Number of Malicious Shopping Websites Jumps 178% ahead of November e-Shopping Holidays

With Australia’s Click Frenzy and China’s Singles Day just behind us, and Black Friday and Cyber Monday fast-approaching, Check Point Research (CPR) sees a record breaking amount of malicious websites related to online shopping. Hackers are sending consumers enticing email offers with subject lines claiming discounted merchandise as high as 85% off. CPR warns online shoppers to watch out for offers that are too good to be true in the run-up to November’s e-shopping holidays.

· Over 5300 malicious websites spotted per week on average by CPR, marking the highest since the beginning of 2021

· 1 out of 38 corporate networks have been impacted on average per week in November

· CPR provides two visual examples of recent brand impersonations: Michael Kors and Amazon Japan

Check Point Research (CPR) sees a record-breaking amount of malicious websites related to online shopping in the run-up to Black Friday and Cyber Monday.

The Numbers

• On average, over 5300 different websites per week were spotted in the past six weeks
• 178% increase in malicious websites related to e-shopping in the past six weeks, compared to the average in 2021
• 1 out of 38 corporate networks have been impacted on average per week in November, compared to 1 in 47 in October and 1 in 352 earlier in 2021

Figure 1: Sharp increase in malicious shopping websites (Jan – November 2021)

Example A: Michael Kors Impersonation

CPR found impersonations of Michael Kors brand. Fraudulent emails used subject lines below to lure victims onto malicious websites:

• “Fashion MK Handbags 85% Off Shop Online Today”
• “Up to 80% OFF Michael Kors HandBags on Sale, High Fashion, Low Prices”
• “Shop All Michael Kors Handbags, Purses & Wallets Up To 70%”

Figure 2 and 3. Emails allegedly from Michael Kors:

Figure 4. Fraudulent impersonation of Michael Kors website:

Example B: Amazon Impersonation

CPR discovered an email sent from “Amazon. Urgent notice”. The email address contained a Chinese domain and the email had a subject in Japanese saying “System Notification: Unfortunately, we were unable to renew your Аmazon account” (translated from Japanese). The link in the email led to a website masquerading as Amazom.co.jp website in both the name and the look https://www[.]amazon-co-jp[.]fo2j.top/.

Figure 5. Impersonation of Amazon Japan

Quote: Omer Dembinsky, Data Group Manager at Check Point Software:

“We track the number of malicious websites related to online shopping almost every year ahead of the November e-Shopping holidays. This year’s numbers have broken our records. We’ve seen a staggering 178% increase in malicious online shopping websites this time, compared to the previous months in 2021. Hackers are doubling down on the strategy to lure consumers into fraud through ‘too good to be true’ offers, promising large discounts such at 80% or 85% off. Their strategy is to capitalize on a consumer’s excitement after showing an eye-popping discount. I strongly urge consumers to beware of these ‘too good to be true” offers as they shop online on Black Friday and Cyber Monday. You can protect yourself by being attentive to lookalike domains, shopping from reliable sources and spotting password reset and other account related notifications that show excessive urgency. Do not click these links, and if needed - go directly to the website and change details from your account.”

Security Tips for Online Shoppers

• Always shop from an authentic reliable source. Do not click on promotional links you get over email or over social media. Pro-actively google search your desired retail or brand
• Be attentive for look-alike domains. You should notice spelling accuracy in emails or websites, and note unfamiliar email senders or peculiar email addresses you receive promotions from
• Too good to happen shopping offers are indeed too good to happen. A new iPad will NOT go on an 80% discount this season, unfortunately.
• Always look for the lock. Making an online transaction from a website that does not have secure sockets layer (SSL) encryption installed is an absolute NO-GO. To know if the site has SSL, look for the “S” in HTTPS, instead of HTTP. An icon of a locked padlock will appear, typically to the left of the URL in the address bar or the status bar down below. No lock is a major red flag.
• Always be attentive to password reset emails, especially when volumes of traffic online are at peak, like the November shopping season, If you receive an uninvited password reset email, always visit the website directly (don’t click on embedded links) and change your password to something different on the original site.