security news

Consumers
stumbling to the couch in a turkey-induced coma with their laptop or phone in
hand ready to hit the cyber-holiday sales are not alone in being targeted by
cybercriminals.

Retailers and
businesses also may be affected by the dramatic increase in malicious threats that
target shoppers looking for buys on Black Friday and Cyber Monday. This can
include being hit with ransomware and having to make the decision whether or
not to pay up or risk losing sales during the busiest shopping period of the
year.

For
retailers much of the damage done may be to their reputation as malicious actors
generate hundreds of brand and website-specific email scams and fake websites
designed to confuse and entice anxious shoppers.

A study by
Zerofox’s Alpha Team has already identified 61,305 potential scams spread across
26 brands. Brick and mortar retailers are the primary focus with 92 percent of
the campaigns spotted using a store brand in some manner.

“Scammers
likely target brick and mortar retailers in such high quantities because these
kinds of scams will be attractive to a larger pool of consumers and thereby
potential victims. Fewer consumers are in the market for luxury goods and high-end
jewelry than are shopping at large brick and mortar stores that appeal to
multiple price points. Brick and mortar stores also carry a wide range of
goods, from electronics to jewelry, versus stores that only sell one kind of
good,” the report
stated.

The threats
are generally centered on email campaigns that use the one lure every shopper
is interested in, something for nothing. This is usually in the form of a gift
card or coupon, but to obtain these items the shopper/victim is required to
enter some level of information, at the very least an email or physical
address.

The
permanent members of Santa’s naught list also use social media to attract victims.
This is done by creating fake accounts and then loading posts with hashtags
designed to catch a shopper’s eye, such as #blackfriday or #cybermonday.

Some of the
more technical threats involve typsquatting or  creating domains based on popular shopping
sites like Amazon, Apple and Target.

“ZeroFOX
Alpha Team found 124,000 domains that contain the brand name out of the list of
26 selected for this report. The team filtered the 124,000 domains by
Certificate Issuer for legitimate domains,” the security company said.

The massive
uptick in internet traffic also presents an opportunity for attackers and a
danger to corporate entities whose workers may use either company equipment or
its network to make purchases. Tim Erlin, vice president of product management and strategy at Tripwire,
cited a recent Tripwire Twitter survey that found 84 percent of security
professionals are concerned there is not enough security awareness for
consumers to keep them safe online during the holiday shopping season.

“For
businesses, there are two ways to look at cyber risks around Black Friday. The
first is that, simply because it’s a busier time and more money is flowing
through their systems, attackers will be more likely to target them, hoping for
the busyness to serve as a diversion. The second way to look at it is from an
employee perspective: staff may be shopping online from business-owned assets,
thus potentially opening them up to Black Friday scams. For this reason, it
would be worth it for business to focus on education and training on how to
recognize scams and phishing attempts,” Erlin said.

Then there
are the direct threats to business. A retailer, delivery company or distributor’s
worst fear is not being able to operate during this time.

“Ransomware
and other types of malware are also a concern for businesses around this time
of the year. Those that are targeting the business itself ultimately just want
the organization to pay the ransom, which can be avoided by having good
incident response measures in place and secure, up-to-date backups,” Erlin
said.

In addition
to being shut down another huge potential headache is discovering credit card
skimming malware like Magecart residing in a chain’s POS system, noted a Sucuri
study. It could also mean a retailer could be held liable for any fraudulent charges
made on a customer’s card in cases where the cards was not present for the
purchase.

“New
consumer habits, such as buy online, pick up in store (BOPIS), now allow
customers to pick up products at a physical locations after purchasing them on
the retailer’s website – so these transactions become classified as
card-not-present. Unfortunately,
there are still retail merchants that have little to no authentication process
for in-person pickups, making them likely targets for abuse due to a lack of
security controls,” Sucuri said.

There are steps e-commerce
sites and retailers with an online presence can take to protect themselves not only
during the holiday season, but all year long, said Kaspersky.

• Use
  a reputable payment service and keep your online trading and payment platform
  software up to date. Every new update may contain critical patches to make the
  system less vulnerable to cybercriminals.
• Use
  a tailored IT and cybersecurity solution to protect your business and customers.
• Pay
  attention to the personal information used by customers who buy from you. Use a
  fraud prevention solution that you can adjust to your company profile and the
  profile of your customers.

The post Black Friday, Cyber Monday scams are on the loose, businesses need to prepare appeared first on SC Media.