This story is part of a group of stories called
Uncovering and explaining how our digital world is changing — and changing us.
Someone claiming to be Kohl’s really wants to give me a beautiful orange Le Creuset dutch oven.
The email always says this is the chain department store’s second attempt to reach me, although I reckon it’s more like the 50th because I’ve gotten this email many, many times over the last few months. You probably have, too. Maybe it’s not from Kohl’s. Maybe it’s from Dick’s Sporting Goods or Costco. Whoever it claims to be from, the result is the same: You click on a link, fill out some kind of survey, and are asked to enter your credit card info to cover the cost of shipping your free Yeti cooler, Samsung Smart TV, or that Le Creuset dutch oven.
Those items will never come, of course. These emails are all phishing scams, or emails that pretend to be from a person or brand you know and trust in order to get information from you. In this case, it’s your credit card number. This latest campaign is particularly good at evading spam filters. That’s why you may have noticed so many of these emails in your inbox over the last several months. The fact that they got to your inbox in the first place as well as the realistic presentation of the emails and the websites they link to make them more convincing than the typical scam email. These attacks also usually ramp up during the holiday season. So here’s what you should watch out for.
“Grinch is getting security companies coal and blocked IPs for Christmas, and it’s resulting in more spam with domain hop architecture getting into your inboxes,” Zach Edwards, a security researcher, told Recode. Domain hop architecture is the series of redirects that route user traffic across multiple domains to help scammers hide their tracks and detect and block potential security measures.
Akamai Security Research identified the scam campaign in a recent report. The basic idea behind the scam itself — pretending to be a well-known brand and offering a prize in return for some personal information — isn’t new. Akamai has been following these kinds of grifts for a while. But this year’s version is new and improved.
“This is a reflection of the adversary’s understanding of how security products work and how to use them for their own advantage,” Or Katz, Akamai’s principal lead security researcher, said.
Basically, these scammers are deploying lots of technical tricks to evade scanners and get through spam filters behind the scenes. Those include (but aren’t limited to) routing traffic through a mix of legitimate services, like Amazon Web Services, which is the URL several of the scam emails I’ve received appear to link out to. And, Edwards said, bad actors can identify and block the IP addresses of known scam and spam detection tools, which also helps them bypass those tools.
Akamai said this year’s campaign also included a novel use of fragment identifiers. You’ll see those as a series of letters and numbers after a hash mark in a URL. They’re typically used to send readers to a specific section of a website, but scammers were using them to instead send victims to completely different websites entirely. And some scam detection services don’t or can’t scan fragment identifiers, which helps them evade detection, according to Katz. That said, Google told Recode that this particular method alone was not enough to bypass its spam filters.
“What we see in this recently released research is new and sophisticated techniques being used, indicating the evolution of the scam, reflecting on the adversary’s intention to make their attacks hard to be detected and classified as malicious,” Katz said. “And, as we can see, it is working!”
But you don’t see any of that. You just see the emails. At best, they’re annoying, and at worst, they could trick you into giving your credit card details to people who will presumably use that information to buy a lot of things on your tab. The fact that they’re in your inbox in the first place adds a veneer of legitimacy, and both those emails and the websites they send victims to look better and therefore might be more convincing than some typical phishing attempts. They also seem to change according to the season or time of year. Akamai’s examples, which it collected weeks ago, have a Halloween theme. More recent phishing emails send users to a website boasting of a “Black Friday Special.”
“The literal holiday banners are unique, so that’s a cool newish addition,” Edwards said.
And it’s all being deployed on an apparently massive scale, which is why most people reading this have probably gotten not just one of these emails, but an onslaught of them, extended over a period of months.
Or, as one of my co-workers said to me when she forwarded me an example of just one of the many scam emails she’s received in her Gmail inbox: “help.”
A spokesperson for Google told Recode that the company is aware of the “particularly aggressive” campaign and is taking measures to stop it.
“Our security teams have identified that spammers are using another platform’s infrastructure to make a path for these abusive messages,” they said. “However, even as spammers’ tactics evolve, Gmail is actively blocking the vast majority of this activity. We are in contact with the other platform provider to resolve these vulnerabilities and are working hard, as always, to stay ahead of the attacks.”
Google also recently put out a blog post warning users about common holiday season scams, and the fake giveaway was at the top of the list.
“Received an offer that looks too good to be true? Think twice before clicking any links,” Nelson Bradley, manager of Google Workspace Trust and Safety, wrote.
Google also noted that it blocks 15 billion spam emails every day, which it believes to be 99.9 percent of the spam, phishing, and malware emails its users are being sent. In the last two weeks, Bradley wrote, there’s been a 10 percent increase in malicious emails. To be fair, I think there are more fake Kohl’s giveaway emails sitting in my spam filter than in my inbox.
The spokesperson added that Gmail users can use its “report spam” tool, which helps Google better identify and prevent future spam attacks. Beyond that, the typical how to avoid getting phished tips still apply. Check the sender’s email address and the URL it’s linking out to. Don’t give out your personal information, especially not your account passwords or credit card numbers. Take a few seconds to think about why Kohl’s would just randomly decide to give you Le Creuset bakeware or Dick’s would give you a Yeti cooler worth hundreds of dollars just for answering a few basic survey questions. The answer is that they wouldn’t.
You could also just spend your Black Friday shopping for real items in real stores (or on their real websites) and giving your credit card details to real employees. Good luck out there; the Google spokesperson said the company expects that the scam campaign will “continue at a high rate throughout the holiday season.” So it’ll almost certainly continue even after Black Friday ends.