Breaking Badness

The Rise of Holiday Scams and State-Sponsored Cyber Threats

Introduction

In this episode of Breaking Badness, we delve into the cybersecurity trends shaping the holiday season. We unpack the 60% surge in scam domain registrations targeting holiday shoppers, discuss the tactics of TAG-112, a Chinese state-sponsored threat group, and analyze their use of compromised websites to deliver Cobalt Strike malware. Plus, we share actionable insights on mitigating these threats. Tune in for expert analysis, lighthearted banter, and a few cybersecurity holiday tips to keep you safe this season!


Scam Domain Registrations: A Holiday Epidemic

“Retail scamming is a year-round hobby for some people,” – Tim Helming, capturing the evergreen nature of these threats.

Holiday shoppers are prime targets for scammers, and recent research highlights a 60% spike in scam domain registrations. These fake domains impersonate major retailers like Walmart, Amazon, and Target, using enticing offers and counterfeit websites to steal credentials and financial data.

  • Domain Freshness: Older domains can be just as dangerous as newly registered ones. As Tim explained, “It’s not like food where it starts to go stale and then becomes poisonous.”
  • Red Flags for Consumers: Be wary of domain names containing terms like “secure,” “update,” or “discount,” as these are commonly used by scammers to appear legitimate.

Mitigation Tips:

  • Use tools like Iris Investigate to monitor and analyze suspicious domains.
  • Educate consumers on identifying phishing lures and encourage skepticism toward unsolicited messages.

TAG-112: The Return of Evasive Panda

The episode transitions to a deep dive into TAG-112, a Chinese state-sponsored group targeting Tibetan community websites. Their methods included exploiting vulnerabilities in Joomla CMS to deliver Cobalt Strike malware.

Attack Overview:

  • Targets: The Tibetan Post and a university site linked to Tibetan studies.
  • Tactics: Watering hole attacks embedding malicious JavaScript that prompts users to download a “security certificate,” which in reality delivers malware.
  • Connection to TAG-102: TAG-112 is considered a subset of the more advanced TAG-102, aka “Evasive Panda.”

“They’re aging malicious domains like fine wines,” joked Tim, highlighting how attackers use aged domains to bypass security filters.

Mitigation Recommendations:

  • Regularly update and patch CMS platforms like Joomla.
  • Monitor traffic for unusual activity using threat intelligence platforms.
  • Train users to identify suspicious prompts, especially around fake certificate downloads.

The Holiday Cybersecurity Playbook

The team discusses practical steps for consumers and businesses to stay ahead of threats during the holiday season.

For Consumers:

  • “Don’t drink and click,” advises co-host Kali Fencl, echoing the importance of cautious online behavior.
  • Verify websites before making purchases by checking for HTTPS and reputable payment gateways.

For Businesses:

  • Proactively monitor domain registrations containing brand names.
  • Consider adopting defensive domain registrations to prevent malicious actors from exploiting your brand.
  • Clearly communicate with customers about legitimate communication methods to prevent phishing success.
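The two detection ideas above (the red-flag terms called out in the scam-domain segment, and proactive monitoring of registrations that contain a brand name) can be combined into a simple triage script. The code below is an added example written for this recap, not DomainTools tooling or anything from the episode; the brand list, allowlist, digit-to-letter homoglyph map, scoring weights and the sample registration feed are all assumptions or constructed data. It goes slightly beyond the text by also catching one-character typosquats and digit substitutions such as “amaz0n”.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Brands to watch (assumed list; the episode names these retailers as commonly impersonated).
WATCHED_BRANDS = ("walmart", "amazon", "target")
# Terms the episode calls out as common in scam domain names.
RED_FLAG_TERMS = ("secure", "update", "discount")
# Known-legitimate domains that must never be flagged (assumed allowlist).
ALLOWLIST = {"walmart.com", "amazon.com", "target.com"}
# Digits scammers substitute for look-alike letters (assumed heuristic): 0->o 1->l 3->e 4->a 5->s 7->t
DIGIT_HOMOGLYPHS = str.maketrans("013457", "oleast")


@dataclass
class Finding:
    domain: str
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def registrable_label(domain: str) -> str:
    """Label left of the TLD, lower-cased. Assumes a single-label public suffix (.com, .shop)."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one-character typosquats such as 'targget'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_domain(domain: str) -> Finding | None:
    """Return a Finding when the domain looks like brand impersonation, else None."""
    domain = domain.lower().strip(".")
    if domain in ALLOWLIST:
        return None
    label = registrable_label(domain)
    normalised = label.translate(DIGIT_HOMOGLYPHS)  # "amaz0n-discount" -> "amazon-discount"
    tokens = [t for t in re.split(r"[-_]+", normalised) if t]
    finding = Finding(domain)
    for brand in WATCHED_BRANDS:
        if brand in normalised:
            finding.score += 3
            finding.reasons.append(f"contains brand '{brand}'")
        elif any(edit_distance(tok, brand) == 1 for tok in tokens):
            finding.score += 3
            finding.reasons.append(f"one edit away from brand '{brand}'")
    for term in RED_FLAG_TERMS:
        if term in normalised:
            finding.score += 1
            finding.reasons.append(f"red-flag term '{term}'")
    return finding if finding.reasons else None


def triage(new_registrations: list[str]) -> list[Finding]:
    """Score a batch of newly seen domains; return the suspicious ones, highest score first."""
    findings = [f for f in (analyse_domain(d) for d in new_registrations) if f]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed sample feed standing in for a newly-registered-domains export.
SAMPLE_NEW_REGISTRATIONS = [
    "walmart-secure-update.com",
    "amazon.com",
    "amaz0n-discount.shop",
    "targget.net",
    "holiday-gift-ideas.org",
    "secure-login-target.net",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_NEW_REGISTRATIONS):
        print(f"{f.score:>2}  {f.domain:<28} {'; '.join(f.reasons)}")
```

Run against the sample feed, the script ranks the Walmart look-alike first (brand plus two red-flag terms), drops the allowlisted amazon.com, and still catches “targget.net”, which contains no brand substring at all. The score is only a triage aid: a hit should feed an analyst workflow (in the episode's framing, a tool such as Iris Investigate) rather than an automatic block, and the single-label suffix assumption in registrable_label would need a public-suffix list for domains like example.co.uk.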

As holiday shopping heats up, so do the efforts of cybercriminals. Whether you’re a consumer or a business, staying vigilant and informed is key to navigating these seasonal threats. Catch the full episode to learn more about how to protect yourself and your organization.



That’s about all we have for this week. You can find us on Mastodon and Twitter/X @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!