Shopping securely on Black Friday (and beyond).

Thanksgiving traditionally in the United States marks the beginning of the holiday season. And that, of course, also marks a season of buying and selling, and also of charitable giving. Since so much getting and spending and giving is now online, the security industry has some advice for all of us to keep in mind, from Black Friday this week through Cyber Monday and Giving Tuesday next week, and on into the New Year. Here’s a compendium of advice from the experts. 

A season, alas, of scams.

McAfee this week released the results of its first Global Holiday Shopping Scams Study, finding that “81% of US consumers see an uptick in cybercriminal activity during the holiday season, and 88% of people believe that the use of artificial intelligence (AI) by cybercriminals will have an impact on the amount and types of online scams during the holiday season.” The survey also found that “more than a third (36%) of US consumers have been the victim of an online scam during the holiday season and 75% of those reported losing money as a result. Close to half (49%) of online scam victims lost over $100, while 24% were tricked into handing over $1,000 or more.”

E-commerce web app security issues.

Research from CyCognito has found that 58% of e-commerce web apps collect personally identifiable information (PII), and 28% of these web apps lack a web application firewall (WAF). 2% (approximately 520,000) of e-commerce web apps have at least one critical security issue, and 76% of these security issues are easily exploitable. 2% of these web apps also lack HTTPS.

Black Friday spam (both marketing and scams).

Bitdefender says Black Friday-related spam began surging on November 10th, and has steadily increased over the course of the month. Nearly half (46%) of this spam delivered scams: “Some scam campaigns impersonated big names in retail including Amazon, Walmart, Target, Kohl’s and Lowe’s, while others lured shoppers with huge sales and promotions on luxury bags and accessories (Louis Vuitton, Ray Ban and Rolex) and smart gadgets.”

Fake retail sites spike.

Researchers at Netcraft observed a 135% increase in phony retail sites in October 2023 compared to October 2022: “These fake retail sites include copies of the spoofed site’s authentic logos, trademarks, and products to make the scam more convincing, but that’s not the only technique cybercriminals use. They also host fake retail sites on deceptive domains. This typically involves registering a domain name that is deceptively similar to another (usually well-known) organization. Once again, the aim is to trick users into believing they are interacting with a trustworthy website.”

Threats to look out for.

Researchers at Flashpoint outline six threats to be on the lookout for over the weekend:

1. “Refund Fraud: A significant portion of online sales leads to returned merchandise, with a notable fraction being fraudulent. The increasing trend of ‘Refund-as-a-Service,’ where threat actors facilitate fraudulent returns for a fee, presents a growing challenge. These actors offer various fraudulent refund packages, exploiting retailers’ return policies and customer service processes.
2. “Credit Card and Payment Card Fraud: The retail sector faces the persistent threat of card-not-present fraud. Cybercriminals acquire stolen card data through leaks or by targeting financial records from poorly secured websites. They use this data to fund illegitimate purchases or sell it to other fraudsters.
3. “CMS Access Exploitation: With the rise in online shopping, access to e-commerce content management systems (CMS) becomes a lucrative target. Threat actors exploit vulnerabilities in CMS and website plugins to steal customer information, including payment details. This is especially critical for platforms like Magento and WooCommerce, which have been commonly exploited for financial data skimming.
4. “Gift Card Fraud: The use of stolen credit cards to purchase high-value gift cards is a prevalent form of fraud. Cybercriminals often resell these fraudulently obtained gift cards at discounted prices on deep and dark web forums, making it a two-pronged threat that impacts both revenue and brand reputation.
5. “Social Engineering and Smishing: The holiday season sees a surge in phishing and smishing (SMS phishing) attacks. Cybercriminals masquerade as legitimate retail entities to trick consumers into revealing sensitive information. The rise of such attacks underscores the need for heightened vigilance and consumer awareness.
6. “Merchandise Shortages and Delays: Ongoing supply chain challenges may lead to merchandise shortages and delays, heightening customer frustration. This can result in increased confrontations and potentially violent altercations, necessitating robust physical security measures in retail environments.”

Recommendations for CISOs.

There’s a supply side to online security as well, and CISOs have a strong interest in minimizing the risk of fraud from their side as well. CybeReady recommends that CISOs implement the following actions to defend against cyber threats over the holidays:

• “In-Depth Cyber Risk Assessment: A comprehensive evaluation of digital environments is crucial. This includes checking e-commerce platforms for vulnerabilities like outdated software or unsecured data transfer channels.
• “Tailored Cybersecurity Plan for Black Friday: A specialized approach is necessary given the complex nature of cyber threats during this period. This involves collaboration between marketing and security teams for enhanced website security and authentic customer communication.
• “Comprehensive Automated Data Security and Compliance: Continuous monitoring through automated security tools is essential to detect and respond to threats in real-time. This includes AI-driven systems for unusual access pattern detection.
• “Regular Updates of Web Applications and Plugins: Keeping software updated is key to closing known vulnerabilities and preventing attacks.
• “Promotion of Safe Online Shopping Practices Among Employees: Educating staff about phishing risks and the importance of verifying the authenticity of websites and apps is vital.”

There are no panaceas, but there are useful precautions.

Steve Santamaria, CEO at Folio Photonics, suggests that those responsible for data security be alert during the holidays. They and their systems will be challenged, both directly and indirectly.

“As we step into the 2023 holiday shopping season, it’s a time filled with the promise of joy and cherished moments with family and friends,” Santamaria wrote. “However, for data management professionals across the globe, it also signifies a period of heightened vigilance and increased stress. The reason behind this heightened alertness is crystal clear – the holiday season ushers in a surge of cyber threats, ranging from phishing attacks to ransomware campaigns.” 

He recommends that organizations consider immutable archive solutions as a defense measure. “In response to these challenges, enterprise-scale, immutable active archive solutions have emerged as a critical defense mechanism. These solutions offer a robust suite of benefits that address our cybersecurity concerns. Immutability stands as a formidable defense against data tampering, ensuring data integrity. Robust encryption and comprehensive audit trails bolster security protocols, enabling organizations to surpass stringent compliance requirements. Automated data retention policies simplify information management, while scalability helps to ensure uninterrupted operations during peak holiday traffic. Moreover, sustainability practices align with environmental goals, and unwavering regulatory compliance remains the linchpin of data integrity.”

VPNs can also be useful, but they carry risk, too. Don Boxley, CEO and Co-Founder of DH2i, commented on how their risks might be managed. “Virtual private networks (VPNs) have historically been a staple in securing online communications, but their inherent vulnerabilities and rampant misuse have exposed business organizations and their customers to various risks,” he said. “For example, during peak shopping events like Black Friday and Cyber Monday, cybercriminals have exploited VPNs to manipulate prices, commit fraud, and gain unauthorized entry to areas such as payment systems. In addition, VPNs not only open the door but leave it wide open to network credentials, identity, and credit card theft.”

Boxley went on to explain a role for software-defined perimeters. “To address these challenges, security-focused organizations must deploy Software-Defined Perimeter (SDP) technology as a robust solution that effectively mitigates these risks. SDP adopts a ‘zero trust’ approach, ensuring that trust is not assumed for any user or device. It rigorously verifies user identities and security postures, reducing the risk of unauthorized access, even in the presence of VPNs.”

Beware of social engineering.

Social engineering, the confidence game transmuted for online attack, always increases during the holidays. Vandan Pathak, senior application security consultant at Optiv, observed, “Scammers are going to activate their plexus network of techniques to entice victims with fake promotions. Individuals are highly advised not to entertain any messages or calls they receive which offer them direct holiday discounts. In the past, we have seen individuals fall for these traps frequently and the number is going to increase during the holiday season.”

Seth Blank, CTO at Valimail, struck a mildly ironic note in emailed comments. “Tis the season - with Black Friday and Cyber Monday just around the corner, email marketers are already full steam into their holiday campaigns, and savvy consumers worldwide are preparing to pounce on the seasonal deals,” Blank wrote. “Unfortunately, these times of excitement and joy also open the door to a darker side of the season: fraud, phishing, and other malicious activity preying on that same holiday urgency. And while cybersecurity specialists are diligently working to thwart the efforts of the bad actors, this year is noticeably different.”

There’s been an industry change long in preparation. “Recent announcements from Google and Yahoo are causing the worlds of marketing and cybersecurity to collide as email authentication standards shift from recommended security best practices to non-negotiable email marketing requirements: unauthenticated messages will be rejected,” Blank explained. “In other words, SPF, DKIM, and DMARC authentication protocols are effectively moving from the SOC to the boardroom. It redefines the baseline for email marketing.”

And the smarter organizations aren’t waiting for the new ways to come into force, either. “While official enforcement will start in February, astute marketers are actively collaborating with their cybersecurity peers to update their security posture early. This prepares them for the looming February timeline and provides an avenue to increase trust with their customers and protect their brand's reputation this holiday season. Ultimately, in a landscape where every message counts, aligning with these standards will empower marketers to distinguish themselves, engage their audience effectively, and help ensure that this shopping season is a remarkable success.”