Someone claiming to be Kohl’s really wanted to get me a nice orange Dutch oven from Le Creuset.
The email always says this is the department store’s second attempt to reach me, although I think it’s closer to 50 because I’ve had this email several times over the past few months. You likely have too. Maybe not from Kohl’s. Maybe it’s Dick’s Sporting Goods or Costco. No matter who you claim to be from, the outcome is the same: You click a link, fill out some sort of survey, and are asked to enter your credit card information to cover the cost of shipping a free Yeti cooler, a Samsung Smart TV, or that Le Creuset Dutch oven.
These items will never come, of course. All of them are phishing scams: emails pretending to be from a person or brand you know and trust in order to solicit information from you. In this case, it’s your credit card number. This latest campaign is particularly good at avoiding spam filters, which is why you may have noticed a lot of these emails in your inbox over the past several months. The fact that they landed in your inbox in the first place, combined with the polished presentation of the emails and the sites they link to, makes them more convincing than the usual phishing email. These attacks also usually escalate during the holiday season. So here is what you should pay attention to.
“The Grinch gets coal from security companies and blocks Christmas IP addresses, which results in more spam using domain structure getting into your inboxes,” Zack Edwards, a security researcher, told Recode. A domain hop architecture is a series of redirects that direct user traffic across multiple domains to help fraudsters hide their tracks and detect and block potential security measures.
Akamai Security Research identified the fraud campaign in a recent report. The basic idea behind the scam itself – pretending to be a famous brand and offering a prize in exchange for some personal information – is not new. Akamai has been going after these kinds of grifts for a while. But this year’s version is new and improved.
“This is a reflection of the adversary’s understanding of how security products work and how to use them for their own benefit,” said Or Katz, principal security researcher at Akamai.
Basically, these scammers deploy a lot of technical tricks behind the scenes to evade scanners and bypass spam filters. This includes (but is not limited to) directing traffic through a mix of legitimate services, such as Amazon Web Services, which is where the URLs in many of the scam emails appear to be hosted. Bad actors can also identify the IP addresses of known spam and fraud detection tools and block them, which helps them get past those tools, Edwards said.
Akamai said this year’s campaign also included a new use of fragment identifiers. You’ll see these as a string of letters and numbers after the hash mark in a URL. They are normally used to send readers to a specific section of a web page, but scammers have been using them instead to send victims to completely different websites. According to Katz, some fraud detection services do not or cannot scan fragment identifiers, which helps the scammers avoid detection. Google, however, told Recode that this particular method wasn’t enough to bypass its spam filters.
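To see why fragment abuse slips past some link scanners and what a defender can check for, here is an added example (not from the article or from Akamai’s report): the fragment is never sent to the server, so a scanner that only fetches the link sees the benign landing page, while the check below decodes the fragment and flags ones that carry another destination. All hostnames are constructed placeholders.

```python
"""Added example: URL fragment smuggling, from the defender's side."""
import base64
import re
from urllib.parse import unquote, urlsplit

# Constructed sample links for illustration; hypothetical hostnames only.
SAMPLE_LINKS = [
    "https://docs.example.com/help#section-2",                      # benign anchor
    "https://cdn.example-host.test/landing.html#https://survey.example-scam.test/kohls",
    "https://cdn.example-host.test/r.html#aHR0cHM6Ly9zdXJ2ZXkuZXhhbXBsZS1zY2FtLnRlc3Qv",
    "https://cdn.example-host.test/r.html#%2F%2Fprize.example-scam.test%2Fyeti",
]

# Matches a hostname either at the start of the text or after "//".
DOMAIN_RE = re.compile(r"(?:^|//)(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]|$)", re.I)


def request_target(url):
    """What a link-fetching scanner actually requests: per RFC 3986 the
    fragment is client-side only and is never sent to the server."""
    return urlsplit(url)._replace(fragment="").geturl()


def decode_fragment(fragment):
    """Plausible readings of a fragment: raw, percent-decoded, base64-decoded."""
    candidates = [fragment, unquote(fragment)]
    try:
        padded = fragment + "=" * (-len(fragment) % 4)
        candidates.append(base64.b64decode(padded, validate=True).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        pass  # not base64, or not text: nothing more to inspect
    return candidates


def fragment_redirect_target(url):
    """Return the off-page destination hidden in the fragment, or None.
    A normal in-page anchor such as '#section-2' yields None."""
    fragment = urlsplit(url).fragment
    if not fragment:
        return None
    for cand in decode_fragment(fragment):
        if DOMAIN_RE.search(cand):
            return cand
    return None


def flag_links(links):
    """Links whose fragment carries a destination the server never sees."""
    return [u for u in links if fragment_redirect_target(u) is not None]
```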
“What we see in this recently released research is the use of new and sophisticated technologies, which indicate the evolution of the fraud, reflecting the adversary’s intent to make their attacks difficult to detect and classify as malicious,” Katz said. “And as we can see, it works!”
But you don’t see any of that. You see only the emails. At best, they’re annoying, and at worst, they can trick you into giving your credit card details to people who will presumably use that information to buy a lot of stuff on your tab. The fact that they are in your inbox in the first place adds a deceptive appearance of legitimacy, and both the emails and the websites they send victims to look better, and thus may be more convincing, than some typical phishing attempts. They also seem to change with the season or time of year. The Akamai examples, which I collected weeks ago, have a Halloween theme. The latest phishing messages send users to a website that boasts a “Black Friday Deal.”
“Holiday craft banners are pretty unique, so this is a great new addition,” said Edwards.
And they are all spread on what appears to be a massive scale, which is why most people reading this probably received not just one of these emails, but an onslaught of them stretching out over months.
Or, as a co-worker put it to me when she forwarded me just one example of the many scam emails she’d received in her Gmail inbox: “Help.”
A Google spokesperson told Recode that the company is aware of the “particularly aggressive” campaign and is taking action to stop it.
“Our security teams have determined that spammers are using another platform’s infrastructure to create a pathway for these abusive messages,” they said. “However, even as spammer tactics evolve, Gmail is actively working to block the vast majority of this activity. We are in contact with the other platform provider to resolve these vulnerabilities and are working hard, as always, to stay ahead of the attacks.”
Google also recently released a blog post warning users about scams common this holiday season; fake giveaways were high on the list.
“Get an offer that seemed too good to be true? Think twice before clicking any links,” writes Nelson Bradley, director of Google Workspace Trust and Safety.
Google has also indicated that it blocks 15 billion spam emails every day, which it believes is 99.9 percent of the spam, phishing, and malware emails that are sent to its users. Bradley writes that in the past two weeks, there has been a 10 percent increase in malicious emails. To be fair, I think there are more fake Kohl’s giveaway emails sitting in my spam filter than in my inbox.
The spokesperson added that Gmail users can use the “Report Spam” tool, which helps Google better identify and prevent spam attacks in the future. Beyond that, the typical tips for avoiding phishing still apply. Check the sender’s email address and the URL it links to. Do not give out your personal information, especially your account passwords or credit card numbers. Take a few seconds to think about why Kohl’s would randomly decide to give you Le Creuset bakeware, or why Dick’s would give you a Yeti cooler worth hundreds of dollars, just for answering a few basic survey questions. The answer is that they won’t.
You can also spend Black Friday shopping for real items in real stores (or on their real websites) and giving your credit card details to real employees. Good luck out there. A Google spokesperson said the company expects the scam campaign to “continue at a high rate throughout the holiday season.” So it will almost certainly continue even after Black Friday ends.