Thanksgiving, Black Friday, Cyber Monday, Christmas. There’s a lot of shopping to be done between now and the end of 2016. As throngs of discerning shoppers flock to the high street and online shopping carts are filled to the brim, cybercriminals are busy preparing their wares to take advantage of the high sales period. With this in mind, we decided to outline some of the biggest threats facing both retailers and consumers in the upcoming holiday season:
1. DDoS attacks – With the Mirai botnet demonstrating its ability to launch high-volume distributed denial of service (DDoS) attacks, some might deem the busy sales period an opportune moment to showcase their capability or cause widespread disruption by targeting retailers. Allied to this is the threat of DDoS extortion, as attackers may use the threat of disabling retail operations during the busiest period of the year as a means of earning a quick profit. Just this week the web hosting and building service Squarespace was hit by two DDoS attacks that affected a number of e-commerce sites. A user on the AlphaBay Dark Web marketplace claimed responsibility for the attacks and alleged they had tried to extort Squarespace for up to $2,000 USD, though this was not confirmed. The same user also advertised their DDoS services online, specifying their availability on Black Friday (see Figure 1 and Figure 2 below).
Figure 1: AlphaBay user offers DDoS botnet rental service
Figure 2: The same user specifies that they can conduct attacks on particular days – for example Black Friday (Nov 25)
2. Compromise of e-commerce sites – This issue has emerged as a problem in 2016, with thousands of e-commerce sites being infected with keyloggers designed to steal credit card data entered into online checkout forms. Many of the compromised websites ran the Magento shopping cart system, though other platforms such as Powerfront CMS and OpenCart, as well as payment processing systems such as Braintree and VeriSign, were also purportedly targeted.
3. POS malware – Cybercriminals are likely to exploit the large number of transactions conducted during the next month by targeting point of sale (POS) devices such as card readers and payment terminals. When a new campaign for the POS malware known as FastPoS was discovered in September 2016, it became clear that the malware was still under active development. A similar pattern was detected in 2015, whereby new campaigns and upgrades appeared to occur in the months leading up to Christmas. It’s highly likely that the same will occur in 2016.
4. Skimming – In a similar vein to POS malware, cybercriminals will likely seek to take advantage of the increased number of withdrawals made at ATMs this season. Skimming devices aren’t always easy to spot. In September, U.S. authorities warned of a new technique known as ‘periscope skimming’, which involves the use of a specialized skimming device connected directly to the ATM’s internal circuit board. This technique was likely developed in response to anti-skimming measures, and criminals are almost certain to be developing new ways to avoid detection.
5. Phishing pages – Attackers will try to trick users through fake websites that at face value look incredibly similar to those belonging to legitimate retailers. These sites, however, often steal victims’ credentials when they try to make a purchase, or will be used as a landing page to download a particular strain of malware. We expect phishing email campaigns encouraging users to visit these sites to be particularly prevalent at this time of year.
6. Malvertising – Attackers can use online advertising as a means of distributing malware, luring victims with one-time offers and bargain prices. These will usually involve an attacker injecting malicious code into a legitimate advert which will either download malware directly onto a victim’s machine or redirect visitors to a website that facilitates the distribution of malware. Pop-ups, banners and promotional offers pushed through social media feeds can be used for these purposes. Sometimes attackers even create adverts that appear to point to legitimate sites by shortening or changing the URL displayed on the advert itself.
7. Banking malware – Banking trojans remain a threat all year round, but research from Kaspersky has indicated that attacks using financial malware increased around the time of Black Friday and Cyber Monday, and the Christmas period in 2014 and 2015. One reason for this might be that as more people shop online during this time, attackers will try to distribute their malware via fake or compromised sites, or through phishing email campaigns. These can also be used to deliver additional malicious payloads. A recent Kronos banking trojan phishing campaign, for example, was discovered to be targeting victims in the UK and US. While Kronos infections are bad enough, Kronos was also downloading a new POS malware dubbed ScanPOS, which was capable of stealing credit card numbers.
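Item 6 notes that adverts can appear to point to a legitimate site by shortening or changing the URL displayed on the advert. The check below compares what an advert shows with where its link actually goes. It is an added example, not code from the original post: the function names, the shortener list and the sample adverts are constructed assumptions, and the subdomain comparison is a simplification that does not use a public-suffix list.

```javascript
// Hosts treated as URL shorteners (a small assumed sample, not a complete list).
const SHORTENERS = new Set(["bit.ly", "t.co", "tinyurl.com", "goo.gl"]);

// Extract a hostname from the text an advert displays, e.g. "www.shop.example/deals".
// Returns null when the text does not start with something that looks like a URL.
function displayedHost(text) {
  const m = text.trim().toLowerCase()
    .match(/^(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/:?#]|$)/);
  return m ? m[1].replace(/^www\./, "") : null;
}

// True when `host` is `parent` or one of its subdomains (simplified comparison).
function sameSite(host, parent) {
  return host === parent || host.endsWith("." + parent);
}

// Classify one advert link {text, href}; an empty array means nothing was flagged.
function checkAdLink({ text, href }) {
  let target;
  try {
    target = new URL(href);
  } catch {
    return ["unparseable-href"];
  }
  const findings = [];
  const host = target.hostname.replace(/^www\./, "");
  // The real destination is hidden behind a shortener.
  if (SHORTENERS.has(host)) findings.push("shortened-destination");
  // The advert displays one site but links to another.
  const shown = displayedHost(text);
  if (shown && !sameSite(host, shown)) findings.push("display-mismatch");
  return findings;
}

// Constructed sample adverts (reserved .example/.invalid names, placeholder paths).
const SAMPLE_ADS = [
  { text: "shop.example/black-friday", href: "https://www.shop.example/black-friday?src=ad" },
  { text: "www.shop.example", href: "http://shop.example.deals.invalid/landing" },
  { text: "50% off today only", href: "https://bit.ly/placeholder" },
  { text: "shop.example", href: "https://tinyurl.com/placeholder" },
];

// Return only the adverts that raised at least one finding.
function auditAds(ads) {
  return ads.map((ad) => ({ ...ad, findings: checkAdLink(ad) }))
    .filter((ad) => ad.findings.length > 0);
}

console.log(auditAds(SAMPLE_ADS));
```

A flagged advert is a candidate for review rather than proof of malice, since legitimate campaigns also use shorteners and tracking redirects.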