Phishing attacks spike in the holiday season, warns US-CERT

US-CERT has issued a warning as cybercriminals target the holiday shopping frenzy.
22 November 2018

Fake Amazon forms are a common method used to compromise payment information. Source: Shutterstock

As enterprise technology has become more and more advanced, so too have the cybersecurity methods employed by the businesses using it. It’s less of a choice than a necessity; companies today live or die by their ability to protect not only their own data, but their customers’ as well.

That said, no amount of protection will make a business completely watertight. With some 90 percent of attacks on enterprise networks being spear-phishing attacks, in which specific individuals are targeted with emails containing malicious links or requests, the biggest chink in a business’s cybersecurity is invariably the human element.

As Black Friday marks the curtain officially opening on the holiday shopping frenzy this Friday, cybercriminals are set on exploiting consumers’ craze for a seasonal bargain.

In fact, the lure of duping unsuspecting shoppers is such that the United States Computer Emergency Readiness Team (US-CERT) this week issued a warning which should serve as a stark reminder of the ease with which your company’s security can be compromised.

“As the holidays approach, the Cybersecurity and Infrastructure Security Agency (CISA) reminds users to be aware of seasonal scams and malware campaigns,” reads the statement.

“Users should be cautious of unsolicited emails that contain malicious links or attachments with malware, advertisements infected with malware, and requests for donations from fraudulent charitable organizations, which could result in security breaches, identity theft, or financial loss.”

In order to avoid the risk of any such phishing attacks, NCCIC recommends users take caution when browsing the internet, shopping online, and using email.

Chiefly, the advice is not to click links or attachments in unsolicited emails. However, the guidance also warns of fraudulent social media pleas, calls, texts and websites.

As reported by industry press, the seasonal spike in cyber attacks was observed by cloud security company Zscaler, which said the trend was far from just beginning and reported a “steady rise in phishing attacks leading up to Black Friday and Cyber Monday”.

Between October and November, Zscaler recorded almost 1.3 million events, which included 723,942 targeted phishing campaigns and half a million generic spam attacks.

One of the key methods employed by cybercriminals targeting seasonal shoppers is directing users to fake Amazon login and billing pages, with the purpose of compromising Amazon accounts and stealing payment card information.

While these pages can appear more or less identical to the real thing, the only tells are a URL that lacks the Amazon domain and the absence of an HTTPS secure connection indicator, which will be flagged by certain browsers.
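The two tells described above can be applied mechanically, for instance by a mail filter or in a staff awareness exercise. The following is an added example, not code from US-CERT, Zscaler or the article; the function name, the trusted-domain list and the sample URLs are assumptions constructed here, and it goes slightly beyond the article's case by also flagging userinfo and punycode look-alike hosts.

```python
from urllib.parse import urlsplit

# Assumption for this example: the only domain treated as genuine.
TRUSTED_DOMAINS = ("amazon.com",)


def check_login_url(url, trusted=TRUSTED_DOMAINS):
    """Return a list of warning strings; an empty list means both tells pass."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()

    # Tell 1: no HTTPS secure connection.
    if parts.scheme.lower() != "https":
        warnings.append("not-https")

    # Text before '@' is userinfo, not the host: https://amazon.com@login.example/
    if parts.username is not None:
        warnings.append("userinfo-in-url")

    # Punycode labels can render as look-alike characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")

    # Tell 2: the host must be the trusted domain or a subdomain of it.
    # Matching on label boundaries rejects www.amazon.com.signin.example and
    # amazon-com.example, which a naive substring check would accept.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        warnings.append("untrusted-domain")

    return warnings


if __name__ == "__main__":
    # Constructed sample URLs; the .example names are reserved placeholders.
    samples = [
        "https://www.amazon.com/ap/signin",
        "http://www.amazon.com/ap/signin",
        "https://www.amazon.com.signin.example/ap/signin",
        "https://amazon.com@login.example/",
        "http://amazon-com.example/billing",
    ]
    for url in samples:
        print(url, "->", check_login_url(url) or "ok")
```

An empty result only means the URL passes these two tells; it says nothing about a legitimate page that has itself been compromised.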

Not all the threats are so obvious, however. Web-skimming attacks target financial details as a user is entering them into the payment form of a web store. In these cases, hackers compromise a legitimate website, or the payment page provider itself.

The bad news is that users have limited defenses against these attacks; the onus is instead on retailers to put safeguards in place and to ensure the security of any third parties they’re working with.

The safest option, of course, is ensuring your staff aren’t doing their holiday shopping in the office at all, which, let’s be honest, is easier said than done. Instead, perhaps cybersecurity education is the most effective defense.