Black Friday and Cyber Monday: Hacks and Scams

BLACK FRIDAY & CYBER MONDAY: Hacks & Scams
Security advice for web merchants, and advice for consumers

In November 2010, the Google search term "CYBER MONDAY DEALS" saw a 400% increase in the number of search requests. Hackers know this and prey on popular keyword searches like "jewelry" and "toys". They create fake sites where they can steal your personal information and credit card numbers.
Source: http://www.google.com/trends

Illustration: iPad 2 on sale now! $199 4HalfPriceFreeDeals.webi, $175 wellknownsite3sf.site, $499 newegg.com*, $250 2good2be.tru
*shown for illustration purposes only, newegg.com is not selling the iPad 2 at that price

Security experts discovered "polluted" results appearing in search engine results for holiday shopping-related terms in advance of 2010 Black Friday sales, the company said.

SHOPPERS TRYING TO SAVE SOME MONEY BY SEARCHING FOR LEAKED BLACK FRIDAY ADS ARE A PERFECT TARGET FOR SCAMMERS.
These links take users to a malicious site that tricks users into downloading malware. - SonicWall UTM Research

Compromised search terms included "Walmart Black Friday Sales 2010", "Black Friday" and "Cyber Monday".

SonicWall identified a two-pronged attack, varying by the user's browser type. A legitimate-looking malicious link leads to a page where embedded JavaScript checks the web browser:
• Internet Explorer: fake virus / malware notification
• Firefox: fake Flash player update
Either path ends with malware or spyware installed.

"Best Buy Black Friday 2010 Deals" was used to push a fake antivirus software called "Internet Security Suite".

Varying the malware attack based on the browser the user is using is a common tactic. The attacker is "maximizing the number of potential victims" by "customizing" the behavior to browser-specific vulnerabilities.

THE SCAMMERS ARE COMING

80 PERCENT OF ANNUAL ONLINE SALES occur in the 4 weeks between Black Friday and the weekend before Christmas.
THESE 4 WEEKS ARE ALSO THE BIGGEST WEEKS FOR THE SCAMMERS & SPAMMERS AS WELL.

SPAM EMAILS
Are going to be coming in greater volume and more frequently. Spammers are getting more sophisticated in their approach and bypassing spam filters.

FREEBIES
May be freebies in the sense that you get free malware. - Jamz Yaneza (Trend Micro)

HOTTEST TOY THIS SEASON
Advertised in a spam e-mail blast for much less than the typical price. Victims end up entering credit card information on malicious sites designed to look like well-known, trusted ones. They might also unknowingly download a keylogger.

SECURITY FOR WEB MERCHANTS

UPDATE YOUR SYSTEM SOFTWARE
If it's a LAMP server, upgrade your Linux kernel, make sure Apache and PHP are up to date, install an updated mod_security rule set, etc.

REMOVE ANY OLD SOFTWARE
If you installed a forum to test out, or tried a different shopping cart and then forgot about it, make sure you remove those now.

UPGRADE ANY FRONT END SOFTWARE
For example your shopping cart software, blog or forum if you have one, etc.

USE A PCI COMPLIANT CHECKOUT SYSTEM
If your site accepts payments online, consider outsourcing your checkout process to a PCI compliant provider like Google Checkout or PayPal.

SCAN YOUR WEB APPLICATIONS
There are numerous free and paid web app scanners that report potential security vulnerabilities.

If you're not familiar with how to do the above, contact your hosting provider for assistance.
After you think everything is ready to go, SCAN AGAIN!

Another thing you can do as a merchant is help educate your customers on good security practices. This is something that can't be said enough.
• Remind your customers that you do not send e-mails with attachments.
• You will never ask them for any personal or billing info via an email.
• Let your customers know you always send your promotional e-mail from the same e-mail address (example: [email protected]).

ADVICE FOR CONSUMERS

UPDATE YOUR SOFTWARE
Security experts recommend making sure your operating system, web browsers and security software are up to date and secure browsing is enabled.

BROWSE ENCRYPTED IF POSSIBLE
CyberDefender suggests using encrypted search, such as Google SSL (https://www.google.com), instead of classic Google (http://www.google.com).
"Look for the padlock icon or a URL that starts with https://" Lavasoft said. "That means your session is encrypted."

USE CAUTION WITH PUBLIC WI-FI
DON'T eagerly use public wi-fi. Be aware that anything you do on public wi-fi networks can be seen by others.

FIREWALL & STRONG PASSWORDS
Security experts note having a firewall and complex passwords can provide an extra level of protection against cybercrime.

UP TO DATE VIRUS SCANNER
With the increase in malware, it's also important to have an up to date virus scanner.

DON'T JUMP AT THAT DEAL
When you get an amazing offer via e-mail think twice before clicking. If a deal seems too good to be true - it probably is (example: you can't buy the iPad2 for $99 and get the second one for FREE).

GO WITH SITES YOU KNOW
or if you're not familiar, ask someone you can trust or do some more research before you decide.

Sources:
http://www.cbsnews.com/stories/2010/11/29/earlyshow/living/parenting/main7098700.shtml
http://www.eweek.com/c/a/Security/Hackers-Target-Black-Friday-Cyber-Monday-Search-Terms-347977/
http://pcicompliantnews.com/2010/11/cyber-monday-is-1-week-away-the-xmas-for-hackers/
http://www.pcworld.com/article/139807/hackers_poised_for_black_friday_assault.html
http://www.foxnews.com/scitech/2009/11/30/shopping-cyber-monday-beware-scams-xmas/
http://www.allstate.com/safety-and-prevention-tips/take-precautions-during-cyber-Monday-online-shopping.aspx

Presented by VERACODE. Developed by: NOWSOURCING.COM

shared by NowSourcing on Nov 21
The holiday season signals the time of year when consumers are often at the highest risk of falling victim to hackers and scammers whose schemes can fool even the most experienced online shoppers. Thi...

Publisher

Veracode

Category

Computers