By Jon Munshaw.
This holiday shopping season, the basics of avoiding a malware infection boil down to this: If it sounds too good to be true, it probably is.
While sometimes retailers do give out small-dollar gift cards, that $500 discount on a new iPhone is probably not real. If it is a scam, it will definitely not help you get your new iPhone 11 Pro Max.
With Black Friday and Cyber Monday, Talos researchers are hitting radio and television networks to alert customers of what to do to stay safe while shopping online. Common attack vectors this time of year include fake websites, coupons, invoices and more, all designed to get shoppers to click on malicious links that eventually lead to adversaries stealing login, banking or personal information.
Craig Williams, the director of Talos Outreach, appeared on the nationally syndicated radio show “This Morning with Gordon Deal” and discussed common attacks. One scam he discussed involves adversaries sending a fake check or gift card to a shopper, asking them to act as a “secret shopper.”
The adversaries then have the shopper either "verify" an in-store money transfer service, such as Western Union or MoneyGram, by wiring back some of the money they received, or buy gift cards and send pictures of them to the adversaries. At this point, the shopper is told they are free to spend the rest of the money on themselves. Eventually, however, the bank realizes that the check is fake and the shopper is left with a massive hole in their bank account. The attackers pocket a nice present from the victim.
Sound overly complicated? Don’t worry, adversaries are still sticking to their bread-and-butter of malicious emails and ads as well.
“Simply viewing the [malicious] page is enough to compromise your machine,” Williams said on Deal’s show. “But opening an attachment is obviously very dangerous. Plus there’s fake invoices, fake coupons, links to sites to get a special deal.”
You can listen to the full show here. Williams’ segment starts around the 8:05 mark.
Another common technique adversaries use is typo-squatting websites for popular retailers. Appearing on KTVU-TV in California, Talos researcher Matt Valites used the example of Nike. If a shopper wanted to buy some shoes, they would usually go to Nike[.]com. But attackers may try to use strikingly similar URLs, such as Niek[.]com, to trick users into thinking they’re on the real site.
But when the shopper goes to enter their login information or credit card number to buy something, the attackers just steal their information.
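As an added illustration (not code from the original post or from Talos), the check below flags a hostname that looks like a typo-squat of a known retail brand. It uses the Damerau-Levenshtein distance so that a swapped pair of letters, as in Niek versus Nike, counts as a single edit, and it also catches the brand name buried in a subdomain of some other domain. The brand list, the distance threshold and the single-label public-suffix shortcut are assumptions.

```python
"""Flag URLs whose hostname looks like a typo-squat of a known brand (added example)."""
from urllib.parse import urlsplit

# Constructed brand list: "nike" comes from the article, the others are assumptions.
KNOWN_BRANDS = {"nike", "amazon", "bestbuy"}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap adjacent chars."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Transposition: "niek" -> "nike" is one edit here, two under plain Levenshtein.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_url(url: str, brands=KNOWN_BRANDS, max_distance: int = 1) -> str:
    """Return 'legit', 'typosquat', 'brand-in-subdomain' or 'unknown' for a URL or bare host."""
    url = url.replace("[.]", ".")  # accept defanged notation like Niek[.]com
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").rstrip(".")  # hostname is already lowercased
    labels = host.split(".")
    if len(labels) < 2:
        return "unknown"
    # Assumption: a single-label public suffix such as .com; a real deployment would
    # consult the Public Suffix List to find the registrable domain.
    registrable = labels[-2]
    if registrable in brands:
        return "legit"
    # e.g. nike.com.example: the brand is only a subdomain of somebody else's domain.
    if any(b in labels[:-2] for b in brands):
        return "brand-in-subdomain"
    for b in brands:
        if damerau_levenshtein(registrable, b) <= max_distance:
            return "typosquat"
    return "unknown"
```

Homograph look-alikes (non-ASCII characters that render like Latin letters) are not covered by this edit-distance check.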
“Instead of clicking on [these links], try going directly to the website instead and type in the URL of the website you’re trying to visit,” Valites said. You can view his full segment below.
Here are some other tips for avoiding holiday shopping scams:
- Only download apps from trusted and official app stores like the Google Play store and iOS App Store.
- Look out for apps that ask for suspicious permissions, such as access to your text messages, contacts, stored passwords and administrative features.
- Some malicious apps will try to masquerade as a legitimate version of the one you could be searching for. Signs of these apps include poor spelling and grammar in app descriptions and interfaces, lack of high-quality performance and a developer contact that uses a free email service (such as @gmail.com).
- Avoid clicking on unsolicited emails. Make sure you purposefully subscribed to any marketing emails you receive from retailers before opening them.
- Use an ad blocker in your browser. These will often block malvertising campaigns that aim to capitalize on shoppers looking for deals.
- Try to use payment services such as Google Pay, Samsung Pay and Apple Pay. These services use tokenization instead of the “Primary Account Number” (your credit card number), making your transaction more secure.
- Use complex passwords that are unique to each site. Attackers commonly take a password stolen from one site and try it against other accounts that use the same username. Use a password manager if you have a hard time creating and remembering secure passwords.
- Manually type in URLs to sites you want to visit rather than clicking on links.
- Use two-factor authentication to log into your email account to avoid unauthorized access.