The holiday season is the time of year when consumers are at the highest risk of falling victim to hackers and scammers, whose schemes can fool even experienced online shoppers. This infographic advises web merchants and consumers on how to avoid Black Friday and Cyber Monday attacks.
Security Advice for Web Merchants, and Advice for Consumers
In November 2010, the Google search term “cyber Monday deals” saw a 400% increase in the number of search requests.
Hackers know this and prey on popular keyword searches such as “jewelry” and “toys”. They create fake shopping sites that harvest your personal information and credit card numbers.
Go with sites you know. If you are not familiar with a site, ask someone you trust or do more research before you decide to buy.
*Shown for illustration purposes only; newegg.com is not selling the iPad 2 at that price.
Shoppers trying to save some money by searching for “leaked Black Friday ads” are a perfect target for scammers.
SonicWall UTM Research reported “polluted” results appearing in search engine results for holiday shopping-related terms in advance of the 2010 Black Friday sales. These links take users to a malicious site that tricks them into downloading malware.
Legitimate-looking malicious link – SonicWall identified a two-pronged attack that varies by the user’s browser type:
Internet Explorer – fake virus/malware notification
Firefox – fake Flash Player update
Outcome in both cases – installed malware/spyware
Compromised search terms included:
“Walmart Black Friday Sales 2010”
“Best Buy Black Friday 2010 Deals” – this one was used to push fake antivirus software called “Internet Security Suite”.
Varying the malware attack based on the browser the user is running is a common tactic. The attacker is “maximizing the number of potential victims” by “customizing” the behavior to browser-specific vulnerabilities: the same poisoned link serves whichever lure is most likely to work on the visitor’s browser, which the server typically decides from the browser’s User-Agent string. It also means a researcher who fetches the link with one browser (or with a crawler) may never see the payload another browser gets.
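As an added example (not part of the original infographic or SonicWall’s research), the following Python script probes a suspect URL with several browser User-Agent strings and reports whether the content or the final landing host changes by browser, which is how a practitioner would confirm the two-pronged behaviour described above. The User-Agent strings, the lure phrases and the injectable `fetch` hook are assumptions chosen for illustration; with the default fetcher the script can be pointed at a live URL, and with a constructed fetcher it runs offline.

```python
import hashlib
import re
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# Browser identities to probe with (assumed values, chosen to cover the IE/Firefox
# fork described in the text plus a third browser and a search-engine crawler).
USER_AGENTS: Dict[str, str] = {
    "ie8": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "firefox": "Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6",
    "chrome": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}

# Phrases typical of fake-AV and fake-update lures (assumed list; extend as needed).
LURES = ("flash player", "your computer is infected", "security suite", "install now", ".exe")

# A fetcher maps (url, user_agent) -> (final_url_after_redirects, body_text).
Fetcher = Callable[[str, str], Tuple[str, str]]


def http_fetch(url: str, user_agent: str, timeout: float = 10.0) -> Tuple[str, str]:
    """Live fetcher: follows redirects and returns the final URL and decoded body."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.geturl(), resp.read().decode(charset, "replace")


def normalize(body: str) -> str:
    """Remove volatile content (scripts, numbers such as timestamps and nonces,
    whitespace) so ordinary per-request noise is not mistaken for cloaking."""
    body = re.sub(r"<script.*?</script>", "", body, flags=re.S | re.I)
    body = re.sub(r"\d+", "", body)
    return re.sub(r"\s+", " ", body).strip().lower()


def probe(url: str, fetch: Fetcher = http_fetch) -> Dict[str, dict]:
    """Fetch `url` once per User-Agent and summarise what each browser was served."""
    results: Dict[str, dict] = {}
    for name, ua in USER_AGENTS.items():
        final_url, body = fetch(url, ua)
        norm = normalize(body)
        results[name] = {
            "final_url": final_url,
            "digest": hashlib.sha256(norm.encode()).hexdigest()[:12],
            "lures": [phrase for phrase in LURES if phrase in norm],
        }
    return results


def is_cloaked(results: Dict[str, dict]) -> bool:
    """True when browsers received different content or landed on different hosts."""
    digests = {r["digest"] for r in results.values()}
    hosts = {urlsplit(r["final_url"]).netloc for r in results.values()}
    return len(digests) > 1 or len(hosts) > 1


def report(url: str, fetch: Fetcher = http_fetch) -> List[str]:
    """Human-readable lines: one per browser, plus the overall verdict."""
    results = probe(url, fetch)
    lines = [f"{name:10s} -> {r['final_url']}  content={r['digest']}  lures={r['lures']}"
             for name, r in results.items()]
    lines.append("VERDICT: browser-dependent (cloaked) response"
                 if is_cloaked(results) else "VERDICT: same content for every browser")
    return lines


if __name__ == "__main__":
    import sys
    # Usage: python probe.py http://suspect.example/blackfriday   (live fetch)
    print("\n".join(report(sys.argv[1])))
```

Run the probe from a throwaway VM, not a workstation: the whole point is that at least one of the responses may be a malware download. A single matching digest across all browsers is not proof of innocence either, since some kits key on referrer or geolocation rather than User-Agent.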
80% of online sales occur in the four weeks between Black Friday and the weekend before Christmas.
These four weeks are also the biggest weeks for scammers and spammers.
The scammers are coming
Spam emails – Will arrive in greater volume and more frequently. Spammers are getting more sophisticated in their approach and are bypassing spam filters.
Freebies – May be freebies in the sense that you get free malware. – Jamz Yaneza (Trend Micro)
Hottest toy this season – Advertised in a spam e-mail blast for much less than the typical price. Victims end up entering credit card information on malicious sites designed to look like well-known, trusted ones. They might also unknowingly download a keylogger.
Security for Web Merchants
Update your system software – If it’s a LAMP server, upgrade your Linux kernel, make sure Apache and PHP are up to date, install an updated mod_security rule set, and so on.
Remove any old software – If you installed a forum to test out, or tried a different shopping cart and then forgot about it, remove it now. Forgotten installs are rarely patched and are a favourite way in.
Upgrade any front-end software – For example your shopping cart software, blog, or forum, if you have one.
Use a PCI compliant checkout system – If your site accepts payments online, consider outsourcing your checkout process to a PCI DSS compliant provider like Google Checkout or PayPal, so that card numbers never touch your own servers.
Scan your web applications – There are numerous free and paid web application scanners that report potential security vulnerabilities.
If you’re not familiar with how to do the above, contact your hosting provider for assistance.
After you think everything is ready to go, SCAN AGAIN!
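The checklist above can be partly automated. The following Python script is an added example (not from the original article) covering two of the steps for a LAMP host: it lists web-root subdirectories that look like forgotten application installs, and it audits an Apache configuration for the mod_security and version-banner settings the list calls for. The install-marker filenames, the 90-day threshold and the directive patterns are assumptions; the sample configurations and the web root it builds are constructed for illustration.

```python
import os
import re
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Filenames that mark a self-contained web application (forum, cart, blog).
# Assumed list: adjust for the packages you actually deploy.
INSTALL_MARKERS = ("wp-config.php", "config.php", "configuration.php", "settings.php")


def find_stale_installs(webroot: str, max_age_days: int = 90,
                        now: Optional[float] = None) -> List[Tuple[str, int]]:
    """Return (directory, days_since_last_change) for each web-root subdirectory
    that contains an install marker but has had no file modified in max_age_days.
    A live shop, blog or forum writes caches, uploads or logs regularly; a test
    install someone forgot about does not."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    stale = []
    for d in sorted(Path(webroot).iterdir()):
        if not d.is_dir() or not any((d / m).is_file() for m in INSTALL_MARKERS):
            continue
        newest = max(p.stat().st_mtime for p in d.rglob("*") if p.is_file())
        if newest < cutoff:
            stale.append((d.name, int((now - newest) // 86400)))
    return stale


def audit_apache_config(config_text: str) -> Dict[str, bool]:
    """Check raw Apache 2.x / ModSecurity 2.x config text for the hardening the
    list asks for. Commented-out lines are discarded first so a commented
    '#LoadModule ...' does not count as loaded."""
    live = "\n".join(l for l in config_text.splitlines() if not l.lstrip().startswith("#"))

    def present(pattern: str) -> bool:
        return re.search(pattern, live, re.M | re.I) is not None

    return {
        "mod_security_loaded": present(r"^\s*LoadModule\s+security2_module\b"),
        "rule_engine_on": present(r"^\s*SecRuleEngine\s+On\b"),
        "rule_set_included": present(r"^\s*Include(?:Optional)?\s+\S*(?:modsecurity|crs|owasp)\S*"),
        "version_banner_hidden": present(r"^\s*ServerTokens\s+Prod\b")
                                 and present(r"^\s*ServerSignature\s+Off\b"),
    }


# Constructed configurations: the weak defaults beside the corrected settings.
WEAK_CONFIG = """
ServerTokens Full
ServerSignature On
#LoadModule security2_module modules/mod_security2.so
"""

HARDENED_CONFIG = """
ServerTokens Prod
ServerSignature Off
LoadModule security2_module modules/mod_security2.so
<IfModule security2_module>
    SecRuleEngine On
    Include /etc/modsecurity/owasp-crs/*.conf
</IfModule>
"""


def make_demo_webroot(now: float) -> str:
    """Build a throwaway web root (constructed data): a live shop, a forum
    untouched for 200 days, and an old static images directory that is not an
    application and so must not be reported."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {  # directory -> (file to create, age of that file in days)
        "shop": ("config.php", 1),
        "oldforum": ("config.php", 200),
        "images": ("logo.png", 400),
    }
    for name, (filename, age) in layout.items():
        d = Path(root, name)
        d.mkdir()
        f = d / filename
        f.write_bytes(b"")
        os.utime(f, (now - age * 86400, now - age * 86400))
    return root


if __name__ == "__main__":
    now = int(time.time())
    print("stale installs:", find_stale_installs(make_demo_webroot(now), 90, now))
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_apache_config(cfg))
```

Point `find_stale_installs` at the real document root and `audit_apache_config` at the concatenated output of the server’s config files; a directory that shows up as stale is either a candidate for deletion or a candidate for the same patching as the live site.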
Another thing you can do as a merchant is help educate your customers on good security practices.
This is something that can’t be said enough.
Remind your customers that you do not send e-mails with attachments.
Tell them you will never ask for any personal or billing information via e-mail.
Let your customers know you always send your promotional email from the same email address (example: [email protected]).
Advice for Consumers
Update your software – Security experts recommend making sure your operating system, web browsers and security software are up to date and that secure browsing is enabled.
Browse encrypted if possible – CyberDefender suggests using encrypted search, such as Google SSL (https://www.google.com), instead of classic Google (http://www.google.com). “Look for the padlock icon or a URL that starts with https://,” Lavasoft said. “That means your session is encrypted.”
Use caution with public Wi-Fi – Don’t eagerly use public Wi-Fi. Be aware that anything you do on a public Wi-Fi network can be seen by others.
Firewall and strong passwords – Security experts note that having a firewall and complex passwords provides an extra level of protection against cybercrime.
Up-to-date virus scanner – With the increase in malware, it’s also important to have an up-to-date virus scanner.
Don’t jump at the deal – When you get an amazing offer via e-mail, think twice before clicking. If a deal seems too good to be true, it probably is (example: you can’t buy the iPad 2 for $99 and get a second one for FREE).
Fergal Glynn joined Veracode in 2008. Fergal is currently responsible for lead generation activities including content marketing, blogging, search engine optimization, webinar marketing, social media, and optimizing the marketing and sales funnel. Fergal spent his first two years at Veracode as a Product Manager.