Black Friday is now behind us, but don’t expect this Cyber Monday to be off the radar when it comes to those looking to scam you, hack your online accounts and generally make the online sales the kind of experience you won’t want to remember. Criminal marketplaces have sales the same as any legitimate retail operation, but the items on offer are far from legal: phishing exploit kits, fake websites, cookie grabbers and, most dangerous of all, 2FA-bypassing session cookies by the millions. Here’s what you need to know.

Hackers Can Buy Everything They Need To Make Your Cyber Monday A Misery On The Dark Web

The busiest period of online shopping, during which the most money changes hands, continues to focus on November and December around the Black Friday and Cyber Monday sales, according to the most recent statistics. Unfortunately, for the scammers and hackers looking to exploit the online shopping frenzy following Thanksgiving, it’s also a hectic time. This spells nothing but trouble for shoppers as the phishing threat continues to evolve while also becoming easier, and cheaper, than ever to execute. Much of the reason for this can be traced back to the dark web, and the underground criminal marketplaces that trade within it, where all the tools required to open up this type of criminality are laid bare for anyone with the cryptocurrency to purchase it. When I say all the tools, I mean it: exploit kits, cloned website shops, phishing-as-a-service plans, two-factor authentication bypass cookies and tutorials on how to use them all. New analysis from NordStellar threat intelligence has revealed just how much, or should I say how little, it costs to join the criminal underbelly of online sales exploitation.

The Cost Of Cyber Monday Hacking Tools On The Dark Web In 2024

“Phishing kits are usually free, fake website layouts start at $50, and malware-as-a-service subscriptions cost about $150 monthly,” Adrianus Warmenhoven, a cybersecurity expert at NordVPN said, “the priciest items, such as cookie grabber pages, cost $400 or more.” Considering the time of year, however, it’s only apt that “you can also find discounts for these items,” according to Warmenhoven. Statistics suggest that as many as 84% of those targeted by phishing scams that employ fake shopping websites will engage with it, and just under half of those will lose money as a result.

Such fake pages will often include “card verification details and strong anti-bot systems,” Warmenhoven warned, “additionally, they are designed to block website scanning and have the capability to bypass one-time password and 2FA systems.”

The latter explains why what are known as cookie grabber pages are among the most expensive seen on these criminal marketplaces, with $400 being a rock-bottom cost. “These pages are specifically crafted to capture cookies from a user’s browser or social media platforms,” Warmenhoven said, “which hackers can then use for nefarious purposes.”

This kind of session cookie theft, and onward sale, is seen as the holy grail within the phishing community as it enables the criminals to gain full access to an account or service without having to worry about login credentials or 2FA codes—the session has already been authorized and the service thinks it is you using it as a result.

30 Million Session Cookies To Bust Cyber Monday 2FA Found For Sale

The NordStellar analytics found that there were more than 54 billion cookies for sale in total on the dark web. However, digging down into the detail revealed the really scary statistics: 154 million were listed as being authentication cookies, with 23.5 million still active, and 37 million listed as login cookies with 6.6 million active. That’s 30 million session cookies than can be used to bypass two-factor authentication on live sales offered for sale in the run up to the busiest online shopping period of the year.

A Google spokesperson said there are “numerous protections to combat such attacks, including passkeys, which substantially reduce the impact of phishing and other social engineering attacks.” Such security keys are known to be a stronger protection against “automated bots, bulk phishing attacks, and targeted attacks than SMS, app-based one-time passwords, and other forms of traditional two-factor authentication,” according Google. As such, beyond the obvious advice of not getting fooled, which is easier said than done or nobody would fall victim to a phishing attack, you should consider replacing your passwords with a passkey where available before you shop this Cyber Monday and afterwards.

Share.
Exit mobile version