30% of Retailers Fail to Show Accurate Discounts, EU Probe Reveals

A new investigation into Black Friday discounts across Europe has revealed a troubling pattern: many online deals may not be as genuine as they appear. According to findings released by the European Commission and consumer protection authorities, nearly one in three traders failed to display discounts correctly during major sale events like Black Friday and Cyber Monday. The coordinated “sweep” examined 314 online traders across 23 EU Member States, along with Iceland and Norway. The goal was simple: check whether Black Friday discounts and pricing practices actually comply with EU consumer protection laws. The results suggest that a significant portion of online retailers are still falling short.

Black Friday Discounts Often Misleading

At the core of the issue is how Black Friday discounts are calculated and presented. Under EU rules, any advertised discount must be based on the lowest price a product had in the previous 30 days. However, 30% of the traders checked failed to follow this requirement. This means that many “discounts” shoppers see may not reflect real savings, but rather inflated comparisons designed to create the illusion of a better deal. It’s a reminder that misleading discounts remain a widespread issue, even in regulated markets.

Online Sales Tactics Raise More Concerns

Beyond incorrect Black Friday discounts, the sweep uncovered several other questionable online pricing practices:

  • 36% of traders added optional items to shopping carts, often without clear consent from users
  • 34% used price comparisons, but 60% of those failed to explain what those comparisons were based on
  • 18% used pressure-selling tactics like fake scarcity or countdown timers, with more than half found to be misleading
  • 10% used “drip pricing,” adding extra costs such as shipping fees late in the checkout process

These tactics are not just aggressive; they are illegal under EU consumer protection laws when used deceptively. The findings show that the issue goes beyond Black Friday discounts alone. It reflects a broader pattern of how online platforms influence consumer decisions.

EU Consumer Protection Rules Put to the Test

The investigation highlights the growing importance of EU consumer protection frameworks in the digital shopping era. While regulations like the Price Indication Directive and Unfair Commercial Practices Directive are in place, enforcement remains key. Consumer authorities across Europe can now take action against businesses found violating these rules. The scale of the problem suggests that compliance is still inconsistent. Despite clear guidelines, many traders continue to rely on tactics that blur the line between marketing and manipulation.

Trust at the Center of the Issue

The conversation around Black Friday discounts is ultimately about trust. When consumers see a discount, they expect it to be real—not a marketing trick.

As Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, stated, “Black Friday and Cyber Monday offer great opportunities for both businesses and consumers. However, a great bargain is no excuse to cheat the rules. Consumers expect a fair treatment, whether they are shopping online or offline. Our sweep should act as a reminder: Businesses that treat their customers fairly always benefit.”

Echoing this, Michael McGrath, Commissioner for Democracy, Justice, the Rule of Law and Consumer Protection, said, “Trust is essential for both consumers and businesses. Misleading discounts and false ‘promotions’ undermine that trust. EU consumer protection rules strike a careful balance, ensuring a fair market that serves the interests of both businesses and consumers. This sweep gives us a comprehensive view of the market, helping us identify where further action is needed to keep it fair, transparent, and competitive.”

The findings serve as a reality check for both regulators and consumers. While Black Friday discounts continue to attract millions of shoppers, not all deals are as transparent as they seem. For regulators, the message is clear: stronger enforcement may be needed. For consumers, it’s a reminder to look beyond flashy discounts and question how prices are presented.

Black Friday chaos: The return of Gozi malware

On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America.

The Black Friday connection

Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity and often lax security awareness among users provides fertile ground for launching attacks. Gozi malware, a well-known banking Trojan, exploits this seasonal chaos to target unsuspecting users and financial institutions alike.

This year’s Black Friday activity was particularly concerning, with a notable increase in web-inject attacks. These sophisticated techniques compromised online banking sessions, enabling the theft of credentials, financial information and other sensitive data.

The campaign is not expected to stop there. With the subsequent year-end shopping rush, Gozi malware is poised to continue its onslaught. Cyber criminals are likely to capitalize on the desperation of last-minute shoppers seeking the best holiday deals, amplifying the malware’s reach and impact.

These ongoing attacks emphasize the need for vigilance and proactive security measures. Whether you’re a consumer enjoying the convenience of online shopping or a business managing increased transaction volumes, understanding the evolving tactics of cyber criminals is critical to staying ahead of the threat.

What is Gozi malware?

Gozi, also known as Ursnif and ISFB, is a modular banking Trojan that has been active since the mid-2000s. It is infamous for its ability to steal banking credentials, monitor user activity and execute advanced web-injects during online banking sessions. Over the years, it has evolved to include features like anti-debugging mechanisms and encrypted communication and is also used for targeted attacks on specific regions and financial institutions.

Observations from our system

During Black Friday, our telemetry revealed the following trends:

  • Targeted campaigns: Gozi operators appeared to focus on North American banks, aligning their campaigns with the peak shopping hours.
  • Increase in attack volume: The malware’s web-inject functionality was heavily used, indicating a rise in compromised banking sessions.

Why the surge?

The Black Friday spike in Gozi activity can be attributed to:

  • Volume of transactions: The sheer number of financial transactions increases the probability of successful attacks.
  • Weakened defenses: Many businesses prioritize frictionless user experience, uptime and sales during Black Friday, potentially delaying or weakening their security measures.
  • Human behavior: Consumers are more likely to overlook suspicious activity when rushing to grab deals.

What we found

The provided script demonstrates a sophisticated web injection attack used to compromise online banking sessions. It dynamically injects malicious code into the legitimate banking page, allowing attackers to manipulate the session without the victim’s knowledge. The malicious script operates in the background to steal sensitive data, such as credentials, and is designed to evade detection by immediately removing itself from the page after execution. By blending with the legitimate page and erasing evidence, the attack becomes nearly invisible to both users and traditional security measures. This highlights the growing sophistication of web-inject attacks and underscores the need for advanced monitoring systems and robust security measures to detect and prevent such threats.

Figure 1: Sample of Gozi injection

From the screenshot below, it appears that the attacker left minimal evidence, likely attempting to test the mechanism and ensure everything is functioning correctly:

Figure 2: Attacker preparation

We believe the web-inject is still a work in progress, with potential future updates and enhancements to the code likely.

If you’d like to learn more about Gozi malware, you can find additional information here.

Final thoughts

As cyber criminals continue to exploit global events like Black Friday, staying vigilant is more crucial than ever. The resurgence of Gozi malware activity highlights the importance of proactive security measures for both businesses and individuals. While the current attacks are predominantly targeting North America, we suspect this campaign will soon expand to Europe, leveraging the holiday shopping season to further its impact.

While we enjoy the convenience of online shopping, it’s vital to stay aware of the ever-present cyber threats lurking in the digital landscape. By adopting robust security practices and remaining cautious, we can reduce the risks and protect ourselves against these sophisticated attacks. Cybersecurity is not just a technical challenge—it’s a shared responsibility.

How to avoid Gozi malware

Here are some recommendations to avoid Gozi malware and protect yourself from similar threats:

  • Be wary of email links. Exercise caution when opening email attachments or clicking on links, especially if they come from unknown or suspicious sources. Be particularly vigilant for phishing emails that may attempt to trick you into downloading malware.
  • Increase your password security. Create strong and unique passwords for all your online accounts, including cryptocurrency exchanges and wallets. Avoid using easily guessable information and consider using a reliable password manager to securely store and manage your passwords.
  • Remain vigilant online. Pay attention to any unusual behavior or unexpected requests when accessing websites, especially financial or cryptocurrency-related platforms. If you encounter unexpected pop-ups, requests for additional personal information or changes in website appearance, it could be a sign of a web-inject attempting to deceive you.
  • Stay informed about the latest cybersecurity threats and best practices. Familiarize yourself with common techniques used by cyber criminals, such as phishing scams and social engineering, to avoid falling victim to their tactics.

One of the best tools to detect Gozi malware and protect your organization is IBM Security Trusteer Pinpoint Detect. The tool uses artificial intelligence and machine learning to protect digital channels against account takeover and fraudulent transactions and detect user devices infected with high-risk malware. Learn more here.

IOC

The following web-inject request paths were observed (defanged with “[.]” in place of “.”):

  • /usbank/inj[.]php
  • /in/sella/sella[.]php
  • /in/paypal/p[.]php
  • /in/ebay/ebay[.]php
  • /in/poste/po[.]php
  • /in/ubibanca/ub[.]php
  • /in/amazon/a[.]php
  • /in/clienti.chebanca/ch[.]php
  • /in/credem/cr[.]php
  • frcorporateonline/inj[.]php
  • hsbcnet/inj[.]php
  • /lancher/in
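To turn the indicator list above into something a SOC can act on, the following added example (not part of the original post or of IBM Trusteer) refangs the defanged paths and matches them against the URL path of outbound web-proxy log lines, reporting the hits and the client hosts that should be triaged for a Gozi infection. The log format (timestamp, client IP, method, URL, status) and the log lines themselves are constructed for the example; matching is a substring test on the URL path, so short indicators such as /lancher/in deserve analyst review rather than automatic blocking.

```python
import re
from urllib.parse import urlparse

# Inject paths exactly as listed in the post's IOC section (defanged form).
GOZI_INJECT_PATHS = [
    "/usbank/inj[.]php",
    "/in/sella/sella[.]php",
    "/in/paypal/p[.]php",
    "/in/ebay/ebay[.]php",
    "/in/poste/po[.]php",
    "/in/ubibanca/ub[.]php",
    "/in/amazon/a[.]php",
    "/in/clienti.chebanca/ch[.]php",
    "/in/credem/cr[.]php",
    "frcorporateonline/inj[.]php",
    "hsbcnet/inj[.]php",
    "/lancher/in",
]


def refang(ioc: str) -> str:
    """Convert a defanged indicator back to the literal form seen on the wire."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


# Literal forms, paired with the original defanged string for reporting.
REFANGED = [(raw, refang(raw)) for raw in GOZI_INJECT_PATHS]

# Constructed proxy log format (assumption): "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: two requests to Gozi inject paths, one benign login,
# one checkout, and one near-miss (/static/inj.php) that must NOT match.
SAMPLE_PROXY_LOG = """\
2024-11-29T14:02:11Z 10.1.4.22 GET https://example-bank.test/online/login 200
2024-11-29T14:02:13Z 10.1.4.22 GET https://cdn-static.invalid/in/paypal/p.php?ts=1732888933 200
2024-11-29T14:05:40Z 10.1.7.9 POST https://example-shop.test/checkout 302
2024-11-29T14:06:02Z 10.1.7.9 GET https://upd.invalid/lancher/in 200
2024-11-29T14:07:15Z 10.1.4.22 GET https://example-bank.test/static/inj.php 404
"""


def match_ioc(url: str):
    """Return the defanged IOC whose literal path occurs in the URL path, or None.

    Only the path component is compared, so query strings and hostnames cannot
    produce or hide a match.
    """
    path = urlparse(url).path
    for raw, literal in REFANGED:
        if literal in path:
            return raw
    return None


def scan_proxy_log(text: str):
    """Parse each log line and collect the requests that hit a Gozi inject path."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        ioc = match_ioc(m["url"])
        if ioc is not None:
            hits.append({"ts": m["ts"], "client": m["client"],
                         "url": m["url"], "ioc": ioc})
    return hits


def suspect_hosts(text: str):
    """Distinct client addresses that requested an inject path, sorted for reporting."""
    return sorted({h["client"] for h in scan_proxy_log(text)})


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['ioc']}  ({hit['url']})")
    print("hosts to triage:", suspect_hosts(SAMPLE_PROXY_LOG))
```

Hits are reported with the original defanged string so that the output can be pasted into a ticket without creating live links; a real deployment would feed the same `match_ioc` check into the proxy or SIEM pipeline rather than scanning a text dump.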

The post Black Friday chaos: The return of Gozi malware appeared first on Security Intelligence.