Application security, Threat Management, Incident Response, Malware, Network Security, Patch/Configuration Management, Phishing, TDR, Vulnerability Management

Online shopping season promises convenience…and cybercrooks

Monday marks the unofficial start to the online holiday shopping season, and while experts are predicting record-breaking internet sales this year, security researchers are warning that criminals will be prowling cyberspace more than ever before.

Security firms said shoppers should be on the lookout for a variety of threats, including well-crafted phishing emails and other online scams, insecure websites and companies that do not properly disclose their privacy policies.

"It's just a recipe for disaster," Derek Manky, security research engineer at Fortinet, told today. "You have more and more volume. A lot of end-users are joining and not a lot of them are savvy. Meanwhile, the cybercriminals are getting better at targeting these fresh bait."

Online retailers are pulling out all the stops to attract shoppers this year. On so-called Cyber Monday, the day in which workers return to their desks following the extended Thanksgiving holiday, many internet merchants are offering promotions and sales. Their hope is that shoppers will continue to purchase gifts online throughout the season.

This year, some 54.5 percent of office workers with internet access, or 68.5 million people, are expected to shop online – a jump from 50.7 percent last year, according to a BIGresearch survey conducted for, a retail association.

But with this increasing customer base, holiday fraudsters also will be drawn to the web, experts said.

Manky said he expects the gang behind the Storm Worm to be out in full force on Monday – and throughout the holiday season – to launch attacks that either try to infect users with malware or seek to expand the Storm botnet.

"They're getting to be masters at the social engineering practice," he said. "This is something to be definitely concerned about this year. They have a wide audience, as far as zombie PCs go, to launch any attack they wish."

Laura Yecies, general manager of Check Point Software Technologies' consumer division, told that aside from the traditional holiday scams, users should brace for an uptick in well-trafficked websites hosting malware.

"You may have a legitimate site, but it's serving ads and typically the ad server is nothing they can control," Yecies said, adding that these malicious ads could permit drive-by downloads of trojans that do not require any user interaction to install.

Sophos recommends consumers only buy from reputed merchants and never follow links from unsolicited email. Users should also ensure they are using computers whose patches and security solutions are updated and enabled.

In addition, shoppers should read the site's privacy policy to learn how the company protects their personal information, security firms said.

During the holiday season, businesses should make it a weekly priority to remind their users about the risks of the internet, Manky said.

"A corporation can have so many lines of defenses, but when it comes to social engineering, all it takes is one person to visit a compromised site and give away sensitive information," he said.

Online retailers, meanwhile, should be using encryption technology and monitoring their event logs for suspicious activity, according to Sophos.

Mary Landesman, senior security researcher at ScanSafe, said many websites – even the most trusted – are susceptible to exploits, such as cross-site scripting and SQL injection, due to their dynamic makeup.

"Shopping sites rely heavily on AJAX and other Web 2.0 technologies, which offer a more interactive shopping experience," she said. "The downside is that these technologies are more vulnerable."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.