The shopping frenzy around major festivals like Diwali, Dussehra or Christmas, and the deals, discounts and offers that come with it, are an enormous business opportunity for cybercriminals, too. These fraudsters rob shoppers by luring or diverting them to fake or imitation websites, often through WhatsApp messages carrying incredible offers. The bigger the offer, the more likely it is to trigger a shopper's greed. In recent weeks, people have been duped by 'buy one, get one free' (1:1) phone offers and even television sets of known brands at half price.
Cybersecurity researchers at CloudSEK have discovered a sharp surge in malicious campaigns that use 'Diwali' and 'pooja' domains to scam users this festive season through fake e-commerce websites. They uncovered about 828 unique domains in the Facebook ads library that were being used for phishing campaigns.
"This year, there has been a steep spike in the hosting of fake domains for online shopping scams. These scams can further escalate into financial frauds, where hackers can impersonate customer representatives from various organisations, exploiting the gullibility of innocent victims," says Rishika Desai, lead cyber intelligence at CloudSEK.
These domains are built with typo-squatting techniques so that they look legitimate to less technically savvy audiences. For instance, shop.com was impersonated as shoop.xyz, with the same features and content as the original website.
Domains with keywords like Diwali and pooja were found to be hosted on a Hong Kong-based ASN operated by Megalayer Technologies. These domains redirected to various Chinese betting pages. One such website was created about a month ago and redirects to multiple gambling sites such as Bet365 and MGM, CloudSEK says.
Various malicious users on Facebook and other social media channels also mislead users by asking them to register on unreliable cryptocurrency websites.
One example is BotBro, which lures consumers to untrustworthy crypto platforms by offering free life insurance of up to Rs1 crore and five TLC coins.
An e-commerce website selling jewellery, registered on 3rd October with the 'Diwali' keyword in its domain name, was found asking users to download an application embedded with an Android Trojan, CloudSEK says.
Another technique cybercriminals use to dupe people is sending special 'Diwali gifts' via WhatsApp messages, SMS or email. All these messages carry a link to download the special gift. The words 'free gift' or 'special Diwali gift' are enough to switch off people's judgement, and they end up opening the link.
Almost all dubious links in these gift messages use Chinese (.cn) domains or cheap generic extensions such as .top and .xyz. More dangerous still is the fraudsters' use of short URLs, which hide the real destination. Most people click on a short URL out of curiosity to see who sent the gift or what the gift is.
Unfortunately, these attack campaigns can effectively jeopardise the privacy and security of sensitive customer data and result in financial fraud.
A strict rule, especially for any short URL you receive, is never to open it. If you must know where it leads, paste it into wheregoes.com or checkshorturl.com; both offer a free tool that traces the URL to its destination so you do not have to visit it yourself.
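Those sites do the redirect tracing on their own servers. As an added example (not code from the article, from CloudSEK, or from either of those sites), the Python below performs the same trace with HEAD requests that refuse to follow redirects, so every hop is recorded without loading the final page, and then flags the warning signs discussed above: a URL shortener in the chain, a .cn/.top/.xyz-style extension, a festival keyword in the hostname, and a domain that is a near-miss of a known brand, such as shoop.xyz for shop.com. The shortener, TLD, keyword and brand lists, as well as SAMPLE_CHAIN and sample_fetch, are constructed assumptions for illustration, not data from the article.

```python
"""Trace a short URL hop by hop without loading the final page, then flag
the warning signs a 'Diwali gift' link tends to show. All lists and the
sample chain below are illustrative assumptions, not data from the article."""
import difflib
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "rb.gy", "is.gd"}  # assumption
SUSPICIOUS_TLDS = {"cn", "top", "xyz", "icu", "cfd"}                         # assumption
FESTIVAL_WORDS = ("diwali", "pooja", "gift", "offer")                        # assumption
KNOWN_BRANDS = ["shop.com", "amazon.in", "flipkart.com"]                     # assumption


class _NoRedirect(HTTPRedirectHandler):
    """Refuse to follow 3xx responses so each hop can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def live_fetch(url, timeout=5):
    """HEAD one URL; return its Location header, or None when it is final."""
    req = Request(url, method="HEAD", headers={"User-Agent": "url-trace/1.0"})
    try:
        with build_opener(_NoRedirect).open(req, timeout=timeout):
            return None                       # 2xx: no further redirect
    except HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        return None                           # 4xx/5xx: chain ends here


def expand(url, fetch=live_fetch, max_hops=10):
    """Return the redirect chain [start, hop1, ..., destination]."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        location = fetch(chain[-1])
        if location is None:
            break
        nxt = urljoin(chain[-1], location)    # Location may be relative
        chain.append(nxt)
        if nxt in seen:                       # redirect loop: stop here
            break
        seen.add(nxt)
    return chain


def _registrable(host):
    # Naive last-two-labels rule; a real tool would use the public suffix list.
    return ".".join(host.split(".")[-2:])


def assess(chain):
    """Return sorted warning tags for every hostname in a redirect chain."""
    tags = set()
    for url in chain:
        host = urlsplit(url).hostname or ""
        domain = _registrable(host)
        label, _, tld = domain.rpartition(".")
        if domain in SHORTENERS:
            tags.add(f"shortener:{domain}")
        if tld in SUSPICIOUS_TLDS:
            tags.add(f"suspicious-tld:{tld}")
        for word in FESTIVAL_WORDS:
            if word in host:
                tags.add(f"festival-keyword:{word}")
        for brand in KNOWN_BRANDS:
            brand_label = brand.rpartition(".")[0]
            # Same name on another TLD, or one letter off (shoop vs shop), is a lookalike.
            similar = difflib.SequenceMatcher(None, label, brand_label).ratio() >= 0.8
            if domain != brand and similar:
                tags.add(f"lookalike:{domain}~{brand}")
    return sorted(tags)


# Constructed offline sample of the kind of chain a 'Diwali gift' message carries.
SAMPLE_CHAIN = {
    "https://bit.ly/diwali-gift": "https://diwali-offer.top/go",
    "https://diwali-offer.top/go": "/claim",                 # relative Location
    "https://diwali-offer.top/claim": "https://shoop.xyz/tv-50-off",
}


def sample_fetch(url):
    """Stand-in for live_fetch that answers from SAMPLE_CHAIN (no network)."""
    return SAMPLE_CHAIN.get(url)


if __name__ == "__main__":
    trace = expand("https://bit.ly/diwali-gift", fetch=sample_fetch)
    print(" -> ".join(trace))
    print(assess(trace))
```

Swap sample_fetch for the default live_fetch to trace a real link; because only HEAD requests are sent and redirects are never followed automatically, the final page is never rendered, which is the whole point of checking a short URL before opening it.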
To avoid becoming a victim of a free festival gift scam, it is essential to be cautious and follow a few guidelines.
Here are some suggestions...
1. There is no free lunch, and nobody gives away free gifts for Diwali or any other festival. Legitimate businesses in particular do not reach out at random to offer free gifts through chat apps (WhatsApp or Telegram), SMS or email. So be sceptical of any such communication offering a special or free gift.
2. Check and verify the source of the communication. If the message names a big company or e-commerce site, visit its authentic website and find out whether it is, indeed, running a gift campaign.
3. Pay attention to the text in the communication. Generally, messages that contain spelling or grammar mistakes, generic greetings, or requests for personal information are indicators of a scam.
4. Never click on the link in the communication or download anything by opening the link. Opening such links often leads to phishing sites or downloading malware on your mobile device or computer system.
5. Do not believe social media accounts offering free gifts. Ask yourself why anyone would offer a free gift to a random, unknown person on social media. Remember, fraudsters can easily set up fake profiles to lure people and delete them as soon as they are caught.
6. Never share sensitive personal information like identification details (Aadhaar, PAN card, driving licence), bank account and credit card details, passwords and one-time passcodes (OTPs) in response to unsolicited offers. Legitimate organisations will not ask for such information in exchange for free gifts.
7. Always visit official channels or contact the company or business directly if you are interested in availing of their promotional offer.
8. Use a good-quality anti-virus (several free apps provide good protection) to guard against viruses, malware, ransomware and remote-access tools.
By staying vigilant and following these suggestions, you can reduce the risk of falling victim to rampant free gift scams.
Stay Alert, Stay Safe.
How To Report Cyber Fraud?
Report cybercrimes to the National Cyber Crime Reporting Portal, http://cybercrime.gov.in, or call the toll-free National Helpline number, 1930. To follow on social media: Twitter (@Cyberdost), Facebook (CyberDostI4C), Instagram (cyberdostl4C), Telegram (cyberdosti4c).
If the fraud involves your bank account, immediately send an email to the official email ID of your branch (found on the bank's website or in your passbook) with a copy to the bank's customer care. Even if you have already called the official customer-care number, still send an email describing your conversation with the bank executive, along with the date, time and duration of the call. This will help if you face a liability dispute with the bank.