Online Shopping Scams and Why You Fall for Them
Checking email, logging onto Facebook and IMing with friends are all common activities people engage in during break time at the office. But today, social networking may take a backseat to online shopping for holiday gifts. Known as Cyber Monday, the first Monday after Thanksgiving is the day online retailers expect to see an uptick in activity as the population heads back to work, giving them access to work computers and, as a result, an opportunity to start holiday shopping.
According to the National Retail Federation, nearly 107 million people will shop online this Cyber Monday, up from 96.5 million last year. However, research released this month by ISACA, a non-profit global IT governance association, finds while the overall number of online shoppers may be up, people plan to spend less time shopping online from a work-supplied computer this holiday season than they did a year ago. The survey, "Shopping on the Job: ISACA's Online Holiday Shopping and Workplace Internet Safety Survey" finds people will spend about 6 hours shopping from a work computer or mobile device vs. 14 hours in 2009 (Related: Holiday shopping will strain security)
But online shopping is becoming an increasingly risky activity, said John Pironti, security advisor with ISACA and president of IP Architects. While people may spend less time shopping this year, the chances they take are riskier than ever.
"The bigger risk really comes to down to the fact that the adversaries have gotten smarter and better in attack methods and users aren't heeding warnings as much as they used to," said Pironti. (Also see: Social Engineering: The Basics)
Pironti laid out three schemes he predicts users will fall for while shopping this year -- opening up their employer's network, and data, to possible breach.
Scam links on Facebook, Twitter and other social media sites
ISACA's research finds 42 percent of users report accessing social network sites like Facebook from their work-supplied computer or mobile device. If that 42 percent is interested in holiday sales and shopping, they might just be vulnerable to fake links claiming to have information about great discounts.
"We've seen a tremendous uptick in the use of social networking as a portal to transmit bad links," said Pironti. "The hacker community is really taking advantage of the fact that they are able to exploit trust in social networking to have users clicking on their false links."
This year, expect to see fake sites set up by criminals who then send out links about sales and deals which lead to malicious sites, said Pironti. He also says be wary of links from friends claiming to tip you off to a great coupon or sale. Ditto for any link that promises you can win a free iPad, the hot item this year that criminals are using as bait.
Smishing, the technique of using SMS to 'phish' sensitive information from victims, or infect their device with malware, will be hot among the criminal set this holiday season. This year's ISACA survey found that almost half, 47 percent, of those who will be shopping online with company devices will do so using a portable device, such as a notebook computer, tablet or smart phone. But tolerance of corporate controls on mobile devices is growing thin, said Pironti. Instead users are using their own personal devices for work-related business in order to circumvent company policy. Smishing messages often include malicious links and users that fall for them risk infecting their employer's network, too.
"You're seeing a vector of attack on a device that isn't as nearly as well-protected as some of the corporate infrastructure," said Pironti "We are seeing much more use of personal devices these days. And we know very few people with smartphones dont have data plans. What they are doing is essentially creating a bridge between their personal device and their employer. If someone downloads an infected file from an SMS, it could potentially be introduced into their company's network."
Out-of-date browser technology is still a problem in many work environments, said Pironti. Users who have failed to install the newest browsing capabilities are at much bigger risk of landing on a malicious site after a simple typo. One slip on the keyboard could bring you to a site like 'Maky.com' when you are really looking for Macy's site or 'iBay.com' instead of eBay, said Pironti. Often sites with an address that is one letter off from a popular, legitimate site will be designed to look like the site you intended to go to, but instead is filled with bad links.
"Older browsers just aren't as good as filtering that stuff out," he said. "If you are using more current versions, they have built better sandboxes, they have built better controls. We have better ways of detecting these things. But the owness is on user to stay up to current state. A lot of people don't --unfortunately."