15 Holiday Phishing Attacks

'Tis the season for holiday shopping, Christmas carolers and malware? Like it or not, hackers are already playing Santa by sending spam and launching phishing attacks that capitalize on user's lack of time and open wallets. And unfortunately, many generous and unknowing victims will end up surrendering their identities and credit card numbers. So avoid getting a lump of coal in your stocking by watching for these 15 holiday scams.

Attackers will be taking advantage of users' lack of time coupled with their desire to find unique gifts at an affordable price. And personalized kitchen towels and mugs, like in this spam ad provided by Sophos, might be just the thing to entice users to download malware or submit personal information. However, be suspicious of unsolicited online ads, especially if the ads contain links that redirect you to a different site. Instead, take a few minutes and do some pro bono research on the organization making the offer. Or better yet, save yourself the trouble and just delete unsolicited spam from you inbox.

Of course, no holiday season is complete without personalized greeting cards, like this image, submitted by Kaspersky Lab. But while the colorful images of personalized holiday greeting cards look festively legitimate, they're actually linked to a spamming site. In reality, visitors stand a good chance of receiving bogus products, if they get anything at all, as well as losing credit card information. To avoid this kind of hassle, delete all unsolicited e-mails from unfamiliar sources, and instead go directly to a trusted site for online holiday shopping.

It's a known fact that people have less money this holiday season to spend on brand names than they did last year. However, hackers know this too. Subsequently, attackers will capitalize on users need to cut costs with offers like this one, provided by Sophos, which touts luxury replica watches at a fraction of the original price. It might seem tempting, but all users will likely get once they click on the embedded link will be information-stealing malware, and not a designer watch knock-off.

True to form, spammers and scammers will also capitalize on the weak economy. And some cash-strapped victims will be all too tempted by solicitations of easy and fast money made over the Internet, with minimal work required. As such, victims will likely see more scams, such as this one provided by Symantec, offering users the chance to earn high commissions by "selling products from home" throughout the holiday season. Of course, in reality, these ads are scams, intended to elicit money and personally identifying information from users, with no guarantees of a return. Remember, if it appears too good to be true, it probably is. Meanwhile, video downloads embedded in this kind of spam often will download malicious code designed to steal information and take over users' computers. And no matter how good a deal it seems, no one can afford that.

Users will be looking for cute holiday surprises. And what better way to wow your kids than with a letter from Santa? In this case, there are lots. Users might be tempted to click on the embedded links contained in the e-mail for a chance to buy three "personalized" letters from Santa. However, this e-mail message, provided by Symantec, is partly a scam, designed to snare personal and financial information from victims, and the links will likely lead to malicious sites designed to download malware onto users' systems. Avoid buying anything advertised via e-mail, and instead go directly to a trusted site.

There are lots of clues that giveaway the fact that this spam e-mail, provided by Symantec, is a scam, not the least of which is poor grammar. Plus, the $5.5 million giveaway seems a little absurd as well. Hackers and phishers use this kind of identifying information to break into users' personalized accounts to steal login credentials and possibly gain access to financial accounts such as PayPal and banking accounts, while certainly using the e-mail address to infiltrate users' inboxes and send more spam. As always, avoid providing any personal information -- no matter how benign it may seem -- via e-mail, especially if it's in response to an unsolicited or unknown sender.

As usual, hackers will use holiday e-cards as a tool to distribute malware and steal information, especially if the e-card appears to come from someone the user knows. It's hard to resist clicking on a link that promises to offer sentimental holiday cheer. However, the embedded links likely will redirect a user to a malicious site that downloads malware.

As in this scam, provided by McAfee, hackers will use trusted brand names such as Hallmark to legitimize their spam e-mail. Consequently, resist opening e-cards, even if they appear to be from a familiar or trusted source.

Most definitely, attackers will be capitalizing on users' budget-minded concerns for their holiday gift ideas. As such, users will likely see more spam ads, such as this one provided by McAfee, for cheap merchandise such as jewelry and watches. But all too often, these ads promise a bogus product or are phishing scams designed to steal submitted credit card and personal information. Rule of thumb -- no deal, no matter how enticing, is worth your losing your identity.

With so many gifts purchased online throughout the holidays, attackers will have no compunction about capitalizing on users' fears about credit and payment failures. In this example, submitted by SonicWall, hackers create a fake alert from the Electronic Payments Association, warning that a payment was rejected, while advising the victim to click on a link to view his or her report. In all likelihood, the embedded link is infected and will lead a user to a malicious Web page that distributes malware. Credit woes during the holiday season might be very real. But keep in mind that most legitimate organizations will find other ways to contact a user than e-mail. Instead of clicking on an unknown link, call the credit agency or organization directly.

With Christmas around the corner, New Year's scams are never far off. Hackers will also be promoting a wide variety of New Year's sales, like this one, provided by Kaspersky Lab. Even more enticing are offers for significant discounts on typically high dollar items, such as Photoshop software. However, the offer is likely bogus at best, and malicious at worst. Of course, some of the grammatical errors in the text should be a dead giveaway that this offer is a scam, along with the fact that it is not sent from Adobe e-mail address. But perhaps the hackers were banking on users being so eager to save money on the latest Adobe Photoshop software that they wouldn't notice.

Phishers continue to send spam phishing attacks by sending minimalist messages containing a few words or sentences, coupled with a link. In this attack, submitted by Kaspersky Lab, hackers are banking that cash-strapped users will be enticed by the prospect of winning a holiday bonus, while ignoring the fact that the e-mail is CC'd to an address with a Russian domain. But instead of a $200 bonus, users will only get malware downloaded onto their computers. Remember, there is no such thing as a free lunch, and that adage especially holds true during the holidays.

Spam is rarely, if ever, included on people's holiday wish lists. But that doesn't stop attackers. Sometimes attackers take out full page, four-color ads -- like in this example, sent by Kaspersky Lab. Spammers are advertising big sales on Christmas Trees, along with a slew of other products. However, users will quickly find that the Garden Ridge ad is spamming site, created by hackers to trick users into submitting credit card and other personal information, while gaining access to contact lists in order to distribute more spam. Word to the wise, avoid the hassle of spam altogether and delete any that grace your inbox.

The pretty Christmas ornaments look tempting, but once again, this is a spamming site. Users who purchase the offered merchandise will likely end up getting a bogus product, if any at all, while risk losing credit card and personally identifying information. They will most definitely set themselves up to receive more spam. And no one wants that for Christmas.

In light of the broken English and misspellings, this phishing attack might seem obvious. But users will still be tempted to click on the provided links, either to participate in the auction site or to allegedly "unsubscribe" from the e-mail list. Don't. Needless to say, victims are not going to win any bid, but instead get a big dose of malware. The best thing you can do is delete this attack.

In an effort to convince their children that Santa Claus is indeed real, some parents may be tempted to invest in personalized letters from the big guy. Don't. This advertisement is spam, likely designed to obtain credit card numbers and access your e-mail account and contact lists to send more spam. The best advice would be to forego the flashy stationary, save some money and write a truly "personalized" letter yourself.