Top 10 Cyber Monday Threats
Ignoring Red Flags
As the holiday season ramps up, time-strapped users will inevitably be less discriminating about where they go to shop for the hottest holiday gifts. In fact, attackers are banking on the fact that holiday shoppers will be so rushed they will ignore obvious red flags -- like the absence of a padlock icon on a Web page -- in an effort to get affordable prices or a scarce holiday item.
Tip: First, look for that little padlock icon in the bottom right hand corner of the screen to verify the site is secure in order to send credit card and password information. Also, check to see if the site or URL is from an established merchant, or better yet, go directly to a trusted site -- even if it means you have to pay a little more or wait a little longer. Often attackers will change the URL of a familiar site with by altering or adding one letter (e.g. ebays.com) in hopes that potential victims won't notice.
Failing To Check Bank/Credit Card Statements
Of the many things that holiday shoppers have to do, scrutinizing financial statements might not be high on the list. With the multitude of added tasks piled on top of users during the holiday rush, many shoppers will gloss over credit card statements or ignore them altogether.
Don't. Rather than taking a big chunk all at once, cyber attackers will often siphon off money in little bits, hoping that a few missing dollars here and there will go unnoticed. Or they will make a "test purchase" to see if an account is legitimate, before going for the kill down the road.
Tip: Carefully scan bank and credit card statements every day and account for any unknown purchases and alert credit card companies and banks immediately to suspicious or unknown activity.
Now more than ever, attackers know that they can entice users via malicious links with offers of holiday sales and hot holiday gifts through social networking sites. In addition to e-mail and IM, attackers are spamming holiday offers with embedded links via social networking sites, such as Facebook, knowing that users are more likely to click on a link that they believe comes from a trusted source. And during the holidays social networking users will likely receive a barrage of messages from 'friends" inviting them to view pictures, receive special holiday offers or play games. In reality, cyber attackers often hijack users' passwords and social networking accounts so they can launch malicious attacks. And those users who click on an embedded link, stream a video or download a game will likely also download malware onto their systems designed to steal information or incorporate their computers in a malicious spam-spewing botnet.
Tip: Be wary of links contained in e-mail or social networking messages, even if you think they come from someone you know. And if it doesn't come from someone you know, delete them. Researchers at AVG advise users to apply an URL scanning tool to detect infected links or otherwise legitimate Web sites that may have become compromised.
Inadequate Antivirus
Many attacks could be prevented if users kept up-to-date antivirus/antispyware/antimalware. However, all too often this simple preventative technique takes a backseat to other holiday tasks. Subsequently, attackers that distribute malware will have the most success from users with inadequate security software or none at all.
Tip: Make sure that your security software stays current. Current antivirus/antispyware likely contains protections against the latest holiday threats, which means if users are updated, they are one step ahead of the attackers.
(Not So) Cute And Fuzzy E-Cards
One of the hallmarks of the holidays for users, so to speak, is that they tend to do things that they normally wouldn't otherwise do -- like blindly clicking on attachments. It may be tempting to click on that cute holiday e-card, even if you're not entirely sure about the sender. They're sweet. They're touching. However, many holiday greeting cards are scams that contain malware that installs information-stealing code or keyloggers onto your computer.
Other similar scams include holiday-themed videos, photos or other attachments, which also often appear to come from someone the user knows.
Tip: If you receive an e-card from a friend, take the time to contact them by some other means to confirm they indeed sent it. If the sender is someone you don't recognize, delete the message. And consider sharing photos through some legitimate photo sharing site, such as Flikr.
One Password, One Big Problem
In an effort to save time and reduce stress, shoppers often use the same password for multiple accounts--especially during the busy holiday season--when harried users are required to come up with creative passwords and usernames for sites such as Amazon or eBay. While it might be simpler to have a one-size-fits-all password for multiple accounts, it is also tantamount to an invitation for malicious attackers.
"What we're basically saying is that, 'I own lots of houses and have the same key for all of them. We would never do that in real life but we do it online all the time," said Andy Klein, product manager for SonicWall. Passwords and login credentials for non-financial accounts, such as Facebook, Twitter and e-mail, represent the key to obtaining address books for spam attacks. Meanwhile, hackers will have access to other accounts, such as bank and PayPal, accessed by the same login credentials.
Tip: Have a separate password for different accounts, and don't share them with anyone -- that includes e-mailing, IMing or tweeting them.
Searching In The Dark
What's the first thing users do when looking for the newest hottest toy or Nintendo game? Of course they turn to Google to refer them to the top Web sites. That might not be such a good idea, experts say. Attackers are staying one step ahead of the shoppers this season by utilizing search optimization tools to put their sites at the top of Google's rankings. Meanwhile, Google doesn't screen pages for malware, which means that even malicious sites can make it to the top of Google's search pages if they meet the right criteria. Consequently, search engine scams -- dangerous links impersonating legitimate search results -- will be more prevalent this season as more shoppers turn to the Internet for the bulk of their holiday shopping.
Researchers at F-Secure determined that some of the hottest search terms will also be hot targets for cyber criminals, including Michael Jackson's "This Is It" film, Call of Duty: Modern Warfare 2 video game, The Flip UltraHD Camcorder, Apple's iPod, Nintendo's Wii, and Playskool's Chuck My Talking Truck.
"When going shopping, you're better off searching for the stuff you want to buy from the merchants, instead of using just Google," said Mikko Hypponen, chief research officer for F-Secure.
Tip: Lay off Google for a while and go directly to the shopping sites for holiday gifts.
Drive-By Savings
The holidays are famous for making users do things they wouldn't normally do -- that includes visiting sites they wouldn't normally visit -- in an effort to find the best holiday deals. Some of the Web sites ask users to disable pop-up blockers. The result? A pop-up that offers users additional savings with one little caveat -- provide an e-mail address. While users could potentially find discounts and deals, they will almost inevitably be opening a floodgates for spam.
Tip: Legitimate Web sites don't need pop-ups. If a site prompts you to disable pop-up blocker, take heed and exit the site.
Package Delivery Notices
Among the many holiday scams out there, package delivery fraud and declined credit card payment top the list. This type of phishing attack takes the form of a friendly notice from a package delivery service, and includes a few lines that indicate to the user that the package was unable to be delivered, saying, "We tried to deliver your package, but were unable to reach you. Please click here to reschedule your delivery." Or "Open the attached document to see the problem." Users, especially those worried about packages arriving before the holidays, will be more inclined to click on embedded links, which almost inevitably will download malware onto their system.
"Security is something you'll gladly surrender if you're trying to get something shipped by a deadline," said SonicWall's Klein. "You'd give blood if you had to."
Tip: Ignore any e-mail notice that purports to come from a delivery service. Packages come with a tracking number. Instead of clicking on the link, go directly to the Web site of the delivery service and track down the package yourself.
Holiday Themed Videos
Attackers are notorious for using the holidays as a hook to entice users to download malware disguised as benign Christmas-themed videos. Many users will automatically accept the invitation and click on embedded links, especially if they appear to be from a friend. However, there's a good chance that the link to the "Santa Gets Stuck In A Chimney" video is really an attacker impersonating a contact with a hijacked Facebook account.
Tip: Double and triple check the source of the video to ensure that it comes from a legitimate movie site such a youtube.com, or hulu.com, while remembering that many malicious sites only change one letter of an established URL in hopes that the recipient fails to notice. (e.g. yuotube.com). If the link is sent from a familiar source, try to find the video directly from the Web site.
If the video comes from an unfamiliar source, or otherwise seems suspicious, play it safe and delete it.
related: 'Clean My PC' at http://harrold.org/cleanmypc
No comments:
Post a Comment
Please, avoid posting advertisements. Content comments are welcomed, including anonymous. Posts with profanity will not be published.