Holiday-Themed Spam Campaigns Ramp Up

This time of the year, spam campaigns are increasingly adopting holiday themes to improve their malware distribution rate and steal users’ banking information or to trick victims into accessing fake online stores, security researchers warn.

The growth is mainly fueled by intensified online shopping activity, which inspires cybercriminals to launch various social engineering attacks, including phishing and drive-by download campaigns. To deliver their malicious payloads, the cybercriminals use spam emails, one of the oldest and most widely used tactics.

According to Cyren, 78% of the email messages this week containing the word “Christmas” in the subject line were spam. What’s more, the security firm says that Christmas-themed email is almost entirely commercial or criminal.

To ensure that the victims are lured into their scheme, the attackers leverage keywords, thus creating “reasonable doubt in the victim’s browsing experience,” Zscaler security researchers explain. The attackers attach their malware to spam emails in the form of documents or links supposedly taking users to a receipt for an order recently placed.

Other tactics include the use of banners and pop-ups that supposedly offer discounts and free shipping but do not come from legitimate sources and are difficult to distinguish from real ones. The next phase of the attack is already tried and proven: a malicious document is used to drop the malicious code onto the victim’s computer.

Previously, criminals would use fake gift cards for the malware delivery, but users are growing wary of these, so they switched to weaponized Word documents instead. These documents contain malicious macros and attempt to trick the user into enabling them. When executed, the macros download a malicious executable designed to deliver ransomware or other types of malware.

A recently observed large distribution campaign posed as an Amazon notification but carried a malicious JavaScript file packed inside a ZIP attachment. The script was designed to download and execute the Locky ransomware on the compromised machine.
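A mail-gateway style check for the two delivery patterns described above (macro-enabled Word documents and a script file inside a ZIP attachment), added here as an example and not code from Cyren, Zscaler or SecurityWeek. The extension list, function names and the sample message are assumptions constructed for illustration; legacy OLE `.doc` files are not ZIP containers and are not covered.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
SCRIPT_EXTS = (".js", ".jse", ".vbs", ".wsf", ".hta")  # assumed blocklist, tune locally

def inspect_zip(data, depth=0):
    """List risky members of a ZIP blob (OOXML documents are ZIPs too)."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a ZIP container, nothing to list
    with zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if info.flag_bits & 0x1:  # encrypted member: contents cannot be inspected
                findings.append(("encrypted-member", info.filename))
            elif name.endswith(SCRIPT_EXTS):
                findings.append(("script-in-zip", info.filename))
            elif name.endswith("vbaproject.bin"):  # VBA project inside .docm/.xlsm
                findings.append(("vba-macros", info.filename))
            elif depth < 2 and info.file_size < 5_000_000:  # declared size, bounded recursion
                findings += inspect_zip(zf.read(info), depth + 1)
    return findings

def triage(raw_message):
    """Return (attachment, finding, member) tuples for one raw RFC 5322 message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        if fname.lower().endswith(SCRIPT_EXTS):
            results.append((fname, "script-attachment", fname))
        payload = part.get_payload(decode=True) or b""
        results += [(fname, kind, member) for kind, member in inspect_zip(payload)]
    return results

def build_sample():
    """Constructed test message: a ZIP holding one inert .js file and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("order_details.js", "// placeholder, no real payload")
        zf.writestr("readme.txt", "constructed sample")
    msg = EmailMessage()
    msg["Subject"] = "Your order has shipped"
    msg.set_content("See attached receipt.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="receipt.zip")
    return msg.as_bytes()
```

Any non-empty result from `triage()` is a reason to quarantine the message for review rather than deliver it.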

A Cerber ransomware distribution campaign observed only a couple of weeks ago was using fake credit card notifications to trick users into installing the malware. Recent campaigns switched to other holiday season-related themes for the same nefarious purposes.

“Cybercriminals are also sending phishing emails with fake package tracking numbers, bogus discounts, or coupons that link to phishing sites. With so many online orders being shipped, it is difficult to differentiate between the genuine email notifications and the frauds,” the Zscaler security researchers say.

Cyren notes that non-malware spam emails are also clogging user inboxes, linking to fake shopping sites such as (fake Nike), (fake UGG), and (fake Michael Kors). A spam attack linking to the fake Michael Kors shopping site became the highest volume non-malware attack seen by Cyren this year.

To avoid falling victim to attacks carried out via spam, users should stay away from emails coming from unknown sources, especially those that arrive during the holiday season with alleged invoices or order confirmations attached to them. The phishing traffic for store-related scams has increased as well over the past weeks, and users should always make sure that they visit legitimate websites when looking to make a purchase.

“It’s the time of year when we all get to celebrate with our families. For some of us, though, this will mean online shopping with all its potential pitfalls. And for some it will mean new devices and appliances to connect — with oblique instructions and undoubtedly some questions. Here are some tips to help keep you and yours safe and secure through the holidays and into the New Year,” the security researchers note.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
