Anyone claiming to be Kohl’s really wants to give me a nice orange Le Creuset Dutch oven.
The email always says this is the chain department store’s second attempt to reach me, although I think it’s more like the 50th, because I’ve received this email several times over the past few months. You probably have, too. Maybe it’s not from Kohl’s. Maybe it’s from Dick’s Sporting Goods or Costco. Whatever it claims, the result is the same: you click on a link, fill out some kind of survey, and then, to get your free Yeti cooler or Samsung smart TV (or that Le Creuset Dutch oven), you’re asked to enter your credit card information to cover the cost of shipping.
Those items will never arrive. These emails are all phishing scams: emails that pretend to be from a person or brand you know and trust in order to get information from you. In this case, it’s your credit card number. This latest campaign is especially good at avoiding spam filters, which is why you’ve noticed so many emails like this in your inbox over the past few months. The fact that they landed in your inbox in the first place, along with the realistic presentation of the emails and the websites they link to, makes them more credible than typical scam emails. These attacks usually increase during the holiday season. So here’s what you should watch out for.
“Grinch security firms are getting coal and blocking IPs for Christmas, and that’s causing more spam with domain hop architecture to arrive in your inbox,” Jack Edwards, a security researcher, told Recode. Domain hop architecture is a series of redirects that route user traffic across multiple domains to help scammers hide their tracks and potentially detect and block security measures.
Akamai Security Research identified the scam campaign in a recent report. The basic idea behind the scam – pretending to be a well-known brand and offering a reward in exchange for some personal information – is not new, and Akamai has been tracking this kind of grift for a while. But this year’s version is new and improved.
“It’s a reflection of the adversary’s understanding of how security products work and how to use them to their own advantage,” said Wa Katz, Akamai’s principal security researcher.
Basically, these scammers are deploying a lot of technical tricks to avoid scanners and get through spam filters behind the scenes. This includes (but is not limited to) routing traffic through a mix of legitimate services, such as Amazon Web Services, which appear to be linked in the scam emails I received. And, Edwards says, bad actors can identify and block IP addresses of known scam and spam detection tools, which helps them bypass those tools.
Akamai said this year’s campaign also includes a novel use of fragment identifiers. You’ll see them as a series of letters and numbers that come after a hash mark (#) in a URL. They are typically used to send readers to a specific section of a web page, but scammers use them instead to send victims to a completely different website entirely. And some scam detection services don’t or can’t scan fragment identifiers, which helps the scammers avoid detection, according to Katz. That said, Google told Recode that this particular method alone isn’t enough to bypass its spam filters.
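As an added illustration (this is not code from the article, Akamai’s report, or Google), here is a small defensive link check in Python showing the two scanner blind spots described above: a destination tucked into the fragment, which a scanner that discards everything after the hash mark never sees, and a chain of redirects across several domains, which a scanner that stops at the first hop never finishes. All hostnames and the redirect table are constructed placeholders, not indicators from the campaign.

```python
import re
from urllib.parse import urlparse, unquote

# Constructed redirect table standing in for HTTP 30x responses.
# Hostnames are placeholders, not real infrastructure.
SAMPLE_REDIRECTS = {
    "https://legit-cdn.example.net/r?id=1": "https://hop-one.example.org/go",
    "https://hop-one.example.org/go": "https://hop-two.example.com/x",
    "https://hop-two.example.com/x": "https://final-landing.example/survey",
}

# Matches an absolute URL or www.-style hostname embedded in a fragment.
URL_IN_FRAGMENT = re.compile(r"(https?://|www\.)[\w.-]+", re.I)


def fragment_destination(url):
    """Return a URL/hostname hidden in the fragment, or None.
    The fragment is never sent to the server, so a scanner that only
    inspects scheme/host/path never sees this value."""
    frag = unquote(urlparse(url).fragment)
    match = URL_IN_FRAGMENT.search(frag)
    return match.group(0) if match else None


def follow_hops(url, redirects, max_hops=10):
    """Walk a redirect chain offline via a lookup table and return the
    distinct hostnames visited, in order. max_hops bounds the walk so a
    redirect loop cannot run forever."""
    hosts, seen = [], set()
    for _ in range(max_hops):
        host = urlparse(url).hostname
        if host and host not in hosts:
            hosts.append(host)
        if url in seen or url not in redirects:
            break
        seen.add(url)
        url = redirects[url]
    return hosts


def assess(url, redirects=SAMPLE_REDIRECTS):
    """Combine both checks into a verdict a mail filter could log."""
    hops = follow_hops(url, redirects)
    hidden = fragment_destination(url)
    return {
        "hops": hops,
        "hidden_fragment_target": hidden,
        "suspicious": len(hops) >= 3 or hidden is not None,
    }
```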
“What we see in this recently published study is that new and sophisticated techniques are being used, indicating the evolution of scams, reflecting the intent of adversaries to make their attacks harder to detect and classify as malicious,” Katz said. “And, as we can see, it’s working!”
But you don’t see any of it. You just see the email. At best, they’re annoying, and at worst, they can trick you into giving out your credit card details to people who will likely use that information to buy a lot of stuff on your tab. The fact that they’re in your inbox in the first place adds a veneer of legitimacy, and it makes those emails and the websites they send you to look better, and therefore more credible, than simpler phishing attempts. They also seem to change according to the season or time of year. Akamai’s example, which it collected weeks ago, has a Halloween theme. More recent phishing emails send users to a website boasting “Black Friday specials.”
“The literal holiday banners are unique, so this is a great new addition,” Edwards said.
And it’s all being deployed on a seemingly massive scale, which is why most people reading this have probably received not just one of these emails but many of them, stretched out over months.
Or, as a colleague of mine told me when he forwarded me an example of one of the many scam emails he received in his Gmail inbox: “Help.”
A Google spokesperson told Recode that the company is aware of the “particularly offensive” campaign and is taking steps to stop it.
“Our security teams have identified that spammers are using other platforms’ infrastructure to create a path for these abusive messages,” they said. “However, even as spammers’ tactics evolve, Gmail is actively blocking much of this activity. We are contacting other platform providers to address these vulnerabilities and are always working hard to stay ahead of attacks.”
Google also recently published a blog post warning users about common holiday season scams, and fake gift offers topped the list.
“Got an offer that looks too good to be true? Think twice before clicking any links,” wrote Nelson Bradley, manager of Google Workspace Trust and Safety.
Google also noted that it blocks 15 billion spam emails every day, which it believes is 99.9 percent of the spam, phishing and malware emails sent to its users. In the past two weeks, Bradley wrote, there has been a 10 percent increase in malicious emails. To be fair, I think there are more fake Kohl’s giveaway emails sitting in my spam folder than in my inbox.
The spokesperson added that Gmail users can use its “report spam” tool, which helps Google better detect and prevent future spam attacks. Beyond that, the usual advice for avoiding phishing still applies. Check the sender’s email address and the URL it’s linking to. Do not give out your personal information, especially your account password or credit card number. Take a few seconds to think about why Kohl’s would decide to randomly give you Le Creuset bakeware, or why Dick’s would give you hundreds of dollars’ worth of Yeti coolers, for answering a few basic survey questions. The answer is that they won’t.
Do your Black Friday shopping in real stores (or on their real websites), buying real items and giving your credit card details to real staff. And good luck out there: a Google spokesperson said the company expects scam campaigns to “continue at a high rate throughout the holiday season.” So this will almost certainly continue after Black Friday is over.