Although Black Friday and Cyber Monday are behind us, consumer scams are likely to continue surging through the coming month. Malicious actors know that online retail spikes during the holiday season, so they increase their efforts to spread ad malware rather than good cheer.

Cautious consumers might be on the lookout for malicious apps and websites, but another tactic that cybercriminals will likely leverage extensively is malvertising — ads embedded with malware. Retailers also tend to prioritize customer experience over data security, so it’s important to understand how to avoid malvertising scams and prevent opportunistic threat actors from affecting your network during the holiday season.

Recognize the Risk

According to a Black Friday digital fraud report from RiskIQ, “Some fake apps contain adware and ad clicks or malware that can steal personal information or lock the device until the user pays a ransom. Others encourage users to log in using their Facebook or Gmail credentials, potentially exposing sensitive personal information.” In fact, the researchers from RiskIQ found that the brand names of the five leading retailers were frequently used in malicious and fraudulent mobile apps.

With virtually every retailer promoting online shopping deals, the internet is a hotbed of opportunity for scams. Jerome Dangu and Jack Cohen Martin, co-founder and CPO, respectively, of antimalvertising firm Confiant, said they uncovered what appeared to be the initial attack in an ongoing malvertising campaign on Nov. 12. During the course of discovery, Confiant blocked over 5 million malvertising impressions on the Google Play store meant to impersonate legitimate app downloads.

Because the ads were served in a top-tier exchange, more than 300 million bad impressions were served to publishers in just over a 48-hour period, Dangu and Cohen Martin explained. By comparison, the Zirconium group, named by Confiant as 2017’s largest malvertising operation, created and operated 28 fake ad agencies to distribute malvertising campaigns and was responsible for 1 billion impressions over the course of a full year.

Malvertising can target specific companies, but this particular campaign went after iOS users and used two domains and two types of payloads.

“One family of landing pages was more focused on fake offers from Amazon gift cards and Walmart, in differing denominations and variations,” Dangu explained.

How to Spot an Ad Malware Scam

The scam is essentially a way for an attacker to retrieve user data and resell it. Users are often delivered to fraudulent landing pages where they are asked different types of marketing questions about things like their insurance or interest in electronics.

“The attacker is getting an affiliation share on these forms that get submitted, but you can never get out of this loop of forms,” Dangu explained. “Users could enter their data forever until they finally realize it’s a waste of time and they aren’t getting an iPhone for a dollar.”

Because malicious actors have become increasingly sophisticated, the fraudulent landing pages they use appear legitimate.

“They are exploiting the user’s trust by creating malicious landing pages that adopt the same color scheme as Facebook or Google, for example. It’s important for users to make sure they are where they think they are and check the full URL address,” Cohen Martin said.

All Eyes on Mobile

In monitoring malicious traffic over the last year, Confiant saw one major change from previous years, when malware and malvertising campaigns surged on browsers.

“Mobile is used more and more,” Dangu said. “Attackers are targeting more mobile through scam approaches, which is disturbing for publishers.”

In one case, ads were redirecting users to get them to subscribe to adult dating sites, and the cybercriminals were getting a cut on those subscriptions. Mobile sites tend to have more ads, and because of that density, it is more difficult to identify a scam.

“Because of the nature of business, the ads are being digitally placed there, and it is hard to get 100 percent visibility into what is going on,” said Dangu. “Service providers and exchanges need to do their part to prevent these types of risks from being available.”

How to Avoid Malvertising Scams

Given the evolution of scammers’ methods, it’s important to remember that if a deal seems too good to be true, it probably is.

“Consumers should be wary of deals and go directly to sites they trust,” said Mike Bittner, digital security and operations manager of The Media Trust.

Bittner also emphasized the responsibility of brands to identify all the code executing on their websites and mobile apps.

“Chances are high that online companies only know a small fraction of the 50–95 percent of code in their digital assets provided by third parties,” he said.
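Identifying the third-party code on a site, as Bittner recommends, can start with a static inventory of what a page loads. The sketch below is an added example, not code from the article or from The Media Trust; the site `shop.example`, the other hostnames and the sample HTML are constructed.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page for a hypothetical shop at shop.example (all hosts are made up).
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.shop.example/lib.js"></script>
<script src="https://ads.adnetwork.test/tag.js"></script>
<script src="//metrics.tracker.test/t.js" integrity="sha384-CONSTRUCTED"></script>
<script>var inlineConfig = {};</script>
</head><body>
<iframe src="https://ads.adnetwork.test/slot?id=1"></iframe>
</body></html>
"""

class CodeInventory(HTMLParser):
    """Record every <script> and <iframe> that pulls code from another party."""
    def __init__(self, page_url, first_party_domain):
        super().__init__()
        self.page_url = page_url
        self.first_party = first_party_domain.lower()
        self.inline_scripts = 0
        self.third_party = defaultdict(list)  # host -> list of findings
    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        attr = dict(attrs)
        if not attr.get("src"):
            self.inline_scripts += tag == "script"  # inline code has no external origin
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        url = urljoin(self.page_url, attr["src"])
        host = (urlparse(url).hostname or "").lower()
        if host == self.first_party or host.endswith("." + self.first_party):
            return
        # Subresource Integrity pins a script to a known hash; iframes have no equivalent.
        sri = tag == "script" and "integrity" in attr
        self.third_party[host].append({"tag": tag, "url": url, "sri": sri})

def inventory(html, page_url, first_party_domain):
    parser = CodeInventory(page_url, first_party_domain)
    parser.feed(html)
    return dict(parser.third_party), parser.inline_scripts

if __name__ == "__main__":
    hosts, inline = inventory(SAMPLE_HTML, "https://shop.example/", "shop.example")
    print(inline, {h: [(f["tag"], f["sri"]) for f in fs] for h, fs in hosts.items()})
```

A static pass only sees tags present in the markup; ad tags typically load further scripts at runtime, so the result is a lower bound on what executes in the browser.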

Security leaders can help protect their employees by integrating a holiday retail scam identification practice into their regular security awareness training program. They can also defend networks by deploying artificial intelligence-enabled software to flag anomalous behaviors that could potentially represent a breach.

Consumers have a choice when visiting e-commerce sites. Although it’s advisable to rely on trusted, reputable brands with strong ratings, cybercriminals are eager to exploit that trust by visually replicating those very brands. Staying cautious and fully aware of where you navigate online will help you to remain safe during the holiday season and all year long.
