Now that we’ve officially entered the holiday season it’s time to be especially mindful of the ways that an attacker may use this to their advantage. In fact, recent Carbon Black data noted a 20.5% uptick in attempted cyberattacks during the holiday season.
If you’re looking to find the best possible deal for a gift, your best bet is to use well-established websites (amazon.com, for example) instead of simply searching across the web. Web threats may use black hat SEO (search engine optimization) strategies to push their malicious websites to the top of your search results. Basically, this involves things like keyword stuffing, invisible text, doorway pages, adding unrelated keywords to the page content, or page swapping (changing the webpage entirely after it has been ranked by search engines). These techniques are typically used by an attacker looking for a quick financial gain rather than a long-term one… which fits perfectly into the month or two right around the busiest shopping time of the year!
Also, keep in mind that if you find a fantastic deal (after doing some of the aforementioned web searches), it is likely too good to be true. A great toaster for $10, sure, but an iPad… nope. You’re going to find some amazing discounts and half-off promos, but do you really want to trust a website that you just found while hunting around? If you’re at this point of decision, hold on for a few minutes and do some separate research on the site you’ve found – comments, reviews, anything.
If you’re big into doing your holiday shopping from a mobile or tablet device, your best bet is to simply use an app instead of a browser. Most legitimate websites will have an associated app that you can download and install. This should help reduce the chance of running into web threats and sets you up for a more secure transaction. Using the Amazon.com app can help you avoid seeing sites like the following.
(Hint: it’s not actually Amazon.com!)
Many people like to donate, especially around the holidays, and this is a good thing… but the Grinches of the world also know this. They’ll send phishing e-mails out to large audiences claiming to be the Salvation Army or Red Cross, with a helpful link for you to go donate… to them. Or they might send an attachment with a helpful form to fill out, but that PDF may contain malware.
Along the same lines, be sure to look out for organizations that say they are charities but are purely scams looking to take your money.
Holiday-Themed E-cards & Attachments
You’ll most likely get an e-mail or two from a friend or relative regarding the holiday theme. Maybe they have a nice setup of Christmas lights on their house (a friend of mine just did this very thing) and they want to show you. But keep in mind a malicious individual would love to show you their holiday theme, too.
While most holiday-themed phishing appears to be for-profit, there can also be targeted attacks. Check out an example, noted by our Threat Analysis Unit, of a FedEx phish received during a key holiday shipping timeframe:
Fake Invoices & Shipping Notices
You’re probably going to order a bunch of gifts this year online and this typically means you’ll have these items shipped to your home. Be on the lookout for all kinds of fake invoices for things you may or may not have ordered. They’ll typically come in as an attachment to an e-mail, and they will likely entice you to confirm some “last minute” details or perhaps say that whatever-you-ordered is out-of-stock. The whole idea here is to get you to come to them based on something that looks totally legitimate. The attachment may have malware contained in it or the e-mail itself may have a link that you must resist clicking on. In most cases the point is to gather some information, whether it is passwords or credit cards.
These invoices and shipping notices may come from the vendor that you are buying from or from the delivery service itself, like FedEx or UPS. The delivery service will usually have the tracking number for your package in text in the e-mail that is sent to you… so if you have an e-mail from “FedEx” and it contains only a link to “your tracking details”, it’s most likely not the real thing. Your best bet is to remember what you’ve ordered and which delivery service will be used (maybe you will want to ‘flag’ the original order in your inbox) and visit the website directly. All you should need is the delivery service and tracking number.
Check out some actual examples on FedEx’s website: http://www.fedex.com/us/security/prevent-fraud/email.html
(image captured from: http://www.fedex.com/us/security/prevent-fraud/email.html)
(Hint: don’t open the attachment!)
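The two rules above (a real carrier notice carries the tracking number in the message text, and its links point at the carrier’s own domain) can be checked automatically. The following is an added example, not code from the original post or from Carbon Black; the carrier domains, the tracking-number formats (12- or 15-digit FedEx, “1Z” plus 16 characters for UPS) and the two sample e-mails are assumptions constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed carrier profiles (assumptions for this example): the domains a
# genuine tracking link should point at, and a pattern for the carrier's
# tracking numbers as they would appear in the message text.
CARRIERS = {
    "fedex": {
        "domains": {"fedex.com"},
        "tracking_re": re.compile(r"\b\d{12}(?:\d{3})?\b"),  # 12 or 15 digits
    },
    "ups": {
        "domains": {"ups.com"},
        "tracking_re": re.compile(r"\b1Z[0-9A-Z]{16}\b"),
    },
}

# Minimal anchor-tag extractor for simple HTML mail bodies.
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def _host_matches(url, domains):
    """True if the URL's host is one of the carrier's domains or a subdomain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_shipping_email(carrier, body):
    """Return (verdict, reasons, tracking_numbers) for an HTML e-mail that
    claims to come from `carrier`.  'suspicious' means: no tracking number in
    the text, or a link that leaves the carrier's domain."""
    profile = CARRIERS[carrier]
    reasons = []
    text = re.sub(r"<[^>]+>", " ", body)            # strip tags, keep the words
    numbers = profile["tracking_re"].findall(text)
    if not numbers:
        reasons.append("no tracking number appears in the message text")
    for href, label in HREF_RE.findall(body):
        if not _host_matches(href, profile["domains"]):
            reasons.append(f"link '{label.strip()}' points off-domain: "
                           f"{urlparse(href).hostname}")
    verdict = "suspicious" if reasons else "consistent"
    return verdict, reasons, numbers


# Constructed samples: a link-only phish and a notice that names the number.
PHISH_SAMPLE = ('<p>Your FedEx package could not be delivered.</p>'
                '<a href="http://fedex-track.example.net/confirm">'
                'View your tracking details</a>')
LEGIT_SAMPLE = ('<p>Tracking number: 123456789012</p>'
                '<a href="https://www.fedex.com/">Track on fedex.com</a>')
```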
Fake Travel Notifications
Along similar lines to fake invoices and shipping notices are fake travel notifications. You may need to do some traveling around the holidays to visit family or friends, so pay close attention when you make your travel arrangements. Keep the original travel confirmation page and refer back to it if needed.
Free Star Wars Tickets
Now that we will be having new Star Wars movies every year for the foreseeable future (thanks, Disney!) and that they just happen to coincide with the holiday season, you can be sure that someone will try to lure you in to a “Free Star Wars Tickets!” e-mail, using similar tactics that have already been discussed – “just fill out the attached PDF form and return it to us” or “click here to visit our website and fill in the details”.
Fake and Insecure Shopping Sites
Much like the image of the fake Amazon.com we saw above, you can bet there are plenty of other websites just like it. Take a look at the following fake UGG website… it looks just like the real one!
And always remember to watch out for insecure shopping sites… especially when you’re ready to input your payment details:
(Actually, any website where you need to input personal details should use “https:”… be mindful!)