Black Friday will see millions of shoppers heading online to take advantage of deals, but it’s also a major target for cybercrime. So much so that cyber criminals are starting to use tailored approaches to target individual retailers.
A common scam involves using stolen payment cards to buy both items and gift cards from selected retailers – including eBay, Nike, Best Buy, Dell, Samsung, Target and Walmart, says Rafael Amado, senior strategy and research analyst at Digital Shadows. He says criminals are using ‘carding’ tutorials, which are available for $20 to $30 “with specific modules dependent on the retailer they want to target”.
It’s a worrying trend, but this doesn’t mean having to avoid bargains altogether. Here are the top five threats to watch out for – along with some tips on how to stay secure.
This Black Friday, watch out for increased ‘phishing’ email attacks. Sam Curry, Cybereason CSO, warns consumers not to open any attachments or click on links appearing to be from trusted vendors.
“Consumers should be careful of phishing attempts and if they see a good deal on an email, go directly to the store’s website to check,” Cath Goulding, head of cybersecurity at Nominet, says.
As more people do their festive shopping online, an increasing number of phishing scams are disguised as parcel alerts or package tracking links, says Nick Shaw, vice president and general manager of Norton EMEA. “While these purport to be from legitimate logistics providers or major retailers, a quick look at the email address will reveal it’s from [email protected]”
In addition, Jake Moore, cybersecurity expert at ESET, says: “Be very cautious of deals you see on Facebook, Instagram and so on – even if there are lots of ‘likes’ on the post. There are plenty of scams that take advantage of easily accessible and cheap social media advertising platforms.
“By giving unknown sites your credit card details without checking first, you could simply be giving a hacker all of your personal information. That hacker could take advantage of this and rinse your bank account or credit limit.”
Fake websites will no doubt pop up on Black Friday as criminals look to make the most of the shopping frenzy. ‘Ghost’ websites often look exactly like the real thing when they have actually been set up and run by cyber criminals, says Dr Guy Bunker, SVP of products, Clearswift.
This can happen when a user inadvertently types in the wrong address: “Is it Walmart.com, or Wolmart.com? Look out for web addresses that are nearly the same as the one that you know to be right,” Dr Bunker says.
Shoppers need to be vigilant when buying something from the internet, he says: “Look closely at the address of the website and watch out for the padlock to see that it is secure.”
Be wary of downloading any holiday shopping apps, especially outside of Google Play and the Apple App Store, says Paul Bischoff, privacy advocate, Comparitech.com. “Bogus apps, like phishing websites, will try to trick you into entering personal information. They can also request permissions to gain deeper access to your files and device features. If an app belongs to a specific retailer, it should be listed as the developer.”
Raj Samani, chief scientist and fellow at McAfee, says last year saw more than 32,000 malicious Black Friday-themed apps spoofing the branding of global online retailers, according to RiskIQ data. “People need to be aware that these are used by criminals to trick shoppers into entering personal data such as credit card information, contact details and passwords. These apps can also trick consumers into downloading malware – and they’re available in legitimate app stores,” he warns.
He advises people to “stop and take the time to double check an app’s legitimacy before downloading”.
“Go to the retailer’s website on your mobile browser and look for a link to the app from their website. If a deal seems too good to be true, it often is: think before you click and always pay with a credit card when you can. They offer better protection against financial fraud than debit cards.”
Credential-stealing banking malware attacks
“We’ve seen credential-stealing banking malware attacks before, but these are now increasing in number,” says David Emm, principal security researcher at Kaspersky Lab.
“Whereas banking Trojans target mostly individuals of online financial services, some of these malware families are now hunting for data related to online shopping accounts. These Trojans intercept data entered on a shop’s payment page – meaning that cyber criminals are able to take advantage of consumers who are not aware that they are conducting transactions on an infected device.”
He says users need to secure the devices they use to shop online, apply updates to the operating system and applications as soon as they become available – and double check the integrity of an online retailer’s website before entering or downloading any data.
Search engine infiltration and malicious browser extensions
Alongside convincing phishing attempts, a commonly used method around Black Friday is search engine infiltration, says Shaw. This means that when someone searches for “top Black Friday deals”, malicious links may appear in search results. “When visited, these sites will either try to trick people into purchasing goods that are fake or do not ever arrive, or will download malicious software to a device.”
He advises users to “think before you click” and “definitely think before sharing any personal information”.
Fraudsters are also poisoning a variety of websites, online forums and social media platforms with fraudulent phone numbers to scam customers into divulging personal information, says Daniel Cohen, a director at RSA Fraud and Risk Intelligence.
“Perpetrators use a technique known as SEO poisoning to push false information to the top of internet search results. A recent example of this technique involves the publishing of fake customer care numbers alongside legitimate physical locations on Google Maps. Customers searching for business contact information are instead directed to a phone number operated by the fraudster.”
Another threat to be aware of is malicious browser extensions, says Pedro Fortuna, CTO at Jscrambler. “Although people use browser extensions to improve their experience, it’s opened a new door to malware, spyware, cryptocurrency miners, Facebook account hijackers and other malicious extensions that act in ways beyond their remit,” he says.
He thinks the real danger comes from the power that users grant extensions when they install them – including full permission to collect or modify any data exchanged on a website, such as destination account numbers, passwords and phone numbers.
“These extensions will seem apparently legit to the user but they have a hidden agenda. They act silently in the background — the user is not aware that anything is wrong with their browser.”
The best advice is not to use a credit card: instead use third-party payment systems such as PayPal, Google Wallet, Apple Pay or Wepay, experts say. “These payment solutions put a second layer of separation between your credit card information and the site you are doing business with,” says Corey Nachreiner, CISSP, CTO at WatchGuard Technologies.
Paul Vlissidis, technical director and senior advisor at NCC Group, agrees. He says: “Using services such as PayPal, Visa Checkout or Masterpass – or even saving your card details on a well-known website – can be more secure than entering your information each time you make a purchase, as this can prevent online card skimmers from getting hold of your details as you enter them onto a payment page.
“Of course, this should be combined with the use of strong passwords – ideally based on at least three random words – and a password manager.”