CISOs should remind their employees to be extra cautious when shopping online during the Black Friday-Cyber Monday shopping weekend, with shoppers’ enthusiasm and lowered guard creating a heightened risk climate that has already seen many e-commerce sites targeted in Australia and around the world.
A recent analysis of banking Trojan activity by security firm Kaspersky Lab turned up 9.2 million attempted attacks through the end of the third quarter – well ahead of the pace of the 11.2m attacks noted during the whole of 2017.
Online brands in Italy, Germany, the US, Russia and emerging markets were particularly at risk, the firm said, with SpyEye malware alone marking a 34 percent increase in detections over the year earlier.
Some 14 families were found to be targeting 67 consumer e-commerce sites in total. Betabot, for example, was found to be targeting 46 different well-known e-commerce brands – including 16 consumer apparel brands, four consumer electronics brands, and eight entertainment/gaming brands – while Gozi malware was targeting 36 brands including many consumer apparel and electronics brands.
Other frequently found malware families included Panda, Gozi, Zeus, Chthonic, TinyNuke, Gootkit2, and IcedID – all of which are designed to steal credit-card details as they are typed into a shopping site on an infected computer.
“Credential-stealing banking malware is nothing new,” Noushin Shabab, senior security researcher with Kaspersky Lab’s Global Research and Analysis Team, said in a statement. “However, the existence of families hunting for data related to online shopping accounts is perhaps more unexpected.”
“It is easy for a hacker to get to your money through a compromised credit card,” he continued, or “money laundering schemes such as buying things from a website – using victims’ credentials so they look like known customers and don’t trigger any anti-fraud measures – and then selling those items on again.”
‘Click happy’ bargain hunters are distracted and particularly susceptible to compromise during the shopping season, Mimecast principal technical consultant Garrett O’Hara warned, as they are flooded with shipping confirmations, notifications about spot sales, ‘brandjacking’ that directs them to malicious URLs when they click for information about a new product, and fake payment failure emails that request credit card details be re-entered for confirmation.
“Every year we see cyber criminals become more sophisticated,” he explained, “using our trust in well-known brands to bypass our natural suspicions. Consumers are even more likely to have their guard down while bargain hunting and that’s exactly what scammers are banking on.”
“Businesses, similarly, need to be alert to heightened phishing activity and impersonation attacks. Employees taking advantage of sale days may unwittingly lead cybercriminals to a gateway of networks and information.”
The ‘Magecart’ cybercrime syndicate has enjoyed considerable success in placing ‘digital credit card skimmers’ that have, one Flashpoint-RiskIQ analysis notes, infiltrated over 100,000 e-commerce sites, among them those run by British Airways, Newegg and Ticketmaster.
“No matter how diligently consumers strive to protect their credit card and personal information,” Stealthcare CEO Jeremy Samide warned, “organised crime is attacking the places where we shop online.”
Shoppers should watch their credit card statements for small purchases that are often used by criminals to confirm a card’s validity before making a much bigger purchase. They should also take promotional offers with a grain of salt, Samide said.
“A common sucker play,” he explained, is “five-minute surveys enticing you with a chance to win a $25 Amazon gift card. In the unlikely event you win, you have given a third party information you may think is irrelevant but when correlated with other public information on you, it could mean everything.”
The heightened risks during the pre-Christmas shopping season also highlight the importance of securing the cloud services that underpin commerce, social media, and other aspects of the online retail environment, CyberArk ANZ solutions engineering manager Andrew Slavkovic warned.
“Cloud administrators often have elevated rights to sensitive information stored in cloud platforms and web applications, yet their permissions are not always managed by the IT team,” he said.
“This allows users to operate outside of corporate security, potentially exposing the entire organisation to unknown risks. An external attacker or malicious insider who leverages these user credentials could potentially shut down cloud environments, compromise web applications or DevOps tool consoles, steal sensitive customer data or publish inflammatory comments across owned media channels.”