Valentine’s Day Scams Attempt to Steal More Than Hearts

As Valentine’s Day approaches, users will likely shop online, send and receive messages and e-cards, and use online dating platforms. However, threat actors capitalize on the season of love, tugging at users’ heartstrings and attempting to steal more than their hearts. They impersonate known and trusted organizations, major brands, contacts such as friends and family, and potential love interests in attempts to steal personal data, financial information, account credentials, and funds.
In the past, threat actors exploited known vulnerabilities found in websites’ digital commerce platforms, such as Magento, WooCommerce, WordPress, and Shopify, or in vulnerable third-party services used by the website. Through web skimming campaigns, they targeted online retailers and shoppers to steal PII and credit card information from e-commerce websites. In a recent campaign, researchers identified a Google Tag Manager skimmer stealing credit card information from a Magento website. This campaign highlights the prevalent use of legitimate platforms to obfuscate and deploy malicious code.
Threat actors have registered legitimate domains to use as bait in Valentine’s Day-themed phishing campaigns. These domains contain keywords such as “valentine,” “love,” “gifts,” or “flowers.” The phishing emails may spoof known and trusted contacts or organizations and have themes of love, gifts, and romance, including offers too good to be true and Valentine’s Day sales or discounts. Unsuspecting victims may encounter more than a romantic surprise as threat actors use social engineering to lure them to click on malicious links, divulge sensitive data, or make fraudulent purchases.
Threat actors also engage in romance scams by creating fake profiles on online dating platforms and posing as potential love interests, building trust with their target to establish a relationship quickly. In a recently reported romance scam, the threat actor built enough trust with their target that the target revealed they were going through a divorce and having financial issues. The threat actor sent purported video footage of a mailed package containing items and thousands of dollars in cash. They also claimed their military ID would be held until the package was released. Later, they informed the target that the package was supposedly stuck at the airport and threatened to extort a fee via PayPal, CashApp, or Zelle.
Additionally, the NJCCIC continues to receive reports of sextortion incidents in which victims are threatened with the release of supposed compromising or sexually explicit photos or videos if they do not pay an extortion demand. Some sextortion threats are not credible, as threat actors are unable to provide proof of such photos or videos.