‘Tis the Season—for a Phishing Frenzy

This year’s online holiday shopping season was kicked off to tremendous fanfare, as deal hunters went crazy last week with record-breaking spending. According to USA Today, holiday sales on Cyber Monday topped $7.9 billion in just the US alone. Meanwhile, mega retailer Amazon reported that Cyber Monday was the single biggest global shopping day in its company history—people ordered more than 18 million toys from Amazon on Cyber Monday and Black Friday combined.

This is just the start of the season, with plenty more online spending on the horizon in the next month. And retailers aren’t the only ones expecting to rake in the money due to all of that online activity.

Cybercriminals and fraudsters are also handily profiting from so much online holiday shopping.

Security experts believe the bad guys will continue minting money through the extremely busy phishing and cyber fraud season that uncoincidentally heats up at the very same time people are logging on to buy gifts for grandma.

“The holidays are not just a time of good cheer, but also of spikes in cybercrime as bad actors go into overdrive. Knowing consumers will be on the hunt for deals and doing their shopping online, bad actors are finding ways to steal payment information,” says Mike Bittner, digital security and operations manager at The Media Trust. “Their methods are legion—from taking over payment pages, to siphoning payment information in transit, to phishing schemes via apps and digital wallets previously considered secure.”

According to threat intelligence experts and security researchers, this holiday season in particular is shaping up to be a doozy of a fraud season as well. Some reports show that phishing and cybercriminal activity is tracking to increase by 60% this holiday season.

Meantime, threat detection firm CiberInt examines dark web activity, and its researchers say that dark web chatter online saw a 200% increase in refund-fraud related activity, a 150% increase in talk about compromised accounts and a 90% jump in fraudster discussions about  eGift cards. 

The firm said that the bad guys had their own brand of Black Friday and Cyber Monday sales, as they bumped up the number of malicious domains and tools offered to criminals hoping to target legitimate shoppers looking for gifts.

More specifically, some security researchers are already fine-tuning their prognostications for massive phishing and fraud campaigns expected in the coming weeks. Security analysts with the Threat Resistance Unit (TRU) at Armor released a report last week that warned security practitioners of a massive malicious phishing campaign that they expect to launch this week and last most of next month which will spoof a major ecommerce retailer and/or package delivery organization with very authentic looking order notification emails meant to entice clicks to a malicious link.

“Computer users need to be especially vigilant during the holidays because the threat actors are intent on stealing as much credit card, banking and personal identifiable information as they can get their hands (on),” says Corey Milligan, senior security researcher with TRU.

Milligan’s team also warned security teams to be on particular lookout for Magecart online card skimming attacks. They report that at least six separate threat groups have been using tactics, techniques and procedures that target shopping cart functionality in content management systems to steal credit card info and that this will be the attack ‘du jour’ this holiday season.

The increase in phishing and fraud during the holidays is a natural consequence of the crooks recognizing that their targets of opportunity multiply due to the sheer volume of shopping activity out there. But probably even more crucial is that they know people are less guarded when they’re seeking out holiday gift deals.

A new survey out from DomainTools last week reported that 62% of shoppers are willing to go with a brand that’s suffered a breach if they can snag a cheap gift on Cyber Monday.

“This year’s respondents were clear that they are willing to overlook previous breaches in lieu of a Cyber Monday deal,” said Corin Imai, senior security advisor at DomainTools.

In all, the study showed that 7 in 10 shoppers seek out Cyber Monday bargains. Even though 90% of those surveyed said they’re aware that the bad guys spoof online retailer domains and emails, 54% admitted they’d fallen victim to these attacks. Almost four in ten shoppers say they still don’t check a promotional email’s address to be sure that it’s really coming from the brand it represents.

“If the deal seems too good to be true, it probably is and, given how sophisticated cyber scammer’s methods have evolved, it’s probably also a ruse for you to part with your credit card information,” Bittner warns consumers, explaining that shoppers have got to be more wary of deals and go directly to the domains of brands they trust if they don’t want to be taken in.

Meantime, retailers must ruggedize their systems and processes to account for the criminal onslaught that’s already on their doorsteps. For example, TRU analysts warn that retailers who want to avoid Magecart attacks should be simplifying their payment pages and dumping as much third-party code as possible, as well as instituting steps like employing content security policy headers.

Bittner agrees that retailers must be proactive for what is shaping up to be a phishing and fraud frenzy.

“Companies that want to protect their brand should continuously monitor all the code that executes on their sites and mobile apps to ensure none violate their digital policies,” he says. “Chances are high that they only know a small fraction of the 50 percent to 95 percent of code in their digital assets provided by third parties.”