Holiday Shopping Season Phishing Emails

November 7, 2014

The Holiday Shopping Season is fast approaching and this means new phishing email campaigns. During the excitement of Holiday shopping, users can often be in a rush to get shopping done, and make hasty decisions when confronted with unexpected or unsolicited emails. Don’t let haste lead to a compromised system; prepare your users. Now is a good time for Security Administrators to educate their users about how to identify phishing emails, and to be sure users’ systems are patched.

The graph below shows the seasonal increase in online shopping activity seen in Dell SonicWALL telemetry data for DNS queries to Amazon.com during the final quarter of 2013. This pattern illustrates the increase in online shopping by Dell SonicWALL customers. During this quarter the risk of phishing email campaigns is also increased. In the graph you can see the weekly variation in DNS queries to Amazon.com, as well as the increase leading up to Christmas Day. The traffic appears to spike in the first week of December. We expect a similar pattern this year as well.

[Graph: Amazon.com DNS Query Hits for the Last 3 Months of 2013]

An important skill for staying safe online is identifying fraudulent domain names used in phishing emails. Scammers will usually try to deceive end users by disguising the true second-level domain, prepending legitimate, familiar names to the beginning of the hostname. Appearing to come from a legitimate source, the phishing email will contain links to sites that host exploit code, in the hope that the user has an unpatched system and a vulnerable web browser, with the goal of compromising the user’s system.

Phishing campaigns during past Holiday seasons include fraudulent emails appearing to be from sites like Amazon.com, U.S.P.S., FedEx, and other companies involved in holiday commerce. A typical phishing email will be from an address like customer_service@amazon.com–0123-xyz.malicious-site.com, and contain a message about a free gift card, an order confirmation request, or shipment tracking links. These links go to the attacker’s domain, malicious-site.com, and not amazon.com.
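The check described above, written out as an added Python example (not code from the original post): it reduces a sender address or link to its registrable domain and flags hosts that mention a trusted brand but are registered elsewhere. The trusted list, the small suffix set standing in for the Public Suffix List, and the sample inputs (typed with ASCII hyphens) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: tiny stand-in for the Public Suffix List; use the full list in production.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Assumption: brands this organisation expects to see in holiday mail.
TRUSTED_DOMAINS = {"amazon.com", "usps.com", "fedex.com"}


def host_of(value):
    """Return the lowercase host from a URL or an email address."""
    value = value.strip()
    if "://" in value:
        host = urlsplit(value).hostname or ""  # ignores any user@ part of a URL
    else:
        host = value.rsplit("@", 1)[-1]        # everything after the last '@'
    return host.rstrip(".").lower()


def registrable_domain(host):
    """Rightmost labels that were actually registered, e.g. malicious-site.com."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(value):
    """Return (verdict, registrable domain) for a sender address or link."""
    host = host_of(value)
    real = registrable_domain(host)
    if real in TRUSTED_DOMAINS:
        return ("trusted", real)
    # Heuristic: a trusted brand name appears in the host, but the host is
    # registered under a different domain, so the familiar name is only a prefix.
    if any(brand.split(".")[0] in host for brand in TRUSTED_DOMAINS):
        return ("lookalike", real)
    return ("unknown", real)


if __name__ == "__main__":
    samples = [  # constructed sample inputs
        "customer_service@amazon.com--0123-xyz.malicious-site.com",
        "https://www.amazon.com/gp/css/order-history",
        "http://fedex.com.tracking.example.co.uk/label",
        "newsletter@example.net",
    ]
    for s in samples:
        print(classify(s), s)
```

The brand-name match is a triage heuristic: it will also flag legitimate regional domains that are not in the trusted list, so extend the list to match what your users actually receive.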

Best practices for avoiding phishing scams are:

    Educate end users on how to hover over links in emails to identify the real domain name in the email’s From address, as well as in any links in the email body.
    For users that are unable to identify domain names in links and email addresses, advise them never to click on a link sent in an email, but rather to open the site in a browser by typing manually in the address bar to ensure that they are going to the legitimate site.
    Always report suspicious emails to your Security Administrator, or directly to the site being spoofed. If in doubt, ask before clicking.
    Stay up-to-date with software patches for Operating Systems, web browsers and all other software on the computer.
    Install host-based and network-based Gateway Anti-Virus and Intrusion Detection systems, and keep them up to date.