Experts expect exploits abound on Cyber Monday
“Cyber Monday,” the digital equivalent of the brick-and-mortar world's “Black Friday,” is one of the busiest online shopping days of the year. It happens Monday, when most employees return to work for the first time since Thanksgiving.
But with the increased propensity to hit the internet for shopping deals comes an augmented security risk.“Employees doing holiday shopping online from work computers may inadvertently introduce malware into the network,” Randy Abrams, director of technical education at anti-virus vendor ESET, told SCMagazineUS.com on Tuesday.
Having a dedicated PC for employees to use for non-work related purposes can help mitigate some risk, Abrams said.
To prepare for the influx of online shoppers, cybercriminals are creating fake e-commerce sites, hoping to trick users into voluntarily divulging their credit card information, experts said. In addition, rogue anti-virus scams will be prevalent throughout the holiday season.
“We are already seeing a large number of Christmas-themed sites that are hacked or have been deliberately set up to lure people,” Roger Thompson, chief of research at security firm AVG, told SCMagazineUS.com on Tuesday.
Scammers also likely will "poison" search results so that their malicious sites appear near the top of search results for popular terms, Sean Sullivan, security adviser at anti-virus vendor F-Secure, told SCMagazineUS.com on Tuesday.
Consumers can expect to encounter malicious links near the top of search results when searching for products that are projected to be popular this holiday season, such as the video game "Call of Duty: Modern Warfare 2" or merchandise related to the Michael Jackson film This Is It, in addition to the Flip UltraHD Camcorder, Apple's iPod, Nintendo's Wii, or Playskool's Chuck My Talking Truck, Sullivan said.
“The reality is, today most of the threats we see are not viruses, and most of the cybercrime victims aren't victims of malicious computer programs,” Abrams said. “It's social engineering.”
Despite the security concerns, the vast majority of consumers will be shopping online this holiday season, according to a survey released Tuesday by security vendor Sunbelt Software.
MORE: The Better Business Bureau offers 10 tips for safe online shopping here.
In a polling of 650 consumers, 59 percent of consumers said they are concerned about using their credit card online. Despite the security risks, 90 percent said they plan to shop online this holiday season and more than 60 percent said they expect to do so more than they did last year.
Users should be cautious of unsolicited emails hawking sales and free offers, which could be scams that aim to steal credit card information, Abrams said. Before making a purchase online, users should ensure they are shopping at legitimate, reputable websites and be aware that cybercriminals will often post fake positive reviews of their websites in efforts to draw internet surfers there.
“If the deal sounds too good to be true, it's not true,” AVG's Thompson says.
When making a purchase, ensure the address in the web browser begins with "https," meaning sensitive information is being encrypted, before entering credit card data, Abrams said. Moreover, consider getting a credit card with a low spending limit to use exclusively when online shopping.
In addition to targeting consumers, cybercriminals can be counted on to to try to compromise e-commerce merchants this holiday season, Bob Russo, general manager of the PCI Security Standards Council, told SCMagazineUS.com on Tuesday.
As a basic precaution to help protect against network threats, online retailers should monitor network logs on a regular basis – especially during the holiday season, when fraud is expected to be up, experts said.
“Check the logs," Russo said. "If you detect things going on, you can limit breaches. 'Tis the season to be stealing."
The biggest danger for any merchant is storing data, Russo said. Data that doesn't need to be stored shouldn't be, he said. And, data that is being stored should be protected and rendered unreadable so if a cybercriminal gets it, they can't use it.