In 2024, cybercriminals launched over 38 million phishing attacks, impersonating major marketplaces, banks, and tech retailers. Stolen payment card data is actively traded on dark web forums, with prices ranging from $70 to $315 per set.
Kaspersky closely monitors the evolving landscape of shopping-related cyber threats. As shoppers prepare for major sales events like Black Friday in search of the best deals, the company’s researchers observe cybercriminals and fraudsters gearing up to exploit this demand, attempting to steal personal data, funds, and spread malware through deceptive shopping lures.
Between January and November 2024, Kaspersky solutions blocked 38,473,274 phishing attacks related to online shopping, payment systems, and banking institutions. Of these, 44% involved using banking services as bait — representing an increase of almost a quarter compared to the 30,803,840 million phishing attempts recorded during the same period last year.
Scammers frequently impersonate major retailers like Amazon, Walmart, and Etsy, sending deceptive emails claiming to offer exclusive discounts. These emails link to fake websites designed to mimic legitimate ones, often with subtle errors like misspellings or slightly altered domain names. Victims attempting to shop on these sites typically lose money.
Another widespread scam exploits consumers' desire to win prizes. Fraudsters send messages promoting limited-time surveys with prize draws, offering valuable rewards like a free iPhone 14. To create urgency, they claim only a few “chosen” users can access the deal, pressuring recipients to act quickly. Scammers offer a “reward” for sharing some “basic info," such as an email address, and spending some money on a fake site.
Kaspersky experts have traced the pathways of fraudulent activity, revealing that stolen data is either exploited directly by scammers or sold on dark web marketplaces. The value of the data determines its price. For instance, comprehensive sets of stolen credit card details, known as "fullz," typically include the card number, expiration date, CVV code, cardholder’s name, billing address, and phone number.
An example of a dark web ad selling user shopping
data. Retrieved with Kaspersky Digital Footprint Intelligence
"This year, dark web markets mirror the pricing strategies and marketing tactics of legitimate online retailers. Some even offer Black Friday-style promotions, such as discounts and bundled deals, similar to seasonal sales found on mainstream websites," comments Marc Rivero, lead security researcher at Kaspersky's Global Research and Analysis Team.
Within this campaign, a seller was offering a 10% discount on stolen credit card details from countries like Canada, Australia, Italy, and Spain – with pricing between $70 and $315 for a card depending on the card's quality and the region it was from.
To learn more about shopping threat landscape in 2024, visit Securelist.com.
To enjoy the best that Black Friday has to offer this year, be sure to follow a few safety recommendations:
- Do not trust any links or attachments received by mail; double-check the sender before opening anything.
- Double-check e-shop websites before filling out any information: is the URL correct? Are there any spelling errors or design bugs?
- Protect all the devices you use for online shopping with a reliable security solution. Kaspersky Premium protects its users from various shopping scams.
- If you want to buy something from an unknown company, check reviews before making any decision.
- Despite taking as many precautions as possible, you probably won’t know something is amiss until you see your bank or credit card statement. So, if you’re still getting paper statements, don’t wait until they hit your mailbox. Log in online to see if all of the charges look legitimate – if not, contact your bank or credit card company immediately to fix the situation.
