Skip to main content

Hackers target your holiday shopping with new phishing scam

It’s easy to get fooled by this new and devious, holiday-themed phishing attack that offers free prizes. But the old caution that “if it sounds too good to be true, it probably is” continues to be proven correct in this case.

What makes this trick so effective is the elaborate methods used to conceal its nefarious purpose and to reassure you, the potential victim, that it’s perfectly OK to proceed. This phishing attack has actually been active since September and is ongoing, targeting holiday shoppers seeking special offers.

Woman using a laptop next to a latte.
Image used with permission by copyright holder

The attack was identified by Akamai and was recently reported on Scam Watcher, where screenshots were also shared, as noted by Bleeping Computer. The carrot that’s dangled is a free gift that is nice, but not so expensive as to be unbelievable. For example, a Yeti Hopper M20 Backpack Cooler was supposedly offered as an incentive to complete a survey.

For those wary of such gifts, scrolling down a bit reveals fake testimonials from people who have supposedly finished the survey and received their reward with no trouble whatsoever. If you were tempted by the gift, this might give you enough reassurance to proceed. There’s one more chance to back out, however.

To receive the free gift, you have to supply your mailing address, which is valuable to scammers. Then there’s the issue of shipping. Since the gift is free, you might not mind paying for shipping. All of this information is easy to enter with your iPhone or Android phone using autofill and it takes seconds to complete the process, nothing compared to the time you’ve already sunk into checking out the freebie, reading testimonials, and taking the survey.

Here's an example of a prize giveaway phishing scam.
Scam Watcher

The technical details of this phishing scam are complex and the attack redirects through multiple websites and uses unique website addresses each time, making it difficult to trace back to the perpetrator and shut it down. The best thing for you to do is to use caution and to be very skeptical of these free offers. It’s probably not worth the risk of identity theft, not to mention the financial cost.

Alan Truly
Alan is a Computing Writer living in Nova Scotia, Canada. A tech-enthusiast since his youth, Alan stays current on what is…
This Bing flaw let hackers change search results and steal your files
The new Bing preview screen appears on a Surface Laptop Studio.

A security researcher was recently able to change the top results in Microsoft’s Bing search engine and access any user’s private files, potentially putting millions of users at risk -- and all it took was logging into an unsecured web page.

The exploit was discovered by researcher Hillai Ben-Sasson at their team at Wiz, a cloud security firm. According to Ben-Sasson, it would not only allow an attacker to change Bing search results but would also grant them access to millions of users’ private files and data.

Read more
This major Apple bug could let hackers steal your photos and wipe your device
A physical lock placed on a keyboard to represent a locked keyboard.

Apple’s macOS and iOS are often considered to be more secure than their rivals, but that doesn’t make them invulnerable. One security team recently proved that by showing how hackers could exploit Apple’s systems to access your messages, location data, and photos -- and even wipe your device entirely.

The discoveries were published on the blog of security research firm Trellix, and will be of major concern to iOS and macOS users alike, since the vulnerabilities can be exploited on both operating systems. Trellix explains that Apple patched the exploits in macOS 13.2 and iOS 16.3, which were released in January 2023, so you should update your devices as soon as you can.

Read more
Hackers just stole LastPass data, but your passwords are safe
A physical lock placed on a keyboard to represent a locked keyboard.

The developers behind password management software LastPass have just shared some concerning news: Bad actors were recently able to access “elements of our customers’ information” in a recent security breach.

It’s the second time in just a couple of months that LastPass has suffered a security incident, and it appears the two events are directly linked. That’s because LastPass’s developers say that the unauthorized party was able to access customer data “using information obtained in the August 2022 incident.”

Read more