initiating scams during the holiday season are expected to be SMSishing, email-based Phishing, and push notifications.
- Techniques employed include creating a sense of urgency regarding limited-time deals, utilizing unbelievable discounts/gift cards, and deploying scare tactics (e.g., fake contact from FBI, IRS) or emotional appeals (e.g., romance scams, fake charity requests).
- Specific scam lures observed include fake online stores (non-delivery scams), bait deals due to supply chain issues, scams targeting the elderly for medical equipment/gifts, and gaming credit scams (e.g., PUBG Arcane Vbucks generator).
- One observed technical pattern involves social engineering landing pages that force users to complete surveys or grant permissions (such as push notifications) under the guise of "human verification" before they can claim a reward. The user ends up taking unwanted surveys instead of receiving the promised reward.
## Threat Actors
- Threat actors are generally opportunistic scammers taking advantage of seasonal consumer behavior (holiday excitement, urgency).
- Specific attribution is not provided, but actors target demographics including the elderly and gamers seeking free credits.
## TTPs
- **Social Engineering:** Leveraging holiday excitement, perceived supply chain shortages, and emotional vulnerability (fear, guilt).
- **Delivery Context:** Non-delivery scams (taking payment but never shipping goods).
- **Urgency/Scarcity:** Claiming low inventory or limited time offers to rush decision-making.
- **Luring and Baiting:** Offering deals on sought-after electronics or holiday gifts.
- **Phishing Vectors:** SMSishing, email phishing, and push notifications used to initiate contact.
- **Survey/Verification Scams:** Using fake progress bars and mandatory "human verification" steps that lead to survey completion or unwanted subscription solicitations (e.g., enabling push notifications).
- **Typo-Squatting:** Used in conjunction with phishing links.
## Affected Systems
- **End-User Devices:** Mobile phones and desktops targeted via SMS, email, and browser notifications.
- **Platforms Targeted:** Online shopping environments, gaming platforms (e.g., PUBG).
- **Vulnerable Groups:** Consumers engaging in online shopping, elderly relatives, and children seeking gaming credits.
## Mitigations
- **Vigilance on Pushed Content:** Be highly suspicious of anything pushed via unknown sources (email, SMS, social media ads, calls).
- **URL Validation:** Always hover over a link to inspect its destination before clicking. Use trusted free resources to validate domains and businesses before interacting:
  - `hxxps://trustedsource[.]org/`
  - `hxxps://www[.]virustotal[.]com/gui/home/url`
  - `hxxps://www[.]bbb[.]org/` (for business validation)
- **Handling Urgency/Scare Tactics:** Stop, think, and fact-check unexpected communication, especially if personal or financial information is requested. Do not divulge sensitive data over unexpected calls.
- **Donations:** If donating, use reputable, known organization websites directly rather than responding to unsolicited requests.
- **Notification Security:** Do not click "Allow" on unexpected popups requesting permission for website notifications, as these are frequently used for survey redirection campaigns.
## Conclusion
The holiday season presents a predictably heightened threat landscape dominated by social engineering scams that exploit shopping excitement and urgency. The report provides no specific technical IoCs (IPs, hashes) and instead emphasizes behavioral modification as the primary defense. Consumers must be cautious with unsolicited offers, rigorously validate URLs, and resist pressure tactics to avoid financial loss or potential malware exposure via survey/verification hoops. Educating family members, particularly vulnerable groups, is essential.