Deck the Halls with Caution: Four Festive Cyber Threats to Look Out for This Season

Dec 05, 2023

December heralds the beginning of the holiday period for many across the world. But when out-of-office notifications go up along with the tinsel, organizations can be left vulnerable. Many cybercriminals don’t take a holiday; instead, they take advantage of skeleton staff and the traditions of the festive period to target organizations. As we wind down to the end of the year, Intel 471 details four critical cyber threats organizations need to be aware of to ensure they remain vigilant.


Savvy cybercriminals know ‘tis the season to launch phishing attacks on victims. Inboxes are inundated with seasonal emails from far-flung contacts, giving phishing emails the perfect place to hide. In the festive fracas, it’s far harder for the recipient to discern benign marketing spam from those concealing harmful content. All it takes is a click and recipients could unknowingly divulge sensitive information or download malware on their system. Whether the threat actor is attempting to harvest credentials for a quick sale on the cyber underground or it’s the first step in a targeted attack against an organization, the effects of a successful phishing attack can be devastating. Verizon’s 2023 Data Breach Investigations Report found that 36% of all data breaches involved phishing, so organizations must invest in training staff to better discern and report phishing attempts before they are impacted by the fallout. It may also be a good idea for organizations to map their attack surface to identify any public-facing company email addresses that may be targeted.

Parcel Delivery Scams

Threat actors also take advantage of the spike in online shopping this time of year to craft emails and texts impersonating courier companies. With so many anticipating the delivery of gifts, they are far more likely to be caught out by a false message. DHL was among the top three impersonated brands for phishing attacks in 2022, taking the second spot in Q4. It’s highly likely the end of 2023 will be plagued with the same threat, with multiple organizations already issuing warnings on the topic. The messages tend to detail an unexpected problem in delivering the package, redirecting the recipient through a malicious link that requests that they enter their login details or card information to correct it. Alternatively, clicking the link may install malware on their system. This can be particularly dangerous if the email has been accessed on a work device or one connected to business infrastructure through a BYOD policy.
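One way a mail or SMS filter could flag the courier-impersonation pattern described above: a courier brand is named, a delivery problem is claimed, and the link resolves to a host outside the courier's own domain. This is an added example, not Intel 471 code; the domain allowlist, lure phrases, verdict names and sample messages are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumption: brand keyword -> domains the organization accepts as genuine.
COURIER_DOMAINS = {"dhl": {"dhl.com"}}
# Assumption: phrases typical of the "unexpected delivery problem" pretext.
LURE = re.compile(r"could not be delivered|delivery (?:failed|problem)|"
                  r"redelivery|customs fee", re.I)
URL = re.compile(r"https?://[^\s<>\"')]+", re.I)

def host_matches(host, allowed):
    """True only for an allowed domain or a true subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)

def score_message(text):
    """Return (verdict, reasons) for one email or SMS body."""
    lowered = text.lower()
    brands = [b for b in COURIER_DOMAINS if re.search(rf"\b{b}\b", lowered)]
    bad_links = []
    for url in URL.findall(text):
        # urlsplit drops userinfo, so "dhl.com@host" resolves to the real host.
        host = urlsplit(url).hostname or ""
        for brand in brands:
            if not host_matches(host, COURIER_DOMAINS[brand]):
                bad_links.append(f"{brand} named, link goes to {host}")
    lure = bool(LURE.search(text))
    reasons = bad_links + (["delivery-problem pretext"] if lure else [])
    if bad_links and lure:
        return "quarantine", reasons
    return ("review" if bad_links else "allow"), reasons

# Constructed sample messages; .example hosts are placeholders.
SAMPLES = [
    "DHL: your parcel could not be delivered. Pay the customs fee at "
    "https://dhl.com.parcel-help.example/pay",
    "DHL notice: redelivery needed, sign in at "
    "https://dhl.com@parcel-help.example/login",
    "Your DHL shipment is on its way: https://www.dhl.com/track?id=1",
    "Our DHL rate comparison: https://blog.example/couriers",
]

def run_samples():
    return [score_message(m)[0] for m in SAMPLES]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(score_message(msg), "<-", msg[:40])
```

The first two samples show why the host is compared by suffix on a dot boundary and parsed rather than string-matched: both URLs contain the text `dhl.com` yet resolve elsewhere.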


The next generation of phishing attacks is highly likely to cause continued disruption this season. The convenience offered by QR codes makes them highly attractive to users, but also an attractive tool for cybercriminals. The trick is known as quishing: rather than a malicious link, threat actors embed a QR code into their chosen medium. Once scanned, unsuspecting victims are taken to a URL that either harvests personal details or hosts malware. Additionally, if an employee follows the code, it may lead them outside of corporate protections, which represents a higher risk.

Intel 471 reporting confirms that this phishing method is trending in the underground, so it’s likely that threat actors will continue to experiment with effective ways to land their attacks during December. As individuals and businesses alike will be transferring money between accounts and seeking discounts for gifts, it’s possible threat actors will craft their quishing emails to mimic financial institutions and online retailers. In fact, Intel 471 recently reported an actor offered to sell a panel impersonating a well-known bank that had the ability to generate QR codes.

Distributed Denial of Service Attacks

Distributed denial-of-service (DDoS) attacks overwhelm a network with traffic so it can’t be accessed by regular users. There are many motivations for these kinds of attacks including financial gain, politics and securing competitive advantage. Many of these attacks are launched via DDoS-as-a-service offerings advertised in the cyber underground, frequently reported by Intel 471, which significantly lower the barrier of entry for committing an attack. December has long been a key time for DDoS attacks because affected businesses have fewer resources on hand to respond and many sites already carry the high volume of network traffic that characterizes the season. Historically, the FBI has timed takedown operations aimed at those supplying DDoS attack services to the month of December in hopes of making these attacks harder for threat actors to carry out. Although retail, gaming and financial institutions are frequently targeted at this time of year, no sector remains safe.

Israel-Hamas Conflict

DDoS attacks are widely used by hacktivists to spread awareness of their political message. The escalation in the conflict between Israel and Hamas has seen a surge in hacktivist activity as groups digitally join the fight in support of both sides. Targets have included public services and organizations in each country, as well as global organizations that have expressed support for either side. It is possible there will be a rise in hacktivist activity beginning Dec. 7, 2023, the Jewish holiday Hanukkah, targeting Jewish-aligned organizations across the world to censure Israel through the disruption of Hanukkah. Dec. 7 also marks two months from Hamas’ surprise attack on southern Israel. It’s possible a further spike in hacktivist activity will be seen on this day from pro-Hamas groups wishing to mark the significance of the date. In addition to DDoS attacks, Intel 471 has also reported on hacktivist groups launching ransomware attacks, claiming to have gained access to critical infrastructure and leaking sensitive military information, putting citizens in greater jeopardy.

Gift Card Fraud

Not only a favorite present to give, gift cards are also a favorite for cybercriminals to exploit. Social engineering tactics have opened up new avenues to expand the crime so cybercriminals see greater return on investment. Fraudsters will contact customers and press them to buy cards by using various excuses that incite a sense of urgency such as paying for outstanding bills, fines or even an employee’s birthday present. Once the victim has purchased the gift card, they will be asked to share the code with the bad actor, who will then strip the money from it. Intel 471 regularly reports on threat actors selling access to gift cards within the cyber underground that the buyer may use for other nefarious purchases or to launder money. Impacted customers often blame the organization and their policies surrounding the activation of gift cards, meaning this type of fraud threatens reputational damage. Fraudulent purchases may also have to be refunded by the organization issuing the card, impacting the bottom line.

Point of Sale Fraud

The boom in retail therapy this time of year also provides threat actors with increased reward when targeting point-of-sale (PoS) systems. Intel 471 has observed threat actors selling unauthorized access to PoS systems, as well as skimming tools for use on physical PoS terminals. Targeting these systems allows access to card details and other personal data, stripping customers of their funds and their trust in the targeted organization. Organizations must keep abreast of the tactics, techniques and procedures (TTPs) cybercriminals are implementing to gain access to their PoS systems. In doing so, they can actively address these vulnerable points before they become a target.

Awareness is Key

While certain threats may be on the rise right now, our advice isn’t just relevant for the holidays. The best thing organizations can do is be aware: of the threats they face, the threat actors who are perpetrating them and how they go about doing so. With this insight, they can ensure that their defenses are already primed against attackers waiting around the next bend.

Intel 471’s cyber threat intelligence is garnered from exclusive sources within the cyber underground. This intelligence is fine-tuned to the organizations we serve to ensure our customers are equipped with the actionable insight needed to protect every aspect of their organization from the impact of a potential cyberattack.