Department store for fashion showing online threats during holiday shopping season
Online Threats Targeting Unprepared Retailers Ramp up Dramatically During the Holiday Shopping Season

Online Threats Targeting Unprepared Retailers Ramp up Dramatically During the Holiday Shopping Season

Cybersecurity surveys consistently show that the retail industry is one of the worst-prepared for cyber attacks, yet is also one of the most heavily targeted. The holiday shopping season is both the industry’s peak sales period and the timeframe in which it is most heavily preyed upon by cyber criminals. In addition to the ongoing Christmas shopping season, this period contains both Black Friday and Cyber Monday which collectively pull in about $14 billion in sales.

Early indications are that these annual online threats are going to be up dramatically from previous years, with some attack types more than doubling the numbers seen in 2018.

2019’s most popular holiday shopping scams

The usual cyber threats generally increase during the holiday shopping months, but sometimes have a festive twist. For example, the Cybersecurity and Infrastructure Security Agency (CISA) warns that targeted phishing attacks often come bundled in the form of an e-card that appears to be from a friend or family member.

Other types of online threats make unique appearances at this time of year, or see unusually heavy spikes. For example, fake charity scams are usually at their peak during the giving season. Scammers may create a bogus duplicate of a legitimate charity, hosted at a URL that looks plausibly legitimate.

They also create fake charities from the ground up, primarily targeting good Samaritans looking for an organization to donate to through Google search or social media platforms. Sometimes the online presence of the fake charity is supplemented by a follow-up call from a spoofed phone number that appears to be in the target’s local area.

CISA advises online shoppers to avoid charities that are soliciting donations in cash, by gift card or by wiring money. These are nearly always scam sites. Bogus copies of real charities can often be sniffed out by Googling the charity’s name and comparing the URL to the top results. A number of organizations also maintain lists of registered charities and known scammers; these include the FBI, Charity Watch, Charity Navigator and

Fake copies of retail store sites also tend to increase during the holiday shopping season. As with the fake charity sites, these bogus retail portals often register URLs that are similar to the actual store and also have valid TLS certificates that enable legitimate HTTPS transactions.

None of this is to diminish the more standard online threats to the retail industry, such as payment card skimming attacks, credential stuffing attacks and attempts on improperly secured databases; these are very likely to spike during the peak holiday shopping weeks as well.

The recent increase in online threats

According to a recent study conducted by cryptography firm Venafi, over 100,000 copycat sites employing valid TLS certificates have already appeared on the internet. These are overwhelmingly copying about 20 top retail sales in the United States, Europe and Australia. One unnamed leading retailer based in the United States has apparently had over 49,500 copycat sites spotted in the threat landscape in 2019.

With only about 20,000 valid online shopping domains, the number of copycat phishing sites exceeds the number of legitimate sites by over 400%. This number is also more than double the amount of bogus retail sites seen in 2018.

These holiday season online threats are bludgeoning a retail industry that has already been having a terrible 2019 in terms of cybersecurity. Keeper Security’s 2019 Global State of Cybersecurity in Small and Medium-Sized Businesses indicates that the damage is not limited to the world’s largest retailers. The study indicates that 61% of SMB respondents have already experienced a cyber attack in the previous year, but 50% still do not have a response plan for a data breach in place.

How to avoid having a blue Christmas

The Keeper Security study indicates that only about 33% of SMB retailers believe that they have a sufficient budget for proper IT security and only 9% believe they have sufficient personnel, but that only 7% are spending over 20% of their budget on security solutions. On average, SMBs spend only about 11.5% of their budget on combating online threats.

Mike Bittner, Associate Director of Digital Security and Operations at The Media Trust says,

“’Tis the season to be jolly and wary as bad actors ramp up their attack campaigns. Bad actors are looking to score money and data from consumers on the hunt for good deals and shopping online. Their methods are legion – from taking over payment pages, to siphoning payment information in transit, to phishing schemes via apps and digital wallets previously considered secure. Consumers should be wary of deals and go directly to sites they trust. Companies that want to protect their brand should continuously monitor all the code that execute on their sites and mobile apps to ensure none violate their digital policies. Chances are high that they only know a small fraction of the 50-95% code in their digital assets provided by third parties who have a great deal of largely unknown access to users’ information.”

Copycat websites are a type of scam that is beyond the control of an IT department, but companies can take proactive steps to detect and discover these fraudulent sites and prevent damage to their brand. It’s worth regularly scanning for fraudulent URLs registered using the company name anyway, as they may well be used in a targeted phishing attack or some other malicious activity.

The main thing to keep an eye on is the “zone files” provided by ICANN’s Centralized Zone Data Service; qualified IT personnel should know how to search these files for newly registered variations on the company name. If a fraudulent phishing site is found, it should be reported to the registrar and the FBI.

Individual consumers should always check both charity and retail site URLs carefully to ensure they are at the right location. If you don’t already have the site bookmarked, the legitimate URL should be high on the first page of a Google search of the company name. It’s also best to avoid clicking through links to these sites in emails as much as possible, instead firing up the browser and directly visiting the site.

Holiday greetings should also be approached with some amount of caution, especially if an e-card arrives from out of the blue. While it might be a forgotten acquaintance attempting to spread holiday cheer on the cheap, hackers will sometimes send these cards out to everyone on the contacts list of a compromised email account. Attackers might also have obtained information about your family from a data breach and be impersonating someone using a newly registered email account.

All of these online threats are especially acute on mobile devices. It’s tougher to verify the legitimacy of websites while on a phone, and consumers are more likely to make impulse holiday shopping decisions or enter login credentials without taking proper precautions while out and about.

Robert Capps, VP of Market Innovation for NuData Security (a Mastercard company), leaves us with some thoughts on mobile online threats during the holiday shopping season that are of value to both online retailers and consumers:

“Consumers should be especially careful on their mobile phones as more purchases will take place on mobile than on desktop, making the pocket device more attractive to attack. With mobile screens smaller and people more in a hurry to catch the latest sale, cybercriminals work to introduce typosquatting, magecart type attacks, phishing attacks and more all to snag the holiday shopper. Researchers at NuData Security found in September, out of all logins, 48% were fraudulent. However, for e-commerce organizations, there should not have to be a trade-off between security and mobile usage, and mobile transactions shouldn’t need to increase friction to catch bad guys. Higher accuracy and fewer false positives are possible with existing technologies: passive biometrics and behavioral analytics are some of them.”