Consumers spent a record-breaking $7.4 billion on Black Friday online goods and this month millions of shoppers will continue to scour the internet and brick and mortar stores for the best deals available. Unfortunately, cybercriminals are also standing by to take advantage of the desire to cash in on increasingly attractive deals, creating tempting clickbait for unexpecting consumers.
The threat landscape has changed dramatically in recent years. Five years ago, running antivirus software, hovering your mouse over links in emails, and making sure your transactions were conducted on a secure site (with a padlock on it), was enough to ensure a safe shopping experience. That is no longer the case. To stay safe this holiday season, Proofpoint has compiled a list of the top six scams that shoppers may encounter.
Fraudulent SSL Certificates
Remember the days of knowing you were secure because you shopped only sites with an SSL certificate and a “padlock” on it? At the risk of telling you something you don’t want to hear – those days are over. Cybercriminals always, always follow the money. Because consumers prefer to spend money on “padlocked” websites, cybercriminals are also ensuring their sites have an SSL certificate (featuring the lock image).
Early in 2019 and continuing into Q3, Proofpoint began seeing a trend towards disproportionately high implementation of secure certificates on fraudulent websites, with over 3x as many fraudulent sites using SSL certificates as compared with all domain sites in Q3. In addition, 26 percent of fraudulent sites used an SSL certificate, up from 20 percent in Q1. For consumers trained to look for a padlock, this has opened an enormous vulnerability gap.
Point-of-Sale (POS) Malware
When shopping online you’re only as secure as the merchant from which you’re buying. We regularly see an uptick in POS malware every November. Malware that resides at the POS terminal can still scrape credit card data which can then be used for fraudulent transactions. While the widespread adoption of chip and PIN technology has reduced the effectiveness of some types of POS malware, fraudulent card-not-present transactions are still possible. Perhaps most alarming, new POS malware has emerged that can calculate authentication codes for chipped cards, making them vulnerable for future transactions. For consumers, the best protections include retaining physical possession of your card, and periodically reviewing your online merchants with access to your credit cards. Proofpoint has recently observed a spike in activity from the ZeusPOS POS malware, suggesting the group may be tooling up for the holiday season.
Social Media / Angler Phishing
While comment spam doesn’t swamp social media platforms like it once did, they can still provide an opportunity for cyberthieves to insert themselves in between you and the company you *think* you’re talking to. For example, if you take to Twitter to ask “@AcmeAnvils” about Cyber Monday, product returns or some other customer care function, you might get a response from @AcmeAnvilsDeals sending you a link to their “Holiday Deals site”. The problem is @AcmeAnvilsDeals might be fake, sending you links to a site that looks legitimate but is actually malicious.
Holiday-themed Scams and Threats
Holidays and major events provide limitless fodder for threat actors to create compelling lures and topic-driven email attacks. For example, last year we saw the threat actors behind the Emotet banking Trojan send a barrage of Thanksgiving-themed malicious spam. The emails contained either attached or linked documents claiming to be holiday themed e-cards. However, those seemingly harmless “e-cards” contained malicious code that installed Emotet.
While Emotet provides a high-profile and particularly dangerous example of a holiday-themed threat, seasonal lures abound. As with all email, recipients should never open attachments or click through links from unknown senders. However, because sender identities can be spoofed, recipients should simply avoid attachments and links if they have any doubts about their safety.
Holiday Deal Email Spam
While cable companies and other ISPs have made great strides in reducing titanic amounts of spam, some still gets through. And for bargain hunters, they can prove irresistible. To lure potential victims in, these emails often use stolen branding and tantalizing subject lines to prompt a clickthrough – often delivering them to pages filled with advertising, potential phishing sites, counterfeit goods and other malicious content. Like you’ve heard your entire life, if something seems too good to be true, it probably is.
Shipping Notification Scams
Be on the lookout for phishing emails that mimic shipping alerts from known brands. These messages often include familiar logos and language to fool recipients into thinking the emails are legitimate. In reality, they are designed to spread malicious software, steal money, and/or trick people into revealing their login passwords.
While attacks like these happen year-round, they often increase during the holiday shopping season – and play on our expectation of great holiday deals, big sales, and email blasts from retailers. Because phishing emails can closely resemble real notifications, it’s important to remain vigilant and carefully check all shipping alerts before clicking a link or downloading an attachment. Always log into trusted sites directly, rather than relying on potentially malicious links included in email messages.
Recommendations
While shopping this holiday season, be sure to be on the lookout for the above threats online and in-stores. The below tips from Proofpoint will help ensure a safe and secure shopping experience for all: