stumbling to the couch in a turkey-induced coma with their laptop or phone in
hand ready to hit the cyber-holiday sales are not alone in being targeted by
businesses also may be affected by the dramatic increase in malicious threats that
target shoppers looking for buys on Black Friday and Cyber Monday. This can
include being hit with ransomware and having to make the decision whether or
not to pay up or risk losing sales during the busiest shopping period of the
retailers much of the damage done may be to their reputation as malicious actors
generate hundreds of brand and website-specific email scams and fake websites
designed to confuse and entice anxious shoppers.
A study by
Zerofox’s Alpha Team has already identified 61,305 potential scams spread across
26 brands. Brick and mortar retailers are the primary focus with 92 percent of
the campaigns spotted using a store brand in some manner.
likely target brick and mortar retailers in such high quantities because these
kinds of scams will be attractive to a larger pool of consumers and thereby
potential victims. Fewer consumers are in the market for luxury goods and high-end
jewelry than are shopping at large brick and mortar stores that appeal to
multiple price points. Brick and mortar stores also carry a wide range of
goods, from electronics to jewelry, versus stores that only sell one kind of
good,” the report
are generally centered on email campaigns that use the one lure every shopper
is interested in, something for nothing. This is usually in the form of a gift
card or coupon, but to obtain these items the shopper/victim is required to
enter some level of information, at the very least an email or physical
permanent members of Santa’s naught list also use social media to attract victims.
This is done by creating fake accounts and then loading posts with hashtags
designed to catch a shopper’s eye, such as #blackfriday or #cybermonday.
Some of the
more technical threats involve typsquatting or creating domains based on popular shopping
sites like Amazon, Apple and Target.
Alpha Team found 124,000 domains that contain the brand name out of the list of
26 selected for this report. The team filtered the 124,000 domains by
Certificate Issuer for legitimate domains,” the security company said.
uptick in internet traffic also presents an opportunity for attackers and a
danger to corporate entities whose workers may use either company equipment or
its network to make purchases. Tim Erlin, vice president of product management and strategy at Tripwire,
cited a recent Tripwire Twitter survey that found 84 percent of security
professionals are concerned there is not enough security awareness for
consumers to keep them safe online during the holiday shopping season.
businesses, there are two ways to look at cyber risks around Black Friday. The
first is that, simply because it’s a busier time and more money is flowing
through their systems, attackers will be more likely to target them, hoping for
the busyness to serve as a diversion. The second way to look at it is from an
employee perspective: staff may be shopping online from business-owned assets,
thus potentially opening them up to Black Friday scams. For this reason, it
would be worth it for business to focus on education and training on how to
recognize scams and phishing attempts,” Erlin said.
are the direct threats to business. A retailer, delivery company or distributor’s
worst fear is not being able to operate during this time.
and other types of malware are also a concern for businesses around this time
of the year. Those that are targeting the business itself ultimately just want
the organization to pay the ransom, which can be avoided by having good
incident response measures in place and secure, up-to-date backups,” Erlin
to being shut down another huge potential headache is discovering credit card
skimming malware like Magecart residing in a chain’s POS system, noted a Sucuri
study. It could also mean a retailer could be held liable for any fraudulent charges
made on a customer’s card in cases where the cards was not present for the
consumer habits, such as buy online, pick up in store (BOPIS), now allow
customers to pick up products at a physical locations after purchasing them on
the retailer’s website – so these transactions become classified as
there are still retail merchants that have little to no authentication process
for in-person pickups, making them likely targets for abuse due to a lack of
security controls,” Sucuri said.
There are steps e-commerce
sites and retailers with an online presence can take to protect themselves not only
during the holiday season, but all year long, said Kaspersky.
a reputable payment service and keep your online trading and payment platform
software up to date. Every new update may contain critical patches to make the
system less vulnerable to cybercriminals.
a tailored IT and cybersecurity solution to protect your business and customers.
attention to the personal information used by customers who buy from you. Use a
fraud prevention solution that you can adjust to your company profile and the
profile of your customers.
The post Black Friday, Cyber Monday scams are on the loose, businesses need to prepare appeared first on SC Media.
months after DiBella’s Old Fashioned Submarines was notified by the FBI and
credit card companies of a data breach the sandwich shop chain has issued a
notice informing its customers of the incident.
reported its stores in Connecticut, Indiana, Michigan, Ohio, New York and
Pennsylvania may have had the information on as many as 305,000 payment cards
compromised. DiBella’s said it was informed by the FBI and its credit card
firms on August 27, 2018 of the data breach and that Fin7 were the likely
actors behind the attack gaining access to the company’s payment card data and
of the locations were victimized between March 22, 2018 and December 28, 2018
with its Cranberry, Penn. store possibly being hit as early as September 2017.
The customer data involved included individual names, payment card numbers,
expiration dates, and CVV numbers, DiBella’s
has not yet returned an SC Media inquiry into why the company waited until now
to disclose the issue.
does not know which individuals were impacted and said it has not received any
customer complaints about their payment cards being misused. But it is warning
anyone who visited the locations in questions to
aka the Carbanak gang, were caught by law enforcement starting in January and
June of 2018. In August 2018 the U.S. Department of Justice made public arrests
of the three Ukrainian men who allegedly were key players in the cyber gang. However,
the arrests did not stop other members of the gang from continuing their activities.
notice said the malware found on the company’s system ties the attack to Fin7.
The post Fin7 behind DiBella’s data breach affecting 305,000 cards appeared first on SC Media.
The Catch Hospitality Group is notifying customers of its New York City restaurants of a POS malware incident that may have compromised their payment cards.
Catch NYC (including Catch Roof) and Catch Steak had payment card skimming malware injected into the POS systems in use at the restaurant bars that searched for track data which could include cardholder’s names, card number, expiration date and internal verification code. The mobile POS devices the wait staff uses at the tables were not affected as these use point-to-point encryption to communicate with the corporate payment network, Catch reported.
The issue at
Catch NYC (including Catch Roof) lasted from March 19, 2019 through October 17,
2019 and at Catch Steak from September 17, 2019 through October 17, 2019.
security firm has removed the malware, which was not named, and enacted additional
Catch did not reveal when the malware was discovered.
The post Catch NYC, Catch Steak hit with payment card skimming malware appeared first on SC Media.