Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.
Security Response

Cyber Monday Shoppers and Retailers Beware of Scams and Attacks

Created: 26 Nov 2013 09:10:44 GMT • Updated: 23 Jan 2014 18:02:47 GMT • Translations available: 日本語
Laura O'Brien's picture
+2 2 Votes
Login to vote
Contributor: Vivek Krishnamurthi
cyber_monday_graphic.png
 
December 2, 2013 marks Cyber Monday, the day when Internet retailers expect to experience a major surge in traffic thanks to people shopping online for the holiday season. The concept of Cyber Monday, or Mega Monday as it’s known in Europe, was introduced back in 2005. It takes place after the Thanksgiving holiday weekend, when people return to the office and buy Christmas presents from their work computers, according to retailers. Some dismissed Cyber Monday as marketing hype but over time, the day has grown in significance, thanks to competitive deals on offer from many major retailers. In 2012, the 500 biggest retailers in the US took more than US$206.8 million on Cyber Monday while in Europe, approximately €565 million was spent on this day. This year, experts believe that Cyber Monday sales will grow by 13.1 percent as consumers increasingly move from buying presents in bricks-and-mortar stores to shopping online.
 
However, considering the hype surrounding Cyber Monday and the expected traffic on ecommerce sites on this date, there could be a chance that attackers will take advantage of the day to target both consumers and retailers. According to a recent study from RSA Security and the Ponemon Institute, 64 percent of retail-focused IT professionals have seen an increase in attacks and fraud attempts during high traffic days such as Cyber Monday. But just one third of these IT professionals take special precautions to ensure high availability and integrity of websites on these days. Worse still, the estimated direct cost of a cyberattack around the holiday season is believed to be US$8,000 a minute. 
 
Attacks against retailers
There are several ways that attackers could target retailers and consumers during Cyber Monday. Identity theft is one possible threat and it has plagued many stores and customers in recent years. The increased traffic on Cyber Monday could entice attackers to target vulnerabilities in retailers’ infrastructure in order to plant malware that could steal consumers’ information. Our recent research found that 53 percent of the websites scanned by Symantec contained unpatched and potentially exploitable vulnerabilities
 
Another possible threat to businesses on Cyber Monday could be distributed denial-of-service (DDoS) attacks. Many retailers have already experienced the effects of such attacks. In 2012, among the UK firms that were hit with DDoS attacks, 43 percent were in the retail sector. Cyber Monday could prove to be an attractive date for attackers targeting retailers with DDoS attacks. Attackers have been known to undertake DDoS attacks on dates of significance, as they are aware that their efforts will get noticed if they attack on high traffic days such as Cyber Monday. Attackers could also use DDoS attacks to distract Web administrators from other malicious activities that they could be carrying out elsewhere. DDoS attacks have been occurring more frequently, as there has been a reported 54 percent increase in attacks in the second quarter of the year. 
 
End users
Of course, retailers aren’t the only ones who should protect themselves this Cyber Monday. Consumers should also make sure that they shop safely online. This year, analysts expect that more consumers than ever will be searching for deals through their mobile device. Marketing research firm eMarketer believes that mobile commerce will generate US$41.68 billion of the total US$262.3 billion in ecommerce sales for the year, representing a 68.2 percent increase in mobile commerce sales from 2012. However, the recent 2013 Norton report showed that while 38 percent of smartphone users experienced mobile cybercrime in the past 12 months, almost half of mobile device owners didn’t implement basic protections such as passwords, security software or data backups. Even though some consumers may opt to shop on their mobile device rather than their computer, they could still be vulnerable to the threat of cybercrime.
 
Scammers will still be relying on more well established techniques to target both businesses and consumers this Cyber Monday. Symantec has found a recent spam campaign that tells the email’s recipient that they need to prepare for Cyber Monday if they want to make money from it. The email also includes two links claiming to offer advice on how to take advantage of the day. These links redirect users to a spam Web page that includes a video to trick users into thinking the page is genuine.
 
CyberMonday_edit2.png
Figure. Spam email claiming that the message’s recipient can make money from Cyber Monday
 
Stay protected
Consumers and retailers should heed the following advice to stay safe this Cyber Monday.
 
  • Web administrators should ensure that any potential infrastructure vulnerabilities are plugged before Cyber Monday in order to prevent attackers from taking advantage of these flaws. They should also monitor network traffic for any suspicious activity.
  • Retailers should ensure that their employees are trained to understand the risks associated with social engineering attacks that are designed to breach their companies’ systems, which could affect consumers. Similarly, other companies should also train their staff to be aware of phishing scams around this day, in case employees decide to shop online from their work computers. 
  • Consumers should use the latest version of their Internet browsers to shop online and should ensure that their software, including antivirus software, is up-to-date. Symantec offers consumers the latest Norton solutions for both computers and mobile devices.
  • Customers should only purchase goods through reputable online retailers and should check if the website that they’re shopping on is secured through Secure Sockets Layer (SSL). They can tell if the site is secured in this way if the URL includes “https” rather than just “http”. Consumers should avoid inputting financial information on sites without this protection.
  • Users should always avoid clicking on links in unsolicited emails, especially if they offer deals that seem too good to be true. They should always check legitimate retailers’ official websites to see what deals are on offer. Users should also never send sensitive financial information through email.
  • Consumers should monitor their bank or credit card activity over the holiday season and report any suspicious purchases or unauthorized money transfers.