It’s that time of the year again, and no matter what holiday or tradition you choose to observe (or even if you choose to observe nothing), it’s not unusual to spend time with friends and family, share good food, exchange gifts, and go out of your freaking mind in the process. The retail push that bombards us from September onward – a double entendre appropriately labeled ‘Christmas Creep’ – is a minefield of spam that sheds any dignity as it comes at us in many forms. Store displays, television ads, printed fliers, and of course, endless email messages, are merely directives from retailers informing us that while we’ve been good all year, they fully expect us to go deep into debt come December 25th.
Sounds like fun, doesn’t it? Call it Christmas, Hanukkah, Kwanzaa, or whatever you prefer, this time of the year will test even the strongest of us, leaving nothing but a quivering mass of jelly by the time it’s all over – a likely reason why so many people voluntarily pickle themselves on New Year’s Eve. If that wasn’t bad enough, it’s made worse by the sobering realization that, like retailers, scammers are out in full force this holiday season, preying on people who are so inundated with the stress and flurry of activity that they often can’t tell the difference between a legitimate email and a spam message.
Spammers are opportunists. They use human weakness to their benefit, exploiting people and capitalizing on the things that make us vulnerable. We see these exploits all the time, but no time of the year is more dangerous than right now. Brian Krebs writes, “Malware purveyors and spammers are blasting these missives by the millions each day in a bid to trick people into giving up control over their computers and identities.” He’s talking specifically about ‘order confirmation’ emails, and while those among us who live for security can spot these things from a mile away, remember that most people aren’t attuned to the tactics of scammers, and they’re not naturally skeptical.
The order confirmation is particularly wily, and you have to admire it for what it is. Emails are blasted out to mailing lists, well-crafted messages designed to look like the real deal. Scammers choose retailers that trick people into believing it. Walmart, Amazon, Target, Costco, and so-on. These scams work because the general public is trying to deal with the flurry of activity and stress that come with the holiday season. Krebs points out that seasonal scams are “a perennial scourge of the holidays, mainly because the methods they employ are reliably successful. Crooks understand that it’s easier to catch would-be victims off-guard during the holidays. This goes even for people who generally know better than to click on links and attachments in emails that spoof trusted brands and retailers, because this is a time of year when many people are intensely focused on making sure their online orders arrive before Dec. 25.”
Krebs says that, according to security firm Malcovery, order confirmation scams typically began around American Thanksgiving in late November. Thanksgiving is the symbolic and de facto beginning of the retail feeding frenzy that engrosses people during the holiday season. The order confirmation scams, according to Malcovery, “use both booby-trapped links and attached files in a bid to infect recipients’ Windows PCs with the malware that powers the Asprox spam botnet.” Asprox is a Trojan that harvests credentials from infected machines, turning the host into a zombie and committing Asprox malware attacks. “The malware also deploys a scanning module that forces hacked PCs to scan websites for vulnerabilities that can be used to hack the sites and foist malware on visitors to that site.”
Keep in mind that this is just one of the many exploits that scammers utilize to compromise unwitting users. But it’s worth detailing because of it’s particularly nasty implications. People order online, and with each passing year, more people are realizing the benefits of staying home and making purchases in front of the warm glow of the computer monitor. Black Friday, the day after Thanksgiving, has always been the biggest retail day in the United States, and while it’s recently taken off in other countries as well, this year saw a drop in Black Friday sales, while Cyber Monday (the Monday after Thanksgiving) has shown marked increases, 15.7% over last year, according to one report. More online purchases means more likelihood that spam order confirmations will reach unwitting users who are ready, willing, and able to click those malicious links.
To add insult to injury spammers are compromising email accounts as well as social media in the guise of sharing holiday photos. Recently we saw a customer whose mail was compromised via a phisihing attempt claiming a friend had wanted to share images on dropbox. Subsequently the contents of their email address book was used as fodder to spread the dropbox scam and as a final kick in the pants her webmail address book was deleted.
When it comes to email, be cautiously pessimistic before you click on anything… To all you scammers and spammers lost in the interweb of broken dreams you helped create, we share this warm holiday greeting.