With shopping scams on the rise, watch for these threats

An overview of common holiday shopping attacks, and tips for a safe, secure online shopping experience.

The glorious chaos we call the Holiday Shopping Season will soon be upon us. Holiday shopping also means a spike in online scams, fraud, and malware, so you need to be aware of the risks and threats, and exercise some common sense to avoid a cyber-Grinch incident.

Intrepid shoppers will line up for Black Friday deals that have spilled over to Thanksgiving Thursday. You can now start your Black Friday shopping between the turkey feast and the pumpkin pie, before the football games are even over on Thanksgiving Day. The definition of "Friday" aside, holiday shopping will officially be underway. Black Friday will be followed by Cyber Monday, and many shoppers will turn to their mobile devices to find great deals, so it's primetime for cybercriminals.

Rising threat of mobile scams and malware

Black Friday is generally an in-person, brick-and-mortar-store shopping experience, but competition from online retailers and Cyber Monday, combined with the explosion of connected shoppers armed with mobile devices, has changed the game. A report from iovation, a mobile device security and reputation management company, claims that online retail transactions from mobile devices have increased 300 percent over last year. Mobile transactions accounted for nearly one in ten purchases in the most recent quarter, and that number is expected to spike up for holiday shopping.

Gartner predicts mobile payments will skyrocket through 2016--with an average annual growth of 42 percent for both transaction value and volume each annually. Gartner analyst Avivah Litan estimates that fraud will account for 1.5 per cent of mobile transactions. That may not sound like much, but when you're talking about millions of transactions, that 1.5 percent equates to tens of thousands of fraudulent transactions.

For the 2012 holiday season, Gartner warns: "Criminals will start attacking mobile devices, primarily by dropping malware hidden in applications that users download to their mobile phones. There is a difference in the level of vulnerability across mobile operating systems, and some mobile app stories are more diligent when it comes to screening." That last part is essentially code for, "Android is at greater risk of malware attacks than iOS."

Think twice before you download and install apps--especially new apps designed to help with holiday shopping. Pay attention to the reputation of the developer and the user reviews of the app itself, and when you install it look carefully at the permissions being requested and abort if your new app seems to require suspicious access to your mobile device.

Use caution when shopping the Web

Whether you're trying to take advantage of online deals on Black Friday, or fighting the online "crowds" on Cyber Monday, your Web browser is a primary target for holiday cyber attacks.

One common technique of fraudsters is to send out fake emails about cancelled orders or failed deliveries. F-Secure, an antivirus and computer security vendor, explains, "This bait will then entice many to click on a malicious link provided within the email, directing the person to a malicious exploit, commonly referred to as a "Blackhole exploit."

These scams occur throughout the year as well, but during the holiday shopping season there is a much higher chance that you have actually ordered something or are waiting for a package to arrive, so it's much easier for attackers to catch you off guard.

While fake emails still frequently contain red flags like obvious spelling and grammar errors, cyber criminals are getting better at making emails and spoofed websites that are virtually identical to the real ones. Your first line of defense is simple: Never (I repeat, never!) click on the link within the email itself. F-Secure recommends that you go to the retailer or shipper website directly, and log in to verify or track your order.

Unfortunately, fake emails with malicious links are not the only thing you have to worry about. The Web browser is the one of the most commonly used tools across all computer and mobile device platforms, and attackers know it. A recent report from Kaspersky Labs found that nearly one in four browsers in use are out of date--and therefore potentially vulnerable to known exploits.

A blog post from Qualys CTO Wolfgang Kandek agrees that out of date browsers put users at significant risk, but adds that the weak link is often a vulnerable plug-in or extension running within the browser. "Our research shows that the worst plug-in is Java, installed on 82 percent of all tested machines, with over one third of all installations vulnerable, closely followed by Adobe Flash, which is installed on over 67 percent of all tested computers, with 24 percent left vulnerable."

Attackers can sometimes craft an exploit for a disclosed vulnerability in a matter of hours. It's always important to keep your browser and plug-ins up to date. As you venture online for holiday shopping, it is particularly crucial that you first make sure your software is fully patched, and that your antimalware software is up to date.

Join the CSO newsletter!

Error: Please check your email address.

Tags applicationssecuritymobile securityshoppingbrowserssoftwareholiday seasonbusiness security

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tony Bradley

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place