With Black Friday and Cyber Monday almost upon us, several cybersecurity experts have given their advice on the top security threats and how to avoid them.
Sam Curry, Chief Security Officer at Cybereason:
Security Risks:
“1) The increase of online credit card collection imposters over the holidays will be apparent as they do more at this time as people balance year-end holiday finances and fear of debt. Example: The consumer stressing out about a high volume of debt they are carrying on multiple credit cards, might receive an email pretending to be from the credit card company saying their account is overdue and is subject to being shut down unless they make a minimum monthly payment. The unsuspecting consumer gives away their credit card information and other personally identifiable information.
2) Holiday Ransomware- While ransomware infections globally are down considerably over the past 3-5 years and in 2018 there hasn’t been a WannaCry or NotPetya attack, it is still an extremely effective method for hackers to make money. Consumers should understand that the pictures and other assets on their computers increase in value to hackers over the holiday season and this means that consumers are more likely to pay ransoms and panic if Ransomware strikes.
3) Phishing scams online are on a meteoric rise over the holidays, especially driven by deals and rebate offers. Basically don’t open any attachments or click on links appearing to be from trusted vendors you shop with. Go directly to the website of the vendor looking for the sales and deals.”
Advice to Reduce Risks While Online Shopping
“1. Remember to know your liability with your credit card and banking cards that can be used online — impose a voluntary limit or hiatus with your company if you don’t like the liability risk.
2. Also, check all of your bills and receipts online: keep a central family register of purchases for cards that you want to track to reconcile.
3. Default to being suspicious of any inbound calls — worst case, take a case number, record the inbound source number, independently go to the Web and call support before doing anything as a default way to handle these.
4. If a deal looks too good to be true, it probably is…so don’t click on anything. Do feel free to record coupon and discount codes and to go directly to vendor websites with those codes.
5. Avoid downloading anything from questionable websites. Disable pop up ads on your devices by using trusted software. Always verify the vendor, look for typos or common permutations of email addresses.”
Paul Bischoff, Privacy Advocate at Comparitech.com:
“1. Phishing. Expect a lot of phishing emails claiming to be from retailers, banks, and payment processors. They will try to get you to click on links that lead to forgeries of legitimate websites where you enter your password or credit card information. Don’t click on links in unsolicited emails and always check for valid HTTPS before entering any information into a website.
2. Non-delivery scams. You buy something and it never shows up. This often occurs when a scammy merchant claims there is some problem with Amazon or Ebay’s payment system. They’ll try to contact you and extract payment through some other means. Don’t interact with merchants outside of the marketplace’s official channels.
3. Straight up theft. Thieves will be looking to lift packages off your front doorstep to put under their own Christmas trees. Consider using a locked drop box to receive packages, or install a security camera.
4. Digital credit card skimmers. Hackers compromise a website by installing a keylogger on payment pages. When a buyer enters their information, the keylogger records everything typed in and sends it to the hacker. There’s not much an average person can do to spot or prevent this from happening. It’s up to the website to properly secure their payment gateway.”
Todd Peterson, IAM specialist at One Identity:
“The pure eagerness for people to bag the best deals on Black Friday is a huge threat as people may neglect basic security hygiene in a rush to smash through their loved ones’ Christmas lists. Keen shoppers need to realise that ‘easy’ doesn’t necessarily equate to ‘safe’, so having non-essential websites store their passwords or credit card details or using the same password across all online stores is ill-advised. By taking extra measures, such as using a different password for every website, enabling multi-factor authentication or opting in to extra security provided by your bank, for example, it may be extra steps, but the security payoff will be worth it. After all, if it’s more difficult for you as the shopper, it will be more difficult for hackers. Treat personal online transactions the same as you do for work; if it wouldn’t fly with your boss at work, then reconsider.”
Lamar Bailey, Director of Security Research and Development at Tripwire:
“Your inbox will start getting flooded with Black Friday deals soon if it has not already started. Not all of the emails will be legit, as attackers will take valid emails and change the links to point you to malicious sites that may look like the real things. Always check the sender address to make sure it looks normal and instead of clicking on links go to the company website and the deals will generally be on the front page.
Never use your ATM/Debit card for any transactions. If your number is stolen it can take days for the bank to refund the money to your account and even longer to get a replacement card. If you use a credit card and your number is stolen the credit card company will quickly adjust your account and overnight a new card. The best option is to use virtual credit card account numbers from your credit card company. With these you can set a limit and timeline so there is less opportunity for theft.
Make sure your credit is frozen.”
Jack Baylor, Security Threat Researcher at Cylance:
“Avoid “too good to be true” resellers on auction sites such as eBay, especially for computer games or related products such as “Fifa points”. People often put up faked game codes claiming large discounts compared to buying directly from the game manufacturer or the likes of reputable markets such as Steam, Microsoft Store (Xbox1) or PlayStation Store (PS4). Often consumers are left out of pocket with nothing more than a nonsense string of letters and numbers to show for it.”
Tristan Liverpool, Director of Systems Engineering at F5 Networks:
Below are my tips to help prevent cyber security failures this Black Friday:
Tips for consumers:
Consumers should use well-established, trusted websites, which are much easier to find if you avoid shopping via search engines. Signs of flawed authenticity such as wording or formatting errors are symptomatic of fake websites.
Only shop on locations that are encrypted, demonstrated by the ‘https’ prefix in a retailer’s website and a padlock symbol in the browser.
It’s important to keep an eye out for phishing emails. These usually appear to come from a well-known brand and ask for personal or financial information – something a retailer would never normally do.
Consumers should avoid retailers that ask for payments via money order, pre-loaded money card or wire, methods often associated with scammers.
Tips for retailers:
To help detect fraudulent activity, retailers should monitor regular customers and the devices they normally use for purchases. If an alternative device is used, they can challenge the transaction with additional checks.
Retailers must ensure that they can gather enough transactional data, and therefore evidence, to prove the fraudulent nature of a transaction, or its validity in the case of ‘friendly fraud’. Tactics such as using e-signatures or voice verification can help keep high-value transactions secure.
It’s vital to be able to detect new accounts that have been opened on an online retail store that may be used for fraud purposes. This information can be hooked into shared real-time fraud databases to cross-reference known fraud data such as flagged delivery addresses and mobile numbers, as well as highlighting inconsistencies in sales transactions.
Stephen Ritter, CTO at Mitek:
“The National Retail Federation forecasts an increase in holiday sales over 2017, which may be good for the economy, but also may mean a spike in fraudulent activity for online shopping. Consumers need to remain extra vigilant when scoping out the best deals and discounts and only rely on reputable sites that they can trust.
“The good news is that most consumers are already more cautious when it comes to online interactions and aren’t afraid to take extra precautions when shopping online. In fact, 85% of consumers are more likely to interact with websites that have a ‘seal of approval’, indicating that they verified the identity of all users, versus sites that do not.
“This festive season, consumers can protect themselves by checking to see if they are purchasing from a reputable site and actually going to the website itself instead of clicking through pop-up ads and emails. While it may take an extra step, it will save more time and headaches in the long run. Businesses that take the steps to protect consumers are ultimately the ones that will see the most action and ROI.”
Tatyana Sidorina, Security Researcher at Kaspersky Lab:
“The recent incident, which caused the exposure of a large amount of client emails from a popular online shop, is worrying. Emails may seem a small matter compared to the theft of bank details or other data breaches, but this sort of information is in fact precious for scammers.
“It’s important to understand that any personal data can be used by cybercriminals to target their victims. For example, if criminals compromise a company and get hold of their customers’ email addresses, they can create an automatized spam mailout that mimics an authentic email, and entices users to follow a malicious link or download a malicious file onto their devices.
“Now is the time to be extra careful. The world is heading into the busiest shopping season of the year, starting with Black Friday, and people are hurrying to bag fast-disappearing exclusive deals from the tons of e-mails in their mailbox. It’s becoming quite common for people to thoughtlessly compromise their bank accounts by following a phishing link and entering their bank credentials. It’s all too easy to do so. In fact, our research shows that malware designed to steal data from online banking and payment accounts has extended its reach to target online shoppers: in the first eight months of 2018, we detected 14 families of malware like this, targeting 67 different popular consumer brands around the world, including big online retail platforms.
“Amazon sent out a warning as soon as the leak was exposed. And, although Amazon’s actions have been criticized for a lack of technical detail and a recommendation not to change users’ passwords, it’s great that the company’s representatives didn’t hesitate to warn their customers about possible threats, asking them to be on the lookout to minimize possible damage.”
To keep yourself safe from fraudsters this Black Friday, Kaspersky Lab recommends taking the following precautionary measures:
Always check the link address and the sender’s email to find out if they are genuine before clicking anything – very often phishers create URLs and e-mails that are very similar to the authentic addresses of big companies, yet differ from them with one or two letters.
To make sure you follow a correct link, do not click on it, but type it into your browser’s address line instead.
Do not enter your credit card details in unfamiliar or suspicious sites and always double-check the webpage is genuine before entering any personal information (at least take a look at the URL). Fake websites may look just like the real ones.
If you think that you may have entered your data into a fake page, don’t hesitate. Change your passwords and pin-codes ASAP. Use strong passwords consisting of different symbols.
Never use the same password for several websites or services, because if one is stolen, all of your accounts will be put at risk. To create strong hack-proof passwords without having to face the struggle of remembering them, use a password manager such as Kaspersky Password Manager.
To ensure that no one penetrates your connection to invisibly replace genuine websites with fake ones, or intercept your web traffic, always use a secure connection – only use secure Wi-Fi with strong encryption and passwords, or apply VPN solutions that encrypt the traffic. For example, Kaspersky Secure Connection will switch on encryption automatically, when the connection is not secure enough.
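The first recommendation above, checking whether a link or sender address differs from a genuine one by one or two letters, can be automated in a mail filter or browser helper. The following Python is an added example, not code from Kaspersky Lab or this article; the trusted-domain list, the function names and the sample addresses are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the shops and payment sites a user really deals with.
TRUSTED_DOMAINS = {"amazon.com", "ebay.com", "paypal.com"}


def edit_distance(a, b):
    """Levenshtein distance: single-letter inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def host_of(address):
    """Host of a URL, or the domain part of a bare e-mail address."""
    address = address.strip().lower()
    if "://" in address:
        host = urlsplit(address).hostname or ""
    else:
        host = address.rsplit("@", 1)[-1]
    return host.rstrip(".")


def classify(address, trusted=TRUSTED_DOMAINS, max_diff=2):
    """Return ("trusted" | "lookalike" | "unknown", matched trusted domain or None)."""
    labels = host_of(address).split(".")
    # Every suffix with at least two labels: "a.b.c" -> "a.b.c", "b.c"
    suffixes = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for s in suffixes:
        if s in trusted:                 # exact domain or a subdomain of it
            return ("trusted", s)
    # Closest trusted domain; a distance of 1..max_diff means "one or two letters off".
    dist, domain = min(((edit_distance(s, d), d)
                        for s in suffixes for d in sorted(trusted)),
                       default=(max_diff + 1, None))
    # A legitimate shop with a similar name is flagged too: treat "lookalike"
    # as "verify by hand", not as proof of fraud.
    return ("lookalike", domain) if dist <= max_diff else ("unknown", None)


if __name__ == "__main__":
    for sample in ("https://www.amazon.com/deals", "http://amaz0n.com/blackfriday",
                   "deals@paypa1.com", "https://secure.arnazon.com/login"):
        print(sample, "->", classify(sample))
```

An "unknown" verdict only means the address is not close to anything on the list; it says nothing about whether the site is safe.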
Javvad Malik, Security Advocate at AlienVault:
“For consumers, the biggest danger from retail cyberattacks is loss of personal information, such as their Social Security number, date-of-birth, and home address. This information can be used to take control of their assets as well as be sold on black markets like the Dark Web. The best advice for consumers is to more regularly monitor credit, debit and ATM card activity for fraudulent transactions and immediately report anything suspicious.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.