The holiday season has become an unbridled online spending extravaganza, and threat actors have taken notice. For shoppers, what starts out as an attempt to fulfill their holiday shopping checklist for pennies on the dollar can turn into a financial nightmare. For brands, what begins as an event that significantly boosts sales can turn into a security fiasco that erodes the trust between them and their customers and prospects.
Cyber Monday 2017 was the largest online shopping day in history and was mobile’s first $2B day. In 2018, consumers are poised to spend $23.4 billion online during this year’s Thanksgiving holiday weekend, up 19.4% from the same period in 2017. Cyber Monday will again be the biggest online shopping day in history, with $7.8 billion in e-commerce sales.
To capitalize on this influx in spend and site traffic over the holidays, threat actors implement innovative techniques to fool users meant to intercept payments, steal credit card data, phish for sensitive information, and siphon traffic.
You can count on these cybercriminals spinning up fake and malicious web pages and mobile apps related to holiday shopping sales, often leveraging the branding of top e-commerce brands fraudulently. These assets are purpose-built to fool users into entering credit card information, opening them up to potential financial fraud.
Some fake apps contain adware and ad-clickers, or malware that steals personal information or locks the device until the user pays a ransom. Others encourage users to log in using their Facebook or Gmail credentials, exposing sensitive personal information. Malicious web pages often hide in plain sight, using brand names in malicious subdomains or commonly misspelled versions of those names in typosquatting domains to fool people into visiting pages that phish victims, infect them with malware, or redirect them to other malicious or fraudulent pages.
This year, the rise of Magecart, several groups of digital credit card-skimming actors with ties to Russia, adds a new layer of gravity to the holiday shopping cybercrime landscape. Magecart is responsible for large-scale breaches that stole thousands of customer credit cards from sites such as Ticketmaster, British Airways, and Newegg. Newegg was one of the top-10 most trafficked sites in the U.S. over Thanksgiving Weekend 2016 according to Adobe.
If you’re visiting a top e-commerce site this holiday shopping season, it’s crucial to pay attention to detail while shopping online and be aware of your surroundings – there are usually clues that can help you identify something potentially malicious, like an app that requests too many permissions, or permissions that have nothing to do with its purported function. As a brand, it’s important to realize that there are actors out there leveraging your branded terms to target your customers and prospects. It’s up to you to have visibility into the way your brand is being used across the internet so you can help protect your customers and preserve their trust.
Fortunately, there are ways to help reduce digital risk during this holiday shopping season:
1. Ensure that you are only downloading apps from official app stores such as Google or Apple, and be wary of applications that ask for suspicious permissions, like access to contacts, text messages, administrative features, stored passwords, or credit card info.
2. Just because an app appears to have a good reputation doesn’t make it so. Rave reviews can be forged, and a high amount of downloads can simply indicate a threat actor was successful in fooling a lot of victims. Before downloading an app, be sure to take a look at the developer—if it’s not a brand you recognize or has a strange appearance or spelling, think twice. You can even do a Google search on the developer for more clues about its reputation.
3. Make sure to take an in-depth look at each app. New developers, or developers that leverage free email services (e.g., @gmail) for their developer contact, can be big red flags—threat actors often use these services to produce mass amounts of malicious apps in a short period. Also, poor grammar in the description highlights the haste of development and the lack of marketing professionalism that are hallmarks of mobile malware campaigns.
4. Check website addresses after following links on Twitter, Facebook, or other social media channels to be sure you end up on the correct website of the retailer you want.
5. Look for the “S” (the lock) in HTTPS when you visit shopping sites. Beware of shopping sites that do not use HTTPS in their website addresses or do not display the symbol of a lock next to the web address. Secure sites use HTTPS and, without that, you’re dealing with unsecured connections or weak encryption of personal data.
6. If possible, only use credit card information saved in your online shopping account as a payment method. This way, you can bypass typing in your credit card information to avoid it being intercepted by Magecart actors.
7. If you do provide your credit card information, make sure you are in a secure online shopping portal. Sites that ask for it in return for “coupons” or to win “free” merchandise are almost always scams. Also be sure not to provide too much information—sites don’t need your social security number or birthday to make a transaction.
8. Keep a close eye on your bank and credit card statements so you can quickly dispute any suspicious charges. Don’t wait for your bill to come at the end of the month—regularly check your electronic statements for your credit card, debit card, and checking accounts.
Threat actors leveraging significant events, news, and fads as a way to social engineer victims into clicking their links, downloading their apps, or visiting their sites is nothing new and will continue to happen. With the huge increase in traffic to major e-commerce sites over the holiday shopping season and the sheer amount of money these consumers intend on spending, it’s not surprising that criminals spin up these fake apps and infrastructure.
Buyers need to be aware of the dangers they and their families face while shopping for the holidays—if you’re visiting a top e-commerce site or app, threat actors know that you’re planning on spending money, and very likely more money than you usually spend. Meanwhile, online retailers should also heed these warnings to better protect their reputation and extend protection to their consumers. With online fraud, data leakage, and ransomware on the rise, online retailers have ample reason to redouble their focus on how their brands are being used fraudulently by external threat actors across the internet and global mobile app ecosystem to target their customers.
Both consumers and brands can both make sure they’re doing their part to make sure these cybercriminals leave with nothing but coal in their stockings.