Holiday Shopping: Don't Add Malware To Your Cart

Black Friday will be here soon to start the holiday shopping season. This is one of the busiest online shopping periods of the year. Specials are announced daily, many require immediate action, and all have short expiration dates. Black Friday and the holiday shopping season is subsequently the busiest period of the year for installing malware.

Ninety percent of all malware requires human interaction to be installed. That means a human needs to open an attachment, click on a link, or otherwise activate the installation. Cybercriminals use three popular techniques to trick people into downloading malware: (1) malvertising, (2) phishing, and (3) spear phishing. Cybercriminals take advantage of the online chaos of the holiday shopping season to launch more attacks and install malware on unsuspecting targets.

"Malvertising" is meant to look like a legitimate advertisement on a legitimate website. Malvertisements are designed to get the viewers attention and encourage a viewer to click. Cybercriminals use the same advertising techniques as legitimate companies to grab your attention. The difference is that once a user clicks on the ad, the malvertisement will download malware, distribute a virus, or send the user to an infected website to capture personal information or run some other malicious program.

In some cases, a cybercriminal will “scrape” a legitimate ad or company logo (i.e. copy the ad and paste it onto their website) in order to look exactly like a legitimate ad. The target’s personal information will be sent directly to the cybercriminal once the information is entered into the website. If the target clicks on a link they are directed to a website run by the cybercriminal.

"Phishing" involves sending an email to as many people as possible, hoping to lure a victim to click on a link. Phishing relies on sheer volume and the recipient’s carelessness. Successful phishing attacks increase during the holiday season simply due to the volume and overall rush of the holiday season.

"Spear phishing" targets a specific victim by personalizing an email to make it appear legitimate. As a result, a spear phishing attack requires some level of preparation to get to know the target. A sophisticated cybercriminal will take the time to carefully understand their target. Some gather information from social media, while others use information obtained from a prior victim.

The keys to a successful malvertising, phishing, or spear phishing attack are believability and timing. Attacks are launched at a time of urgency, hoping to take advantage of some chaos, which leads to a hurried decision or a failure to identify an attack. This is exactly the atmosphere of the holiday shopping period. During this time, consumers are bombarded with ads and email specials that offer great deals but require immediate action and expire quickly.

Malvertising is more successful during the holidays because most ads require the target to act in order to activate a deal. Consumers are required to sign up for notices, create an account, or follow a link. This activity does not raise suspicion because most shoppers, when they click on an ad, expect to be required to act or be redirected to another website. 

Spear phishing works best when the email looks as if it comes from a familiar source. A successful spear phishing attack is disguised as an email coming from a known source such as a person or a company where the target has previously shopped.  A target is far more likely to click on an email from a known source than an unknown source. For this reason, familiarity with a target’s background, such as family status, shopping history, and hobbies, is key.  A cybercriminal with this type of knowledge will help the cybercriminal craft a message that will grab the target’s attention and move them to act quickly. For example, a frequently used tactic is to craft a message advertising the sale of an item that the target recently viewed online. The offer must spark the target’s interest and grab their attention or the target will ignore the email or link.

Nothing can guarantee that you won't install malware this holiday season. However, some steps can be taken to help protect against installing malware.  The main thing is to slow down and remain vigilant.  A good first step is to update all of your system software and anti-virus software before shopping.  While you are shopping look out for:

·      ads that don't look like they were designed by a professional;

·      spelling errors;

·      promises or deals that are too good to be true;

·      ads that don't match your shopping habits or typical search history;

·      a website you frequently shop at that asks for information to establish an account.

If you see an ad for a great deal from a company, instead of clicking on the ad or a link in an email, go directly to the company website and look for the same special offer.   

 

(Sign up for our cyber security blog at the bottom of the page.)