The holiday season is well underway and so is the shopping frenzy. In an effort to avoid the crowds and save time, many consumers are turning to online shopping. In fact, Adobe’s new, “2015 Holiday Shopping Report,” finds that online shoppers will spend $83 billion dollars this year (up 11 percent from last year), an average of $305 each. That means more than 270 million shoppers will be making purchases online. But as they scour the web for a great deal on that hot new gadget, must-have toy, or latest fashion trend, hackers are also ‘shopping’ for opportunities to launch attacks and collect data they can monetize.
We all know that while hackers are increasingly sophisticated, they are also savvy. They take the path of least resistance to get the job done. Adobe’s research indicates that during the holidays a mere one percent of products, typically electronics and gift cards, drive a whopping 76 percent of online holiday sales. That makes it pretty easy for hackers to focus their malvertising, social media, and email spam campaigns on products that are most likely to attract shoppers’ interest and, thus, increase their chances of success.
Malvertising victims are infected with malware in the course of their normal Internet browsing, either by clicking on an advertisement that directs them to a website that distributes malware, or by a drive-by download without stopping to click or accept any software. In this case an active technology such as Flash or Silverlight is incorporated into the ad, seamlessly redirecting visitors to websites that host exploit kits that push a ‘dropper’ to infect vulnerable systems. Never having clicked on an ad, shoppers have no idea where or how they were infected.
Display ads on social media apps can also host malware. Typically these ads do not incorporate active technologies that can execute a drive-by attack. Using this technique, cybercriminals rely on shoppers to click on these ads that appear to be legitimate but actually direct them to malicious websites.
Email spam uses social engineering tactics to appear to come from well-known online shopping sites and delivery services from whom users commonly receive messages. These emails may include a trusted name and a logo and a call to action that is familiar to recipients, such as a notice about a recent order, or a delivery tracking number. Well-planned and careful construction provides a false sense of security, enticing recipients to click on malicious links contained in the email.
In their holiday report, Adobe also expects that the use of mobile devices for browsing and shopping will continue to rise. Confirming this prediction, Walmart.com said last week that in the few days after Thanksgiving almost half of its orders had been placed through mobile devices – nearly double the amount during the same period the previous year. Mobile traffic now accounts for approximately 70 percent of traffic on the retailer’s site. Shoppers increasingly use their smart phones to compare prices even while in a store. Or they’ll multi-task, taking advantage of a great deal they can’t afford to miss while attending one holiday gathering after another. Unfortunately, most mobile devices don’t possess the ability to block most threats. Part of the problem is that many of these devices haven’t been updated with the latest version of the operating system. Because they lack the security updates for today’s most widespread and persistent threats, they provide hackers with yet another easy path to profit.
So what to do? As an immediate step, there are some best practices that everyone should employ. First, shoppers need to think before they click. Rather than instinctively clicking on display ads or replying to social media promotions or email offers, the safest way to shop this holiday season is by purchasing goods directly from the merchant’s website. Shoppers should also update their operating systems and software on mobile and non-mobile devices to current versions to ensure they have the latest security updates.
On the technology side, all devices should use some sort of ad-blocking software or plug-in to protect against the threat of malvertising. In addition, secure web and email gateways can protect against illegitimate websites and false holiday deals propagated through spam. Finally, advanced malware protection at the network and endpoint can identify threats that are particularly stealthy and bypass these other security layers.
Let’s take the joy out of the holidays for hackers. With increased awareness and a deeper understanding of how attackers go about their ‘shopping’ we can take some relatively simple baseline measures that can go a long way toward protecting against cybercrime this time of year.