Rise in Retail-Focused Phishing Campaigns During Pandemic
May 19, 2020 • Allan Liska
As people around the world have had to stay home because of the COVID-19 pandemic, there has been a noted increase in online shopping. Whether that shopping is in the form of meal delivery, grocery shopping, or buying household items, people are relying on online services more than ever before. Unfortunately, this also appears to have led to a significant increase in phishing and typosquatting campaigns targeting retail organizations.
As the image below demonstrates, there has been a significant increase in the number of phishing campaigns in the first half of this year. A small part of the increase can be attributed to better collection capabilities than in 2019, but the majority of the increase is because of an increase in activity. Note the increase in retail-focused phishing campaigns in December of 2019, which is consistent with expected phishing activity associated with the Christmas holiday. Normally, there is a steep dropoff in this activity starting in January, but that did not occur.
To put the numbers in context, from March 1 through April 30 of 2020, Recorded Future tracked 7,934 retail-focused phishing campaigns, versus 4,319 in 2019 — an 83% increase in campaigns.
In addition to the rapid increase in phishing campaigns, there has also been a rise in typosquatting domains — domains designed to look like famous retail brands to either create fake online stores or use as part of a phishing campaign. As expected, top retail brands are the most heavily targeted using this tactic.
For example, Recorded Future noted 163 domains or subdomains registered from March 1 through April 30 that pretended to be related to Amazon. Some of the malicious domains are designed to be used as fake websites, such as mail[.]amazon-login[.]online, while others are designed to be embedded in phishing emails, such as amazon-payment-declineds[.]theworkpc[.]com. Of course, Amazon is not the only major brand being heavily targeted right now — most of the major retail companies have seen a spike in domain registrations targeting their brand.
As Recorded Future has discussed previously, threat actors behind phishing campaigns are quick to adapt to changing situations. These threat actors are aware that more people are ordering delivery, so they have also targeted food delivery services. There were more than 40 malicious domains registered that were similar to Grubhub during the same period, and more than 70 that were similar to DoorDash. The grocery sector was also heavily targeted during this same period, with more than 150 typosquatted domains mimicking Kroger, 50 registered domains similar to Aldi, and more than 50 mimicking Publix.
Luxury brands have also been targeted during this period, with more than 400 Rolex typosquatted domains registered, and over 250 Macy’s typosquatted domains.
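Defenders can screen newly registered domains or mail-gateway logs for the lookalike patterns described above: a brand name placed in a subdomain or hyphen-joined with lure words, or a one-character misspelling. The Python below is an added example, not Recorded Future's code; the official-domain allow-list, the function names and the constructed sample domain are assumptions of this example.

```python
import re

# Brands named in the article. The official-domain allow-list is an assumption of this example.
BRANDS = {
    "amazon": {"amazon.com"},
    "grubhub": {"grubhub.com"},
    "doordash": {"doordash.com"},
    "kroger": {"kroger.com"},
}

def refang(indicator):
    """Convert a defanged indicator (mail[.]amazon-login[.]online) to a plain hostname."""
    return indicator.strip().lower().replace("[.]", ".").rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(indicator):
    """Return (brand, reason) when a hostname imitates a listed brand, else None."""
    host = refang(indicator)
    for official in BRANDS.values():
        if any(host == d or host.endswith("." + d) for d in official):
            return None  # the brand's own domain or a subdomain of it
    # Brand names hide in any label, hyphen-joined with lure words, so split on both.
    tokens = [t for t in re.split(r"[.\-_]", host) if t]
    for brand in BRANDS:
        for tok in tokens:
            if brand in tok:
                return (brand, "brand-keyword")
            if edit_distance(tok, brand) == 1:  # one inserted, dropped or substituted character
                return (brand, "near-miss")
    return None

if __name__ == "__main__":
    samples = [
        "mail[.]amazon-login[.]online",                 # from the article
        "amazon-payment-declineds[.]theworkpc[.]com",  # from the article
        "kr0ger-coupons.example",                       # constructed
        "www.amazon.com",                               # legitimate
    ]
    for s in samples:
        print(f"{s:45} {classify(s)}")
```

The near-miss rule is a heuristic and will occasionally flag an unrelated word that sits one character away from a brand name, so hits are candidates for review rather than verdicts.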
The actors behind these phishing and typosquatting campaigns are very aware of what is happening in the world, and they design their campaigns to prey on the things that are of greatest concern to their potential victims. Unfortunately, it is necessary to remain vigilant about even legitimate-looking emails to ensure you are not giving your financial information to the wrong person.