Why you’re getting all those Yeti cooler giveaway scam emails in your Gmail inbox

Someone claiming to be Kohl’s really wants to give me a beautiful orange Le Creuset dutch oven.

The email always says this is the department store chain’s second attempt to reach me, although I think it’s more like the 50th because I’ve gotten this email many, many times over the past few months. You probably have too. It might not be from Kohl’s. Maybe it’s from Dick’s Sporting Goods or Costco. Whoever it claims to be from, the result is the same: You click a link, fill out some kind of survey, and are asked to enter your credit card information to cover the shipping cost of your free Yeti cooler, Samsung Smart TV, or Dutch oven from Le Creuset.

An example of a phishing email claiming to be from Kohl's.  It features a set of Le Creuset cookware and says:

Spoiler alert: There is no “fantastic prize” waiting for you on the other side of this scam email.

Of course, those things never come. These emails are all phishing, or emails pretending to be from a person or brand you know and trust to get information from you. In this case, it’s your credit card number. This latest campaign is particularly good at avoiding spam filters. That’s why you may have noticed so many of these emails in your inbox over the past few months. The fact that they arrived in your inbox in the first place and the realistic presentation of the emails and the websites they link to make them more convincing than the typical scam email. These attacks usually increase during the holiday season as well. So here’s what you should watch out for.

“The Grinch is getting security companies coal and blocked IP addresses for Christmas, and that’s resulting in more domain-hop architecture spam entering your inboxes,” security researcher Zach Edwards told Recode. Domain hop architecture is a series of redirects that routes user traffic across multiple domains to help fraudsters cover their tracks and detect and block potential security exploits.

Akamai Security Research identified the fraud campaign in a recent report. The basic idea behind the scam itself – pretending to be a well-known brand and offering a prize in exchange for some personal information – is not new. Akamai has been following these types of scams for a while. But this year’s version is new and improved.

“This is a reflection of the adversary’s understanding of how security products work and how to use them to their own advantage,” said Or Katz, Akamai’s chief security researcher.

An example of a scam message pretending to be from Costco.  It shows a woman in a yoga pose in front of a big screen TV and it says

Sorry, but you have to buy a Samsung TV from Costco just like everyone else. This survey is only trying to steal your credit card information.

Basically, these fraudsters use lots of technical tricks behind the scenes to avoid scanners and get through spam filters. These include (but are not limited to) routing traffic through a mix of legitimate services, such as Amazon Web Services, which is what the URLs in several of the scam emails I’ve been given seem to link to. And, Edwards said, bad actors can identify and block the IP addresses of known fraud and spam detection tools, helping them bypass those tools as well.

Akamai said this year’s campaign also included a new use of fragment identifiers. You see them as a series of letters and numbers after a hash mark in a URL. They are usually used to send readers to a specific part of a website, but fraudsters used them to send victims to completely different websites instead. And some fraud detection services do not or cannot scan fragment identifiers, which helps them avoid detection, according to Katz. That said, Google told Recode that this particular method alone wasn’t enough to bypass its spam filters.
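To make the fragment-identifier point concrete, here is an added example (not code from Akamai's report or from the original article) of how a mail-scanning pipeline could keep fragments in scope. It relies on the fact that the part after the hash mark is handled by the browser and never sent in the HTTP request, so two links that differ only in their fragment look identical to a scanner that just fetches the URL. The sample links, the function names and the thresholds are constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample links, standing in for URLs pulled from message bodies.
SAMPLE_LINKS = [
    "https://brand.example/help/returns#shipping",
    "https://storage.example/landing/index.html#a8Jk29xQmZ7pLr4TyU1wVb6N",
    "https://storage.example/landing/index.html#https%3A%2F%2Fprize.example%2Fsurvey",
    "https://news.example/article?id=7",
]

URL_IN_FRAGMENT = re.compile(r"(?:https?:)?//[\w.-]+\.[a-z]{2,}", re.I)


def request_target(url):
    """What a server (or a fetch-only scanner) sees: the fragment is never sent."""
    parts = urlsplit(url)
    return parts.netloc, parts.path or "/", parts.query


def shannon_entropy(text):
    """Bits per character; random-looking tokens score higher than words."""
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def fragment_findings(url):
    """Return the reasons a link's fragment deserves review (empty list if none)."""
    fragment = unquote(urlsplit(url).fragment)
    reasons = []
    if fragment and URL_IN_FRAGMENT.search(fragment):
        reasons.append("fragment embeds a URL or host")
    # Thresholds are illustrative assumptions, not values from the Akamai report.
    if len(fragment) >= 20 and shannon_entropy(fragment) >= 4.0:
        reasons.append("long token-like fragment")
    return reasons


def shared_targets(links):
    """Group links that differ only in their fragment (same request on the wire)."""
    groups = defaultdict(list)
    for link in links:
        groups[request_target(link)].append(link)
    return {target: urls for target, urls in groups.items() if len(urls) > 1}


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", fragment_findings(link) or "no findings")
    print(shared_targets(SAMPLE_LINKS))
```

An ordinary in-page anchor such as `#shipping` produces no findings, while the two constructed landing-page links are both flagged and grouped under the same request target.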

“What we see in this newly released research are new and sophisticated techniques being used, indicating the evolution of the scam, which reflects the adversary’s intent to make their attacks difficult to detect and classified as malicious,” Katz said. “And as we can see, it works!”

But you don’t see any of that. You only see the emails. At best, they’re annoying, and at worst, they can trick you into giving your credit card information to people who will probably use that information to buy a bunch of stuff on your tab. The fact that they are in your inbox in the first place adds a veneer of legitimacy, and both these emails and the websites they send victims to look better and therefore can be more convincing than some typical phishing attempts. They also seem to change depending on the season or time of year. Akamai’s example, which it collected weeks ago, has a Halloween theme. More recent phishing emails send users to a website boasting a “Black Friday Special.”

“The literal holiday banners are unique, so that’s a cool new addition,” Edwards said.

An example of a scam website claiming to offer a prize from Dick's Sporting Goods.  It features a picture of a Yeti cooler and reads:

Dick’s Sporting Goods is not giving away a Yeti Cooler, even if you complete a survey.

And it’s all distributed on an apparently massive scale, which is why most people reading this have probably received not just one of these emails, but an onslaught of them, spanning a period of months.

Or, as one of my co-workers told me when she forwarded me an example of just one of the many scam emails she’s received in her Gmail inbox: “help.”

A Google spokesperson told Recode that the company is aware of the “particularly aggressive” campaign and is taking steps to stop it.

“Our security teams have identified that spammers are using another platform’s infrastructure to create a path for these abusive messages,” they said. “However, even as the spammer’s tactics evolve, Gmail is actively blocking the vast majority of this activity. We are in contact with the other platform provider to resolve these vulnerabilities and are working hard, as always, to stay ahead of the attacks.”

Google also recently put out a blog post warning users about common holiday scams, and the fake giveaway was at the top of the list.

“Did you get an offer that looks too good to be true? Think twice before clicking on any link,” wrote Nelson Bradley, director of Google Workspace Trust and Safety.

Google also noted that it blocks 15 billion spam emails every day, which it believes is 99.9 percent of spam, phishing and malware emails sent to its users. In the past two weeks, Bradley wrote, there has been a 10 percent increase in malicious emails. To be fair, I think there are more fake Kohl’s giveaway emails in my spam filter than in my inbox.

The spokesperson added that Gmail users can use the “report spam” tool, which helps Google better identify and prevent future spam attacks. Beyond that, the typical tips on how to avoid phishing still apply. Check the sender’s email address and the URL it links to. Do not give out your personal information, especially your account passwords or credit card numbers. Take a few seconds to think about why Kohl’s would just randomly decide to give you Le Creuset bakeware or Dick’s would give you a Yeti cooler worth hundreds of dollars just for answering a few basic survey questions. The answer is that they wouldn’t.

You can also just spend your Black Friday shopping for real items in real stores (or on their real websites) and give your credit card details to real employees. Good luck out there: a Google spokesperson said the company expects the fraud campaign to “continue at a high pace throughout the holiday season.” So it will almost certainly continue even after Black Friday is over.

