Black Friday cyber-attack victims

by Mark Rowe

Online shoppers are more likely to be the victim of cyber-attacks, it’s claimed. E-commerce attacks targeted directly at shoppers have increased by 15pc compared to last year – while retail platform Amazon has released another week of deals in the lead up to the big day, widening the threat landscape, says cyber firm Kaspersky.

Black Friday has become the biggest annual consumer event; most consumers are now aware of the day. A rise in retailer-specific apps and earlier access to deals from the comfort of consumers' homes has encouraged shoppers to favour shopping entirely online, and some people now use smartphones to make purchases during the Black Friday weekend. This increase in online shopping, combined with the heightened – and lengthened – shopping period, means a period of greater risk of cyberattacks, according to a new report from Kaspersky. It says the likelihood of financial phishing attacks increases by 24 per cent compared to the average value throughout the year. Hackers ramp up their activity in the hope that consumers become less vigilant during the hunt for a good deal.

According to Kaspersky, in the first three quarters of 2019, 15 families of financial malware targeted users of popular brands. This year, in addition to the already-known banking families such as Zeus, Betabot and Cridex Gozi, Kaspersky has also identified two new mobile bankers, Anubis and Gustuff. The hackers target e-commerce brands to hunt for user credentials like logins, passwords, card numbers, phone numbers and more. They seize the data from victims by intercepting input data on target sites, modifying the online page content, and/or redirecting visitors to phishing pages – showing a need for shoppers to be extra vigilant, and for retailers to help keep their customers safe.

David Emm, Principal Security Researcher, Kaspersky, says: “As Black Friday and Cyber Monday draw near, shoppers must be on red alert. This is effectively hunting season for cybercriminals, who are on the prowl to steal personal details, card numbers or bank account credentials from unknowing victims.

“With financial fraud at an all-time high, people need to be reassured that their data and personal information is safe, or they will be less inclined to shop online. This is where businesses also have a part to play, stepping back and re-evaluating their IT security strategy to ensure there is a full lifecycle security plan in place, entailing: education for employees, the best defences to protect against attacks, and the most reliable tools for zero-day detection. There are also simple steps that consumers can follow to prevent Black Friday becoming the most dangerous time of the year online.”

Among its advice, the company recommends that you turn on and always use two-factor authentication (such as Verified by Visa, or MasterCard Secure Code).

Comment

Black Friday and Cyber Monday provide cybercriminals with increased opportunities to execute cyber attacks on unwitting shoppers and retailers. Put commercialised sales dates aside, and retailers remain an easy target for cybercriminals looking to steal credentials to make a profit, says Jose Miguel Esparza, Head of Threat Intelligence, Blueliv, a threat detection analytics company.

“From ransom, through to selling sensitive information on the dark web, there’s nothing an attacker wouldn’t do to ensure they get a return on investment.

“Retailers and customers should be vigilant about fraudulent domains and spoofed websites. Web skimming is also now highly prevalent as a means of stealing credit card information and credentials, so shoppers, and retailers alike, should also be wary of payment pages on websites that may have been compromised in order to steal payment information.

“Consumers can be easily caught out through phishing scams directing them to alternate sites and should think before they click, going directly to the retailer’s site rather than via third parties. Consumers should be aware of falling foul of the varying social engineering techniques such as this, pretexting and baiting, whereby baiters may offer users free music or movie downloads if they surrender their login credentials to a certain site.

“Customer data must also be secured using effective security measures such as encryption, and consumers need to ensure they do their part to keep their credentials safe also. Multifactor authentication is a good start but changing passwords and ensuring they don’t use the same one across multiple sites can help prevent attackers wreaking havoc across numerous accounts.

“Retailers of all sizes should keep security front of mind at all times, but particularly as they prepare for increased demand on their website, mobile apps and POS devices. Cybercriminals will use all manner of tactics including malware infections, phishing, DNS hijacking, leaked databases, web skimming and social engineering, so consumers and retailers alike should heed much the same advice to avoid information falling into the wrong hands.”

For businesses, there are two ways to look at cyber risks around Black Friday, said Tim Erlin, VP, Product Management and Strategy at Tripwire. “The first is that, simply because it’s a busier time and more money is flowing through their systems, an attacker will be more likely to target them, hoping for the busyness to serve as a diversion.

“The second way to look at it is from an employee perspective: staff may be shopping online from business-owned assets, thus potentially opening them up to Black Friday scams. For this reason, it would be worthwhile for businesses to focus on education and training on how to recognise scams and phishing attempts.

“Ransomware and other types of malware are also a concern for business around this time of the year. Those that are targeting the business itself ultimately just want the organisation to pay the ransom, which can be avoided by having good incident response measures in place and secure, up-to-date backups.”

© 2024 Professional Security Magazine. All rights reserved.