New Online Shopping Phishing Scams

Becky Mayse | January 23, 2017

A new type of phishing scam is targeting online shoppers, reminding us to be aware of how we interact with websites and that phishing attacks can come from many sources, not just email! 

The Enterprise Security team's mission is to improve the security awareness and profile of the university. We wanted to make you aware of this scam that could cause you loss as a consumer.

Sophos, a computer security news site, reported on this new type of phishing in a January 11 article titled Beware Phishing Scams in Amazon Listings (viewable online at https://nakedsecurity.sophos.com/2017/01/11/beware-phishing-scams-in-amazon-listings).  The article discusses an attack that utilizes links or follow up emails that look convincingly like the intended online merchant but are malicious third party websites.

I recently spotted a similar scam on a popular online merchant’s website and tried it out (in a safe way, don’t try this at home!) for myself so I can tell you more about it.  Here’s what happened:

  1. I found a deeply discounted used item with a phone number in the description field that says to text to confirm item condition.
  2. When I sent the text an auto-reply message appeared giving me an email address and telling me to send a link to the item I’m interested in to the address.
  3. I emailed the address and received back a message assuring me that the item was available, brand new, and that to proceed click a “Buy Now” button.
  4. The “Buy Now” button opened a malicious website that was a spoof of an actual merchant’s website.

These scams are all operating the same way. They’re focused on leading the customer away from merchant’s website, thus bypassing security controls in place for the online merchant. 

When shopping online remember to watch the URL closely and avoid direct, off-website communication with sellers and merchants.  When shopping from third-party sellers on sites like Amazon or eBay the best way to communicate is via website messaging offered by these services (use the “ask a question” link).

Quick Steps:

  • Use built in messaging functionality on shopping websites to communicate with sellers.
  • Be careful of URLs.
  • If you think you’ve been a victim of a scam, get help!  Contact the legitimate websites customer service.  If it’s related to OSU operations, please reach out to your local IT Help Desk or 8Help.

Remember, if a deal sounds too good to be true it’s probably a scam!

Tags: 
security, cybersecurity, enterprise security, phishing, threat intelligence