Here are a few dangers that will be lurking online this holiday shopping season.
Increased email threat
Spammers and malware distributors have often crafted messages to appear as legitimate messages from the likes of UPS, FedEx, PayPal and many other online shippers and/or retailers. This is such an effective technique, that they use it year round. However, during the holidays these messages can be much more effective. It stands to reason that anyone who is expecting shipping confirmations or payment confirmations will be much more susceptible to these threats and what better time than the holiday season when this is the reality for most people. These messages pose as the real thing but often contain malicious payloads designed to infect your machine.
Despite the fact that these messages look very believable there are some common elements that should not appear in a legitimate shipping or payment confirmation emails. Frequently these messages will include attachments, which should be a red flag to most people. Additionally, if the message directs you to click on a link, you should at the very least ‘mouse-over’ the link to reveal the true destination. Or better yet… just ignore it and navigate to the company’s website directly in the browser.
Cybercriminals use search poisoning tactics when they want to direct users to a hacked web page and infect computers with malware. How? Scammers begin by infecting a website by implanting malicious exploits and then utilize keyword injection to ‘game’ search results. So, when users search for the scammer’s keywords they might come across an infected page, and if vulnerable, malware will begin to infect the device instantly with little or no detection. In the past, cybercriminals used popular product names as key terms. And what better audience for SEO poisoning than eager online shoppers searching for the best product deals?
Pay attention to the sites listed in your search results. If you are looking for a good deal on a new ipad, for example, then be a little suspicious when search results include a link to a blog or some other non-consumer goods website. It’s less likely that someone is having a fire sale on their personal blog and more likely that the blog was hacked into and became a host for the hacker’s malicious code.
This one has been around for a while, but just like mosquitoes in Florida they won’t go away. Each year, our spam and virus filters quarantine millions of malicious e-cards. To the analytical eye, these cards are fairly easy to spot. But to the casual viewer fake e-cards are convincing enough to wreak havoc. E-cards often infect users with Spyware or Ransomware, thereby stealing identities, banking credentials or nearly every file on your computer (as recently illustrated by CryptoLocker).
When in doubt, don’t open it. Some of the tell-tale signs that an e-card is malicious include: unrecognized senders, it contains instruction to take some sort of additional action like opening an attachment and/or it requires you follow a link or download a file.
Shopping from unsecured networks
Many of us seek refuge from the holiday crowds at the nearest coffee shop where we can watch the action while making our gift purchases online. Just be careful where you are when make those purchases. Or more specifically, be careful where you connect to the Internet. If you're connecting to an unsecured public Wi-Fi hotspot, anyone can access your data using packet capture capabilities or a man-in-the-middle attack. Bad guys can collect data like credit card numbers, account logins/passwords, email communications and anything else that they can exploit for profit. And know that unsecured Wi-Fi connections can be found in many public locations these day, including hotels, restaurants, airports or even retail store themselves.
The best thing you can do to avoid this is to browse the web and create a gift list, but wait until you're back home on a secure connection to actually make the purchases. If you do use a public WI-FI, then pay close attention to your address bar to ensure you see the https:// prefix and do not enter personal information unless that connection is being made. Or better yet, use a VPN connection.
Gift card scams and counterfeit products
Cybercriminals love to play the odds and even the small percentage of attacks that are successful often net them millions in profits. Consumers will spend billions of dollars on gift cards this holiday season and the cybercriminals are looking for a small piece of that pie. During the holiday months, there is a large increase in the number of websites pushing these fraudulent items, and many more emails directing you to malicious sites.
Common sense is usually the best deterrent for avoiding counterfeit products since a fifty dollar Rolex is pretty obviously too good to be true. These bogus products can be avoided all together by shopping with reputable retailers and doing some research on the ones you are not familiar with. Also avoid shopping via banner ads and offers in email (unless it’s from a known trusted source).
Author: Troy Gill, senior security analyst at AppRiver.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.