Tomorrow is Thanksgiving, which means only one thing—the glorious chaos we call the Holiday Shopping Season will soon be upon us. Holiday shopping also means a spike in online scams, fraud, and malware, so you need to be aware of the risks and threats, and exercise some common sense to avoid a cyber-Grinch incident.
Intrepid shoppers will line up for Black Friday deals that have spilled over to Thanksgiving Thursday. You can now start your Black Friday shopping between the turkey feast and the pumpkin pie, before the football games are even over on Thanksgiving Day. The definition of “Friday” aside, holiday shopping will officially be underway. Black Friday will be followed by Cyber Monday, and many shoppers will turn to their mobile devices to find great deals, so it’s primetime for cybercriminals.
Rising threat of mobile scams and malware
Black Friday is generally an in-person, brick-and-mortar-store shopping experience, but competition from online retailers and Cyber Monday, combined with the explosion of connected shoppers armed with mobile devices, has changed the game. A report from iovation, a mobile device security and reputation management company, claims that online retail transactions from mobile devices have increased 300 percent over last year. Mobile transactions accounted for nearly one in ten purchases in the most recent quarter, and that number is expected to spike up for holiday shopping.
Gartner predicts mobile payments will skyrocket through 2016—with average annual growth of 42 percent in both transaction value and volume. Gartner analyst Avivah Litan estimates that fraud will account for 1.5 percent of mobile transactions. That may not sound like much, but when you’re talking about millions of transactions, that 1.5 percent equates to tens of thousands of fraudulent transactions.
For the 2012 holiday season, Gartner warns: “Criminals will start attacking mobile devices, primarily by dropping malware hidden in applications that users download to their mobile phones. There is a difference in the level of vulnerability across mobile operating systems, and some mobile app stores are more diligent when it comes to screening.” That last part is essentially code for, “Android is at greater risk of malware attacks than iOS.”
Think twice before you download and install apps—especially new apps designed to help with holiday shopping. Pay attention to the reputation of the developer and the user reviews of the app itself. When you install it, look carefully at the permissions being requested, and abort if your new app seems to require suspicious access to your mobile device.
Use caution when shopping the Web
Whether you’re trying to take advantage of online deals on Black Friday, or fighting the online “crowds” on Cyber Monday, your Web browser is a primary target for holiday cyber attacks.
One common technique of fraudsters is to send out fake emails about cancelled orders or failed deliveries. F-Secure, an antivirus and computer security vendor, explains, “This bait will then entice many to click on a malicious link provided within the email, directing the person to a malicious exploit, commonly referred to as a ‘Blackhole exploit.’”
These scams occur throughout the year as well, but during the holiday shopping season there is a much higher chance that you have actually ordered something or are waiting for a package to arrive, so it’s much easier for attackers to catch you off guard.
While fake emails still frequently contain red flags like obvious spelling and grammar errors, cyber criminals are getting better at making emails and spoofed websites that are virtually identical to the real ones. Your first line of defense is simple: Never (I repeat, never!) click on the link within the email itself. F-Secure recommends that you go to the retailer or shipper website directly, and log in to verify or track your order.
Unfortunately, fake emails with malicious links are not the only thing you have to worry about. The Web browser is one of the most commonly used tools across all computer and mobile device platforms, and attackers know it. A recent report from Kaspersky Lab found that nearly one in four browsers in use are out of date—and therefore potentially vulnerable to known exploits.
A blog post from Qualys CTO Wolfgang Kandek agrees that out-of-date browsers put users at significant risk, but adds that the weak link is often a vulnerable plug-in or extension running within the browser. “Our research shows that the worst plug-in is Java, installed on 82 percent of all tested machines, with over one third of all installations vulnerable, closely followed by Adobe Flash, which is installed on over 67 percent of all tested computers, with 24 percent left vulnerable.”
Attackers can sometimes craft an exploit for a disclosed vulnerability in a matter of hours. It’s always important to keep your browser and plug-ins up to date. As you venture online for holiday shopping, it is particularly crucial that you first make sure your software is fully patched, and that your antimalware software is up to date.