Industry Trends
By Aamir Lakhani – Cybersecurity Researcher for Fortinet’s FortiGuard Labs | November 24, 2022
The upcoming holiday shopping season is already expected to pose more challenges than the last. Shoppers are expected to descend upon e-commerce as many sought-after items could be in short supply. As a result, both consumers and retailers must be especially wary of opportunistic scammers who will offer too-good-to-miss deals in order to steal sensitive information and profit off their victims’ losses.
While many of us are readying our credit cards, you will also want to take some extra time to consider who might be able to access the data you’re handing over. Cybercriminals will be especially active this year, ready to launch an attack wherever they see an opening. From phishing scams to malicious applications, they’re waiting for unsuspecting shoppers to be lured into their traps—which means the best way to mitigate risk is by remaining vigilant. A world of Cybercrime-as-a-Service (CaaS) is growing at a fast pace, which means shop with care.
Shoppers Relying on E-Commerce This Holiday Season
In past years, many shoppers have switched to e-commerce as the method of obtaining the clothing, electronics, household items, toys, and other gifts they seek. And while we have seen a steady increase in online shopping over the years, this year’s holiday shopping could beat previous records.
Meanwhile, in the background, cybercriminals are simultaneously planning their attacks. And they’re expecting opportunities related to holiday shopping to be equally profitable.
Internet Safety: Considerations for Safe Online Shopping
This Cyber Monday, shoppers should prepare for both traditional online shopping risks as well as new timely e-commerce threats. We’ve outlined some of the most important ones below, along with some best practices to avoid falling victim to them:
3 Most Common Cyber Monday Threats
- Public WiFi: Shopping at home on a private network is one thing. However, you may want to think twice before making online purchases using a public WiFi connection from a coffee shop, mall, or grocery store. Cybercriminals more frequently hack these networks to intercept your data. They may even camp out in public areas, broadcasting a hotspot labeled “Free Public WiFi” that, when an unsuspecting visitor connects, can be used to capture all of the traffic moving between the device and an e-commerce site (or any website, really). Avoid public WiFi if possible unless you have a secure VPN connection, and wait until you are home to connect to a secure, trusted network.
- Fake E-Commerce Sites: Plenty of fake shopping sites emerge during the holidays, designed to lure consumers into providing credit card or personal information by offering impossible-to-beat deals or access to hard-to-find items that, in reality, don’t exist. If you’re visiting an e-commerce site for the first time, do some research to verify its legitimacy before making a purchase. Look up reviews across the internet, make sure the company has a physical address and phone number listed, and stay away from sites that require direct payments from your bank, wire transfers, or ask for gift cards as a form of payment.
- Credit Card Skimming Software: Credit card skimmers aren’t limited to physical retail stores—they can be found online, as well. Point-of-sale (POS) RAM scraping malware has become increasingly popular among cybercriminals in recent years. First, attackers must gain access to a point-of-sale system, such as a shopping cart application. They then infect the host with malware designed to scrape credit card data from the source. The transaction still goes through, but all of the credit card information is also collected. As a consumer, it’s not always easy to avoid credit card skimmers but the majority of large, reputable retailers now have measures in place (like a web application firewall) to prevent them.
Emerging Threats
- Web-Based Malware: Consumers should be mindful of suspicious websites or advertisements that direct them away from whichever trusted site they’re browsing or that lure them with enticing deals. In some cases, all it takes is a momentary visit to a malicious webpage to infect your device.
- IoT and Router Attacks: While not directly related to Cyber Monday, exploit attempts against consumer-grade routers and IoT devices continue. Many people are still working remotely this holiday season, and those who may be looking to upgrade their home offices or other at-home technology should take network security into consideration before making purchases. While hacking the data on your smart thermostat, for example, isn’t really the problem (threat actors aren’t really interested in how warm you keep the house in the winter), they could employ reconnaissance hacks to discover your passwords for your corporate WiFi network or your login credentials for automatic online purchases.
- Hijacked Online Services: We continue to see cyber criminals exploit streaming entertainment accounts. Oftentimes, account information is stolen and then listed for sale on Dark Web black market sites. If you’re gifting a streaming subscription to a family member or signing up to take advantage of a Cyber Monday promotion yourself, remember to monitor remote usage, such as notices about unfamiliar logins to your subscription service, and contact the provider if you notice any suspicious activity.
Promote Safe Online Shopping Habits
The best way to avoid falling victim to a Cyber Monday attack is to practice safe online shopping habits. Use common sense when browsing online and stick to trusted retailers for holiday deals and promotions. And when you make those purchases, keep in mind that credit cards offer built-in consumer fraud protection!
While the ability to purchase goods, send gifts, and connect to loved ones over digital networks is incredibly valuable, it’s important to understand that these conveniences are not free of risk. Rather than getting caught up in the rush and excitement of Cyber Monday shopping, take a moment this year to pause and revisit cybersecurity best practices and brush up on some free cybersecurity awareness training. And don’t forget to pass on your knowledge to your friends and family, as well. This way, we can all enjoy a safe and relaxing holiday season.
Find out more about how Fortinet’s Training Advancement Agenda (TAA) and Training Institute programs—including the NSE Certification program, Academic Partner program, and Education Outreach program—are helping to solve the cyber skills gap and prepare the cybersecurity workforce of tomorrow.