Security firms warn of uptick in holiday cyber crimes

Security firms are warning consumers about an uptick in holiday cyber threats, cautioning online shoppers to watch which sites and links they click on during the upcoming holiday season.

While cyber crime normally spikes during the holidays, particularly as more Americans choose to buy from online retailers, researchers from several prominent security firms are flagging new tactics that could come up this season.

This includes hackers using malicious code that can steal customers’ payment information as they make their purchases. 

ADVERTISEMENT

Kimberly Goody, the manager of cyber crime analysis at FireEye, said consumers should be wary of deals that appear in their inboxes.

This week, the security firm detected the malware threat known as Emotet, which has been seen downloading second-hand bank data — including in Thanksgiving-themed emails sent out on Monday.

“Cybercriminals are opportunists who are aware that the potential cost to an organization of not paying a ransom is higher during these days and we expect them to attempt to capitalize on this,” Goody said in an email to The Hill. “They will also exploit individuals’ desire to seek out sales and coupons over the holiday shopping season by crafting email lures advertising sales or masquerading as popular brands.”

She added that retailers should also be prepared to see attacks on their sites during the shopping season, particularly on heavy traffic days like Black Friday and Cyber Monday.

Threats, like distributed denial of service (DDOS) attacks, can send a stream of traffic to sites that are so overwhelming that it forces the sites to shut down, costing businesses sales on a day they’re likely counting on to make their profit goals.

Chris Duvall, senior director at The Chertoff Group, warned about a series of digital lures hackers may use, like the state-of-the-art mill email phishing attacks that employ social engineering to make an email with malware look like an innocent message from a colleague or friend.

A phishing email can lead to minor breaches of data, or it could have a major impact, as seen in the 2016 presidential election when John Podesta, the campaign manager for Democratic presidential nominee Hillary ClintonHillary Diane Rodham ClintonMemo Comey used to brief Trump on dossier released: report Trump will likely win reelection in 2020 Lanny Davis says Nixon had more respect for the Constitution than Trump MORE, and others were sent spear-phishing email that aimed to steal their email account’s login credentials. The hack, which ultimately led to the theft of thousands of emails, became a massive embarrassment for the campaign as internal deliberations spilled out into the public purview.

Duvall also reminded people about basic cyber hygiene practices for the every-day buyer.

Don’t buy products with too-good-to-be true prices without doing some research and verification beforehand, don’t buy from unknown retailer websites without checking to see if they are somewhat vetted and legitimate first, and don’t use fake shopping apps that can steal your credit card information, he said.

“Hundreds of fake retail apps designed to steal your credit card information are popping up in Apple’s App Store and Google Play. Make sure to download the legitimate version of retail apps by downloading it directly from a store’s website, or by thoroughly checking user reviews if downloading from an app store,” Duvall said in an email to The Hill.

Even cyber threats that exist yearlong can be amplified during the holiday shopping season, according to Jen Miller-Osborn, the deputy director of threat intelligence on Palo Alto Networks’ Unit 42 team.

Miller-Osborn said several credit card companies, including Citi, Capital One and Bank of America, now offer virtual credit card numbers that aim to help cut down on fraud. The virtual cards provide an account number that can be used one time for online purchases.

And if consumers aren’t able to obtain a virtual account number, they can also purchase gift cards that can be used for any purpose, like those sold by Visa and American Express, to try to stop cyber criminals from gaining access to their entire bank accounts.

“You're limiting the amount of money that could potentially be exposed, especially if you're really, really concerned about inputting your credit card information,” Miller-Osborn said in an interview with The Hill.

The bottom line, the experts emphasized, is to be vigilant and take precautions online.