Just in time for Black Friday, the number of phishing and scam websites is increasing. People on the lookout for a bargain are at risk of having there payment details and personal information stolen.
A German proverb says „a good horse only jumps as high as it needs to”. This is certainly true for a lot of phishing campaigns today. Many of the attempts to scare or otherwise convince users into giving up personal details do not hold up to even light scrutiny. In other cases, a little effort is required to unmask those attempts.
Social Media Ad Campaigns
We have discovered one current campaign that is active on social media platforms such as Facebook. The campaign targets Deichmann, a well known German shoe retailer. Adverts have appeared on Facebook which point to a nearly 1:1 copy of the original website and is apparently made to steal payment data from customers who place orders on this website. Under the hood, it quickly becomes apparent that the site is not what it makes itself out to be. The localization is incomplete and mixes Spanish in with German. Another pretty obvious slipup is that there still is place holder text on the website that the scammers never bothered to replace. Other than that, the copy looks convincing enough and is likely to pass an initial "smell test". We have blurred out the domain name in this case, because the website is still online as of this writing.
Also, an examination of the “WHOIS” record of the domain reveals that the fake domain was registered about a week ago.
To trick users into placing orders, the ads claim that come branches are closing down and offer shoes for a heavily discounted price. To increase pressure, fake information is displayed on the site that suggests that other people have also found this supposed bargain and are about to snap up the discounted item. Needless to say, this information is not being displayed on the original website.
The adverts that are displayed are most likely paid for by unwitting victims who had their Facebook accounts hijacked and stolen. The ads alone can cost hundreds of dollars, and leave victims out of their money as well as without a Facebook account, as we have covered in a previous article.
Other pointers
When examining the source code of the website, in quickly becomes apparent that some of the images that are displayed are being downloaded from the address of a content delivery network that is most likely located in Asia. In addition to this, the fraudsters have apparently made use of some templates for the website to put their own content in. They have not bothered to delete some sample text that is part of said template. IT will not be visible on the web page itself but it is in the source code. This speaks to the level of sophistication with which those sites are being built - they are just copies of the originals, with a little bit extra. In this case, the "extra" is a shopping cart system that appears to be of Chinese origin.
The site is otherwise not very remarkable, and as of this writing does not appear to host or distribute any malware - but that is not to say that there are no websites out there that also do this. After all, many criminals do not put all their eggs in one basket and try to squeeze as much revenue out of potential victims as possible.
The SSL certificate of the fake website is valid. This does not mean much, however. In this case, a valid SSL certificate only means that the website encrypts data in transit. This is pretty much the norm today, and some browsers even display a warning if a website does not have encryption. This might put off most people as is requires at least three clicks to proceed to the site. There are different types of SSL certificates. The most easily available one can be bought by anyone for very little money. All that someone needs to obtain this most basic SSL certificate is provide a valid e-mail address or at least an administrative address from the WHOIS database. This type of certificate is usually enough for things like discussion boards or non-commercial websites. It turns out that there is actually a postal address in the WHOIS reord. But this address points to a commercial estate in the US state of Arizona, near Phoenix. There is a restaurant at or near that address as well as a Best Buy, a Petsmart, a salon and a gym. But nothing remotely connected with shoe retail, much less Deichmann.
Web shops usually have an extended certificate that requires some official documents. This supposed web shop does not have that.
More clues
This approach tends to fall on fertile ground in a time where prices are increasing and people try to save money wherever they can. And since Deichmann is a trusted name, people are less likely to scrutinize the offers. The shoe retailer is not the only target of such fraudulent campaigns, however. Other well known brands also attracts copycats that aim to profit off their reputation and recognition. This is not limited to shoes, but basically to any brand that is usually high priced and outside of what many people can afford. This makes those fake shops even more appealing.
High profile fashion brands, make-up, consumer electronics - you name it, and there probably is a fake shop waiting for people to feed it their personal and payment information.
With all this being said, user must be on high alert whenever an offer literally seem to be "too good to be true". If you place an order on any of those fake shops, you are delivering your personal details as well as any payment information directly to criminals who aim to abuse or monetize your data. This can lead to identity theft as well as substancial financial losses. Therefore, it is advisable to be extra cautious when you see any adverts on your social media feeds that promise very heavy discounts on any (especially luxury) items.
Tim Berghoff
Security Evangelist
Banu Ramakrishnan
Malware Analyst
