As U.S. consumers prepare for the Black Friday and Cyber Monday shopping bonanzas, threat management firm RiskIQ is warning that one in 25 Black Friday-themed mobile apps is fake.
Not only are four percent of the 4,356 Black Friday-themed apps found to be malicious, but some 32,000 malicious mobile apps make use of branding from the top five online retailers, according to RiskIQ’s 2017 Black Friday E-Commerce Blacklist. These apps are used to extract credit card information, Facebook or Gmail credentials, or download malware or ransomware.
The prize of credit card information from frenzied Black Friday shoppers represents an attractive target for cybercriminals, as sales last year topped $9.36 million (per Adobe), and RiskIQ notes that totals for this year will reach $10.8 billion if they increase by the same 16.4 percent rate as they did from 2015 to 2016.
For each of the top five brands there are at least 15 malicious apps available using their name with the term “Black Friday,” and there are 1,451 blacklisted URLs containing “Black Friday” along with their branded terms, as malicious actors target shoppers on both desktop and mobile devices.
One encouraging note in the report is that 40 percent fewer blacklisted apps were found in Q2 than in Q1, possibly reflecting increased awareness among consumers and app store owners.
RiskIQ compiled the blacklist with its exclusive virtual user technology and correlation method analytics to identify threats among the more than 2 billion HTTP requests, 20 million mobile apps, and 300 million domain records.
Hackers are also employing relatively sophisticated techniques, leveraging tools such as stolen code-signing certificates, which sell on the dark web for up $1,200, an investment that criminals may be willing to make considering the enormous potential for profit at the expense of holiday shoppers.