Introduction
Every Internet shopper has encountered at least one online store selling “big ticket” items at unbelievably low prices. Users do not need to search far and wide for websites offering generous discounts and, in the process, may discover that in many cases such deals are too good to be true.
Unfortunately, despite their better judgement, many Internet shoppers choose a good deal over good sense.
That pursuit of a good deal often leads shoppers to encounters that involve replica products or merchants who are less than trustworthy. When browsing a local discount store, the shopper is put at very little risk – they get to handle the product and have the option to pay with the protections that come with being in a physical store. Online shoppers, however, do not have such control. Buying online requires shoppers to provide a considerable amount of personal information in order to complete the transaction. This characteristic of the ecommerce ecosystem exposes individuals to cyber threats that might cost much more than a pair of fake luxury sunglasses.
Personal Security Risks
Online shopping is now so commonplace that businesses of all shapes and sizes have an established ecommerce presence. Online shopping experiences are being streamlined so it is easier for shoppers to find products and have them delivered in as little time as possible. As a result, buyers are focused on getting what they need so they can move on with life; they pay very little attention to the actual product details, and focus even less on how much personal information they provide to the seller, all in the interest of having an expedited checkout.
In most online stores, a minimum set of personal details is generally required to complete a transaction, including the following:
- Full name
- Email (for receipt and contact)
- Shipping address (for either personal or gift deliveries)
- Password (when the user is associated with an account)
- Bank card number, expiration date, type and security code
- Billing address
Additionally, it is not uncommon for online stores to request even more data, such as date of birth and answers to security questions for the account.
All of this data puts the shopper at risk, should it be used maliciously or be compromised by a third party. With this information, identity theft becomes easier; the personal information used as part of an online shopping transaction might be enough to provide an attacker with access to online banking or other sensitive services.
Think Twice Before Giving Away Information
Shoppers—whether they are consumers or representatives of large corporations—need to be aware of the risks they face when shopping online. Some risks they could face include:
- The website could be a scam, harvesting personal information and attempting to steal money.
- The website might look genuine, but could be selling fake products and delivering them to customers, while also selling their personal information to third parties.
- The website might operate on a low budget, which implies little-to-no investment in security. Insecure websites can easily be compromised by hackers with ulterior motives. They might use the website to host malware, to host stolen data from other sites or to launch a phishing attack.
Save Your Money While Protecting Your Sensitive Information
Wandera’s Smartwire Labs has discovered numerous websites and apps that fail to protect sensitive information when it is transmitted from a protected device. In some cases, the sites are intentionally malicious, while others are simply putting their users at risk by failing to take preventative steps to protect the data they collect.
Figure 1 shows a screenshot of an online store selling fake glasses of a leading brand. The store is in no way affiliated with the company they claim to represent and, furthermore, none of the data collected is sent to the website in a secure way.
Figure 1
The store once accessible through (now seems to be moved to collected personal information from shoppers, which included:
- First, Last Name
- Password
- Address
- Phone Number
- Credit Card Number
- Credit Card Expiration Date
- Card Verification Value
- Credit Card type
As expected, the credit card information was sent in cleartext, as shown in the request below:
POST /index.php?main_page=fec_confirmation&fecaction=process HTTP/1.1
Host: www.rbdosuper.com
Content-Length: 408
Cache-Control: max-age=0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Origin:
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer:
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8
Connection: close

securityToken=xxxxxxxx&dc_redeem_code=&shipping=flat_flat&shipping=flat_flat&payment=globalpaying&globalpaying_cc_card_type=VISA&globalpaying_cc_number=xxxxxxxxxxxxxxxx&globalpaying_cc_expires_month=xx&globalpaying_cc_expires_year=xx&globalpaying_cc_cvv=xxx&cardNo=&cvv=&expires_month=&expires_year=&mypretime=0&BrowserDate=&BrowserDateTimezone=&BrowserUserAgent=&comments=Awesome+%21
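As an added example (not code from the article or from Wandera), the following proxy-style check parses a raw form POST like the one above and reports card fields that travelled without TLS. The sample request reuses the article's endpoint and field names with constructed placeholder values, and the `tls` flag stands in for whether the capturing proxy saw the request inside a TLS session.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample: the article's endpoint and form-field names, placeholder values;
# 4111111111111111 is a well-known test PAN, not a real card.
SAMPLE_REQUEST = (
    "POST /index.php?main_page=fec_confirmation&fecaction=process HTTP/1.1\r\n"
    "Host: www.rbdosuper.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "securityToken=xxxxxxxx&payment=globalpaying&globalpaying_cc_card_type=VISA"
    "&globalpaying_cc_number=4111111111111111&globalpaying_cc_expires_month=01"
    "&globalpaying_cc_expires_year=30&globalpaying_cc_cvv=123&comments=Awesome+%21"
)
# Field names that commonly carry card data (the article's capture uses several).
CARD_FIELD_RE = re.compile(r"cc_number|cardno|card_number|cvv|cvc|expires?_?(month|year)", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: cheap sanity test that a digit string is a plausible PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = dict(line.split(": ", 1) for line in lines[1:] if ": " in line)
    return lines[0].split(" ", 1)[0], headers, body

def find_cleartext_card_fields(raw: str, tls: bool) -> list:
    """Return (field, reason) pairs for card data in a form POST sent without TLS."""
    if tls:  # inside a TLS session the body is not cleartext on the wire: nothing to flag
        return []
    method, headers, body = parse_request(raw)
    if method != "POST" or "x-www-form-urlencoded" not in headers.get("Content-Type", ""):
        return []
    findings = []
    for name, value in parse_qsl(body):
        digits = re.sub(r"\D", "", value)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append((name, "Luhn-valid card number"))  # catches unnamed PANs too
        elif value and CARD_FIELD_RE.search(name):
            findings.append((name, "card-related field name"))
    return findings
```

Run against the sample, the check flags the card number, both expiry fields and the CVV, and returns nothing for the same body when `tls=True`.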
Currently the domain is suspended and points to an intellectual property infringement notice (Figure 2).
Figure 2
Wandera Smartwire Labs encountered another website, also selling fake sunglasses, this time of another major brand (Figure 3).
Figure 3
The above website also accepts credit card payments and sends all personal information in cleartext, as demonstrated in Figure 4.
Figure 4
Do Not Fall Victim – Use Good Judgement
Online shoppers should use good judgement when looking for a good deal. Some risk indicators to look for when perusing online stores include:
- The “About us” page doesn’t reveal any information about the company behind the website. Usually it is left empty or loops back to the home page.
- A simple search in the popular search engines returns a different website with contrasting content for the same brand.
- When domain registration information is checked, the owner of the website is found to be using a privacy service to hide their identity.
- Registered contact, technical and administrative email addresses are associated with free webmail services.
- The website has been registered recently and is less than a few months old.
- The website offering the less expensive items has a popularity rank that is very low when compared to the one offering genuine products.
- The website is hosted with a company and in a country known for suspicious operations, usually in a location very different from that of the targeted audience.
Remediation and Prevention
Users in general should be vigilant and take extra care before providing any payment information. It is advised that they take the following steps when dealing with an e-commerce website:
- Take care and, if necessary, get in contact with the owners before placing an order of value.
- Confirm the business address with the website owner.
- Check for any contact addresses/e-mails.
- Consult the “About us” page, which should give a brief description of the company.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.