While visions of holiday shoppers dance in retailers’ heads, those visions are also on the minds of online marauders.
‘Tis the Season for Online Predators
Net predators are sticking to scams that have made them money throughout the year.
“Over the last 12 months, we’ve seen a return to attachments with innocuous macros in them,” said Kevin Epstein, vice president of advanced security and governance at Proofpoint.
“Macro attacks are a sort of Back to the Future moment,” he told TechNewsWorld.
Unlike macro attacks in the past, though, these are sophisticated, multistage sorties.
Opening a Back Door
For example, a target will receive an invoice with blurred text. It’s blurred for security reasons, the target is told, and the person is instructed to click on the image to activate a macro that will clarify it. The target looks at the invoice, then closes it.
All the while, the macro activated to clarify the text downloads another file. That file won’t harm its host — so it won’t raise any alarms from defense systems — but it downloads a third file that will do harm.
“We have reached a level where criminals are burying their code deeper and deeper to prevent gateway systems from finding it,” Epstein said. “Technology has improved to fool the guards at the gate so you can speak to a person who will open the back door for you.”
Order confirmations are also a fertile target for cyberthieves at this time of year.
“If you get an order confirmation for something you don’t think you ordered, don’t click on anything,” Epstein warned. “Every single link in it will infect you.”
Beware of Friendly People
If you can’t remember if you bought something, Epstein advises going to the retailer’s website and entering your confirmation number, or calling the customer support phone number at the website.
“Do not trust the phone number in the confirmation email. Those numbers don’t go where you think they go,” he cautioned.
“If you call the phone number, there will be some very helpful people on the line who will offer to track your order for you. All they need is your credit card number,” Epstein continued.
You’ll also find some friendly folks at the bogus customer service sites popping up at this time of year.
Fraudsters “watch customer service interactions, and as a bank’s or airline’s customer service goes offline for the day, you’ll see a customer service agent coming from a slightly different Twitter or Facebook account reaching out to you and asking, ‘Did that issue get resolved?'” Epstein said.
“Beware of excessively friendly people,” he warned.
A Time for Extortion
Alert scams also are appearing more often. The alerts declare that your computer has been infected with malware and recommend you go to a website or call a toll-free number for assistance. Often, the result is an infected computer, stolen personal information, and an extortion demand that must be paid if you ever want to seen your data again.
“It’s getting more common to pop up an alert on a Web page,” said Andrew Sudbury, CTO of Abine.
“It’s not new, but I feel like I’m seeing it more than I did last year,” he told TechNewsWorld.
Ransomware continues to be popular. With so much shopping being done online, being denied online access unless you cough up some bitcoins to regain control of your computer can be particularly painful at this time of year.
It can be painful for businesses, too.
“There’s been an uptick of extortion against businesses. It’s something that has a lot of momentum to it,” said Joe Loveless, senior security services manager at Neustar.
“These are rogue organizations that contact businesses and say, ‘Pay us X amount in bitcoin and we won’t attack you.’ We saw some recent examples where companies had paid and were attacked anyway,” he told TechNewsWorld
“At this time of year, companies don’t have a lot latency to deal with it, so it can be very problematic,” Loveless added.
Data thieves also are expected to target mobile phones this holiday season.
“There’s this prevailing wisdom out there than a mobile phone is safer. Even apps that are legitimate apps can be compromised if you use the wrong website,” Proofpoint’s Epstein said.
“There are many free apps out there that pretend to be one thing and may do other things,” he added.
“You may want to open your browser and type the developer’s name into a search engine to see if it has a real website, not just a Twitter feed,” Epstein said.
In addition, when you launch an app, a screen will pop up displaying what the app wants permission to do on your phone. Take the time to read that screen, because the app can be asking to do things unrelated to its core functions.
“The classic example is the flashlight app, which, when you install it, wants permission to access your address book,” Epstein noted. “It’s a flashlight app. Why does it want access to your address book?”
Damper on Shopping Sprees
In the brick-and-mortar world this holiday season, consumers using payment cards will have an extra layer of protection. Most of them have been issued cards that have a chip on them to secure transactions performed with the plastic.
“The credit card industry is rolling out more secure physical credit cards, but they’re not doing anything yet for online transactions,” Abine’s Sudbury said.
“If someone steals your credit card number, it’s harder for them to make a physical duplicate of the card and use it at a Sears or Target, but these days, most of the credit card fraud appears to happen online where that chip doesn’t help you at all,” he added.
Some credit card issuers have sought to curb online credit card fraud by allowing users to create one-time-use credit card numbers. They let you generate a number that can be used for a single transaction. If that number is compromised, it doesn’t matter because its value would have been spent.
Those schemes haven’t been very popular because they’re cumbersome to use. Abine offers such a service that is easy to use, but it requires a subscription to the company’s premium service, and each transaction costs $2, which would be a deterrent to anybody planning an online shopping spree.
Not only will the new PIN-and-chip, or EMV, cards offer online shoppers no additional protection, but many real-world shoppers won’t get any addition protection either, since 70 percent of businesses aren’t EMV compliant.
“For every provider that doesn’t have one of the new credit card machines, they’re still reading track data the old way and they’re susceptible to being defrauded the old way,” said Alex Heid, chief resource officer with SecurityScorecard.
Clinging to old technology is a problem throughout the retail industry, SecurityScorecard noted in a report released last week.
Retailers continue to rely on legacy software systems and misconfigured Web applications to process transactions and store customer data, the report said.
For retail, legacy Web application technologies are in frequent use on large networks, with many still having checkout processes powered by ColdFusion, Classic ASP and PHP, it continued. Attackers know the vulnerabilities for these technologies well.
“One hundred percent of the Web applications that were examined from every retailer had some pretty serious issues,” Heid observed.
“The next big breach of retailers will probably come through their Web applications,” he said. “They’re buying appliances to try and mitigate that, but an obfuscated attack with enough time could worm its way through.”
TECHNEWSWORLD: ‘Tis the Season for Online Predators