Halloween Trick or Trick: Cyber-Ghouls and Goblins Use Fake Commercial Spam to Steal Credentials

Most Halloween cyber-criminals make believe they advertise products while they are actually hunting users’ personal data through fake commercial spam campaigns, according to an analysis by Bitdefender.

Up to 70 per cent of spammers who take advantage of Oct. 31 celebrations flood inboxes with images of cars and pharmaceuticals such as Viagra that redirect people to other websites. Users are then asked for passwords, usernames or location, and may further be infected with malware.

Only 30 per cent of the analyzed spam allows users to actually buy Halloween products such as costumes and candy. Even then, the online stores’ poor reputations could mean clients will never get the promised products.

“If Halloween commercial spam is actually going to exist and to continue to bother people with advertisements for costumes, gifts, and party tickets, it would be nice if it actually had something to offer – but that’s not the case,” said Bitdefender Security Strategist Catalin Cosoi. “Halloween cyber-criminals make a better deal by selling spamming lists and credentials for identity fraud.”

Among the Halloween spam samples that try to steal users’ personal information, Bitdefender found several containing commercials for fun cards, gaming websites, cars, trucks and SUVs. It also included some emotional e-mails that advised users to protect their kids from child predators when they go trick-or-treating, and keep their black cats safe, as they are “often target for abuse during this superstitious time.”

Because users increasingly celebrate Oct. 31 all over the world, Halloween spam reads not only in English, but also in Portuguese, Spanish and even Albanian. To reduce the chance of falling victim of identity theft or being infected with malware this Halloween, users should make sure their antivirus software is updated.

All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

This article is based on the technical information provided courtesy of Ionut Raileanu, Bitdefender Spam Analyst.