The end of November means the beginning of the holiday shopping season, and this year, a number of security firms are projecting a rise in cyber threats. Not only does Black Friday bring out major deals and early risers, but it is also a time for increased online shopping risks targeting people with decreased suspicion.
Todd Feinman, CEO of New York-based Identity Finder LLC, a company that helps users prevent data leakage, said cybercriminals anticipate the increase in online shopping during the holiday season.
"So many people try to avoid the big shopping lines on Black Friday," Feinman said. "They'll just purchase everything online and when they get back to work on Monday they'll see this huge influx of deals."
Those deals could lead users to malicious webpages that serve up malware or attempt to phish login credentials and other personal data. Enterprises that fail to educate their end users are most at risk, said Feinman.
Feinman and other experts advise computer-savvy consumers to be alert while shopping online. Patrik Runald, senior manager for security research at San Diego, Calif.-based Websense Inc., said SEO poisoning, when cybercriminals get malicious links to appear in search results, could pose a major threat to online shoppers. According to the Websense Labs 2010 Threat Report, 22.4% of searches for all trending search topics or current events lead to malicious websites -- and Black Friday deals will be a trending topic, Runald said.
"It is more likely to get an attack on your PC now while searching current topics like Black Friday than it would be searching for adult content," Runald said. "The bad guys are trying to manipulate search results for the topics people are searching for. Then you are brought to a site that could compromise your computer and install a Trojan to steal login credentials."
After credentials are stolen, hackers will try those username and password combinations with other online institutions. Identity Finder's Feinman said it's imperative to use unique and complex username/password combinations.
"People should use and create unique usernames and passwords for sites that aren't necessarily trusted by them," Feinman said. "A lot of times what hackers are trying to do is harvest usernames and passwords to try in banking institutions, PayPal, and other institutions online."
According to the Websense Threat Report, the number of malicious websites increased by 111.4% between 2009 and 2010. Threats on social networking sites are also becoming more prominent. Websense researchers found that 40% of all statuses on social networking sites have a link in them, and 10% of those links are malicious. With more people joining Facebook and Twitter daily, Black Friday deals, both real and fake, are sure to hit the social networking sites hard, Runald said.
Third-party advertisements also pose a potential threat to users of social networks. Bradley Anstis, vice president of technology strategy for Orange, Calif.-based M86 Security Inc., said social networking sites are gaining more malicious ads daily.
"Email is losing its dominance in the means of business communication and the same holds true in the cybercrime area as well," Anstis said.
Anstis also warns against deals that seem too good to be true. For example, an ad that promotes a pair of designer boots or an expensive piece of clothing for $20 may lead victims to a phishing site or other malicious webpage. Anstis said the amount of cybercrime nearly doubles during the holiday season.
"If it's too good to be true then it probably is," Anstis said. "We're seeing quite a few different sites giving away iPads and things like that. There are so many specials around, so we certainly see that users have a lower level of suspicion. At this time they get so excited about the sales and all these deals, and they just kind of assume that it really is a legitimate deal when a lot of times it's not."
In the workplace, Runald advises lunch break shoppers to use the same caution they would when shopping at home. Go directly to legitimate company websites when shopping for a specific product, but still use caution, because even legitimate websites can be compromised, he said.
"Eighty percent of all malicious websites we find, and we find between 1-2 million every month, are actually compromised legitimate websites," Runald said. "So it could be your favorite shopping site that is compromised, and when you go there you actually get something bad on your PC. Once the company's PC is infected, it could install some sort of bot that creates a backdoor into the computer, and then into the company. It then works through that computer to launch further attacks internally, to look for information on the internal network."