Bad guys are poised to plunder online holiday shoppers.
On Black Friday, Cyber Monday and throughout the 2012 holiday shopping blitz, cybergangs are expected to unleash a variety of old and new Internet-based scams to steal identities and hijack online accounts.
"This is prime time for cybercriminals," says Brendan Ziolo, vice president at security firm Kindsight.
Crooks' incentive: Some 41 percent of consumers plan to use their PCs, tablets and smartphones to shop online, up from 37 percent last year, according to PriceGrabber.
That means millions of people will be using computers at home and work to shop for gifts. What's more, roughly half of them use Web browsers lacking the latest security patches, making them prime targets for computer infections that saturate the Web.
"Users of all major browsers are using outdated software containing known vulnerabilities," says Wolfgang Kandek, chief technical officer at patch management firm Qualys.
Qualys recently analyzed more than 1 million Internet-connected Microsoft Windows PCs and Macs. It found 56 percent of users of Microsoft's Internet Explorer surfed the Internet using an older version of the popular Web browser carrying widely known security flaws. Hackers are expert at tapping into such flaws to seed infections.
Some 49.2 percent of users of Mozilla's Firefox, 47.5 percent of Google's Chrome and 37.4 percent of Apple's Safari also used browser versions lacking the latest security updates. Using an outdated browser — and clicking on a Web page booby-trapped with a hidden virus — can turn control of your computer over to an intruder.
Last month, antivirus firm Avast identified more than 52,000 American Web domains containing at least one infected Web page; that was up from 50,000 infected domains in September and 46,000 in August. "Sometimes it could be several infected pages on each domain," says Avast researcher Milos Korenko. "Not only porn sites and other dodgy sites, many were perfectly legitimate websites."
Professional cybergangs in Russia and Eastern Europe are steering victims to these booby-trapped Web pages via:
- Social networking. Free Web mail services, Facebook, Twitter and Pinterest are littered with lures to click on tainted Web links. These come disguised as bogus coupons, gift cards, package-delivery notices and charity solicitations. "Social-media scams are spreading like wildfire," says Catalin Cosoi, chief researcher at antivirus firm Bitdefender.
Cybercriminals take full advantage of the lax attitude toward privacy fostered by social networks, says Mark Patton, manager of the security business unit at GFI Software. This time of year, tainted Web links proliferate on Facebook wall postings, get embedded in Tweets and show up associated with YouTube videos.
"You could easily foresee a scenario where a holiday-decorating tutorial on YouTube could play host to nasty embedded links," Patton says.
- Search queries. Search Engine Optimization, or SEO, refers to techniques used by media companies and advertisers to get their Web links ranked highly in response to specific search queries. Crime gangs have become expert at using SEO tactics to boost the rankings of "poisoned" search results directing victims to tainted Web pages.
Analysis of Web traffic from over 75 million users on home and corporate networks conducted by Blue Coat Security Labs found criminals are poisoning Google and Bing search results four times as often as sending out viral e-mail.
Criminals are certain to aim poisoned results at shopping-related queries. "By getting high rankings for pages that are actually infected, they increase the likelihood of leading victims to their infected pages," says Proofpoint security blogger Keith Crosley.
- Mobile devices. Online transactions conducted via iPhones have increased 11 percent so far in November compared with the same period a year ago; for Windows smartphones, transactions are up 53 percent, and for Android, 7 percent, according to an analysis of 40 million mobile devices by security firm ThreatMetrix.
Cybergangs have identified these new mobile device-enabled services as the source of valuable personal data, particularly logons to banking and shopping accounts, says Alisdair Faulkner, ThreatMetrix chief products officer. "The uptick in mobile usage has increased the risk of fraud," Faulkner says.
Android smartphone users should be especially wary of free apps and unsolicited text messages, says Bitdefender's Cosoi. One such threat, called ZitMo, intercepts text messages and e-mails containing bank authentication tokens and is designed to help thieves gain control over online bank accounts, he says.
So what can online holiday shoppers do? Shop on reputable sites, use strong passwords and avoid using a debit card, says cybersecurity expert Bob Bunge, information sciences professor at DeVry University.
Using a debit card is unwise, he says, because it can give thieves direct access to your personal checking account. One other piece of advice: "Think before you click," Bunge cautions. "If it seems too good to be true, it probably is."