Throw in a discount: scammers changed tactics before Black Friday
In the run-up to Black Friday, scammers have changed how they deceive gullible customers: instead of fake marketplaces, they now distribute malicious applications and Trojan files under the guise of "discount coupons" and "special offers." Victims are prompted to install a program, which gives the attackers access to bank data, documents, photos and contacts. According to experts, the number of these attacks will be comparable to the number of fraudulent sites.
How malicious files are offered to customers instead of discounts
On the eve of the autumn sales, phishing remains the most common type of online fraud, but it is now taking on new forms, Evgeny Pankov, a data analyst at the Coordination Center for .RU/.РФ domains, told Izvestia. Previously, most schemes led the user to a fake website of an online store or marketplace, where the deceived buyer of discounted goods transferred money to the fraudsters himself. Now attackers are increasingly distributing malicious applications and Trojan files under the guise of "discount coupons."
"The user may be invited to download a 'discount coupon', a 'mobile store application' or a 'special offer' for Black Friday, but in reality it may be, for example, an APK file with a Trojan. As soon as he opens the file, he downloads the virus to his device, which gives the scammers access to it," said Evgeny Pankov.
According to him, in addition to controlling the victim's device, the attackers gain access not only to financial data but also to documents, photos and the contact list. The information collected can later become the basis for attacks aimed at both the victim and the victim's relatives and acquaintances.
Izvestia has seen similar cases. Recently, on one of the forums, a user said that people claiming to be MTS representatives called him to ask whether he was satisfied with his tariff. He was then promised service at a 20% discount and asked to continue the conversation in a messenger. There, he was sent a file supposedly designed to configure 5G settings automatically (although this technology does not work in Russia yet). The user did not download the file to his phone, as the purported MTS employees insisted, but opened it in a browser on his computer. When he asked about the contents of the file, the senders deleted it and ended the call. The antivirus on the PC identified it as a Trojan-Banker designed to steal the credentials of users of online banking, electronic payment systems and payment cards.
Judging by forum posts, other consumers have encountered similar schemes. One of them noted that he had also received calls from people posing as MTS employees, but he always hung up because he stopped using this operator's services five years ago.
Another person reported on the forum in early October that calls with discount offers used to be rare but now come 3-4 times a day.
How can a trick be recognized?
The fraudsters' change of format is understandable: mobile software and files give attackers broader capabilities and longer-term access to the device than a one-off fake website, Anton Nemkin, a member of the State Duma Committee on Information Policy, Information Technologies and Communications and federal coordinator of the Digital Russia party project, explained to Izvestia. He believes that the number of these attacks will be comparable to the number of fraudulent sites.
"The attack mechanics are simple and dangerous. The victim is invited to download a 'super discount' through a link in an advertisement, social network or messenger; the installed application requests extended rights (access to SMS, contacts, file system) and immediately deploys a Trojan that steals bank data, intercepts two-factor authentication (2FA) codes, and collects documents and photos," said Anton Nemkin.
He stressed that the second wave of consequences is especially serious: having gained access to the victim's address book and communications, attackers carry out attacks "on behalf of acquaintances" by sending malicious links, urgent money-transfer requests or phishing messages, which multiplies the number of victims. This turns an isolated incident into a chain infection in a family or corporate environment.
"The responsibility for reducing risks lies not only with the user, but also with the platform. Advertising networks should strengthen the moderation and filtering of offers, app stores should tighten the verification procedure for developers, and banks and operators should promptly respond to mass attacks and inform customers," said Anton Nemkin.
In the run-up to Black Friday, reasonable caution and a quick response to suspicious offers are the best protection against a "favorable discount" turning into a loss of data and money, he added.
Yuri Shabalin, Director of Artificial Intelligence Technology Development at Swordfish Security, said that today about 70% of online commerce applications store data from third-party services without the necessary encryption: PIN codes, personal information and technical data for working with push notifications, geolocation and other services. This can lead to takeover of the application, the sending of phishing links, and the theft of databases or confidential keys.
To protect yourself, he recommends not following links from unverified emails, going to the store's site directly to claim discounts, enabling two-factor authentication, using virtual cards for purchases, and installing antivirus software with anti-phishing protection. These measures help to reduce the risks of data theft and fraud.
Which fraud schemes are becoming a thing of the past
Overall, the Coordination Center for .RU/.РФ domains has recorded a decrease this year in the number of phishing domains imitating large Russian marketplaces on the Runet. Within the framework of the Domain Patrol project, 960 domains imitating popular trading platforms (Avito, Ozon, Wildberries and Yandex Market) were discovered in September – October of this year, while in the same period of 2024 there were 1,315 such domains.
This fall there was a surge in fake Wildberries sites: 770 phishing domains were identified in two months. In 2024, by contrast, Avito was in the lead, with 950 such domains discovered during the same period, the center added.
The press service of the united Wildberries & Russ company told Izvestia that during the sales period they traditionally observe increased activity of various types of scams, including an increase in the number of phishing sites. However, according to their data, the number of such sites is gradually decreasing — this is because their security team is actively monitoring and promptly blocking fraudulent sites.
Avito and other large companies, in cooperation with the Central Bank, are working to counter phishing as part of a program against unfair practices, added Natalia Yumatova, Senior Director for Trust and Security at the company's Moderation and Automation Support Department.
For example, a phishing link cannot be sent in a chat: it will be blocked by the platform's algorithms. Over the past year, Avito, in collaboration with BI.ZONE, has improved the detection of phishing resources and reduced the time required to block such sites by 25%. The total number of phishing sites has decreased by 85% in five years, they stressed.