The Websense guide to a safe Ho Ho Holiday
Carl Leonard, Senior Security Research Manager, Websense Security Labs
The words 'Christmas' and 'Shopping' go hand in hand and last year UK consumers spent £4.67 billion shopping on the Web in December alone with £102 million being spent online on Christmas Day itself.*
This year a recession-weary population is hungry for bargains, and many of them will once again grab the chance to beat the crowds and shop online. eBay is predicting that 85% of consumers will maintain or increase their online shopping this Christmas, and studies show that 93% of consumers plan to buy a gift online this Christmas.*
The last statistic in particular is of interest to cyber criminals, as it gives some insight into the number of opportunities they have to steal information or cheat you out of your money. With many consumers using corporate networks to access the Internet in the run-up to Christmas, Websense has released a guide for businesses and consumers alike on how to avoid getting more than you bargained for this festive season.
*sources: Interactive Media in Retail Group and eBay.
Top Tips to avoid getting more than you bargained for this Christmas
#1 The 'Bargain' Store Scam
How it works: One of the major attractions of purchasing things online is that there are often bargains to be had. While looking for a good deal we may be tempted by low prices and forget to look at who we're purchasing from. Cyber criminals are all too aware of this and create fake online shops to harvest credit card details for their own gain. Products are often offered at much lower prices than on the high street, but no parcel will ever be sent. Your credit card may be charged anyway, and the card details sold on the black market.
Tempting as some offers can be, the old adage is often true: if it sounds too good to be true, it probably is.
Tip for consumers: If you are shopping on an unfamiliar site, check that there is a landline phone number and postal address you can use to contact the retailer if there's a problem. Check that the payment connection is secure by looking for the padlock symbol and ensuring there is 'https' in the address bar (the 's' stands for secure). Only give your payment card details over a secure connection, and never by email. Remember that EU law protects you against fraudulent use of your payment card in EU transactions; credit cards give you extra protection.
Tip for businesses: The lines between work and play have blurred, and a happy employee is seen as a key to success. Many people can make good use of their time by Christmas shopping during their lunch hour, and using their work address to make parcel deliveries easier. Not having to battle with the lunch time or weekend rush makes for a less stressed and more productive workforce.
Companies don't need to limit the amount of access employees have to the Web - they need to deal with the threats more effectively. By setting realistic Web usage policies your staff will be encouraged to shop safely online during lunch break or out of office hours. Security solutions which categorize new sites and dynamic content in real-time, and proactively discover security risks are designed to enable safe and productive use of the Internet.
#2 The Fancy Dress Disguise
How it works: In the run-up to Christmas many people will send e-cards to friends and associates, or a link to an amusing video clip. Unfortunately these can sometimes carry hidden malicious extras, or the email may be a phishing scam in fancy dress. Beneath the jolly Father Christmas images can hide malicious URLs linking to malware or exploit code. This technique is continually evolving: new attacks become more sophisticated in the imagery and lures they use, to increase the success rate.
Tip for consumers: We all enjoy visiting popular video Web sites to view the latest joke or program clip. These user generated sites by their very nature are constantly being updated, which makes it difficult for traditional malware protection to keep you safe. Installing real-time analysis software can help to mitigate this risk, but you should always maintain a healthy suspicion of video content.
If you receive an e-greeting from 'a friend', 'a colleague' or 'a family member', look carefully at the originating email address, and see whether the email is personalized to you - people who actually know you tend to know your name! Perhaps double-check with the 'sender' that they really did send you the email. If the email links to a URL, look at the address to see where it is redirecting you BEFORE you click the link. Does the address look different from where the card claims to be from? If any doubt exists about the origin of the mail, you should delete it immediately.
Tip for businesses: Blended threats (spam emails with embedded URLs) are on the increase and on average 85.6% of all unwanted emails contain links to spam sites and/or malicious Web sites. A security solution that integrates Web security and email security should be able to identify links in an email and trace them back to malicious sites or content. Based on this accurate identification, solutions should be able to act in real-time to block the email and any other attempts to access that Web site, view content, or transmit data to that destination.
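The "look at the address before you click" advice above, and the link identification a gateway performs in the business tip, can both be automated for a batch of incoming e-cards. The script below is an added example written for this guide; it is not Websense product code. It parses a constructed HTML e-card body, pulls out every link, and reports why each deserves suspicion: the visible text names one site while the real destination is another, the destination is a bare IP address, or the link points straight at a downloadable file. The `registrable()` helper is a deliberate simplification (assumption: no public-suffix list is available), and all hostnames and addresses in the sample are constructed.

```python
# Added example: flag e-card links whose visible text points somewhere other than
# the real destination. Not Websense code; the sample message below is constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:          # only text inside the current <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Reduce a hostname to its registrable part, e.g. shop.example.co.uk -> example.co.uk.
    Assumption: a tiny hard-coded list stands in for a real public-suffix list."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "org", "ac", "gov"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


# A domain-looking token in the visible link text (scheme optional).
URL_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def assess_link(href, text):
    """Return a list of reasons this link deserves suspicion (empty = nothing noticed)."""
    reasons = []
    target = urlparse(href)
    host = target.hostname or ""
    if target.scheme not in ("http", "https"):
        reasons.append(f"unusual scheme '{target.scheme}'")
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("destination is a bare IP address")
    if target.path.lower().endswith((".exe", ".scr", ".zip")):
        reasons.append("link points straight at a downloadable file")
    shown = URL_IN_TEXT.search(text)
    if shown and host and registrable(shown.group(1)) != registrable(host):
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
    return reasons


def assess_email(html_body):
    """Map every href in the message to its list of suspicion reasons."""
    parser = LinkExtractor()
    parser.feed(html_body)
    return {href: assess_link(href, text) for href, text in parser.links}


# Constructed sample: one honest link, one disguised link, one bare-IP download.
SAMPLE_ECARD = """
<p>A friend has sent you a Christmas card!</p>
<a href="http://198.51.100.23/card.exe">View your card</a>
<a href="http://greetings.example.net/open?id=1">www.example-cards.com/open</a>
<a href="https://www.example-cards.com/open?id=1">https://www.example-cards.com/open</a>
"""

if __name__ == "__main__":
    for href, reasons in assess_email(SAMPLE_ECARD).items():
        print(href, "->", "; ".join(reasons) or "no concerns")
```

Run as-is and the honest link comes back with no concerns, while the other two are flagged with a human-readable reason that can be written to a log or shown to the recipient before they click.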
#3 The Drive-by
How it works: This is one of the most dangerous types of attack, as no user interaction is required for infection to happen. Simply browsing an infected Christmas-themed Web site or news site could allow code to run that exploits vulnerabilities in software installed on that machine. Malicious applications could be secretly installed while you're browsing for a Go Go pet hamster or playing an amusing penguin racing game.
Tip for consumers: Many of the most basic scams rely on already-identified vulnerabilities in users' software, browsers or third-party plug-ins. Users who don't download patches and updates leave themselves open to attacks from cyber criminals who aim either to take control of the machine or to steal data. Where available, you should always install the most recent updates and patches to protect against these kinds of attacks.
Tip for businesses: It is no longer just porn or gambling sites that host malcode; it's news, travel and shopping sites too. In fact, 77% of Web sites with malicious code are actually legitimate sites that have been compromised.
Reputation based monitoring is no longer an effective method of protection. Your security solution should be able to understand Web sites, Web content, applications and malware beyond reputation alone, considering usage and Internet context for a real-time risk assessment. Only with this level of understanding can threats be blocked accurately and in real-time. Even if a well known and trusted site with a good reputation were compromised, the threat would be prevented.
#4 Unwanted gifts from Anti
How it works: Social engineering is the name given to the art of tricking a user into performing an action. Rogue Anti-Virus software is an example of a social engineering technique seen frequently by Websense Security Labs. When browsing you might see a pop-up explaining that your computer may be infected and offering to perform a free Anti-Virus scan. Don't be fooled: there is no scan; instead the pop-up will simply claim to have found a virus on your machine. You're not really infected, but this may encourage you to download or even pay for their (fake) Anti-Virus software, which is actually malicious software. Now the hackers have your credit card details and control of your computer.
Tip for consumers: Search engine results are often 'poisoned' to lead to malicious software disguised as anti-virus software. When you search for popular Christmas-related terms, search engine optimization (SEO) poisoning pushes infected URLs to the top of the search results, to increase the likelihood of you clicking through to the rogue AV Web site. Exercise caution when downloading software or accessing Web sites; keep your guard up. The best guard you have against this attack is your grey matter. If you realise you may have fallen for a scam, contact the appropriate authorities.
Tip for businesses: Look for a secure Web gateway solution that provides advanced analytics - including rules, signatures, heuristics and application behaviors - to detect and block proxy avoidance, hacking sites, adult content, botnets, keyloggers, phishing attacks, spyware and many other types of unsafe content. Independent testing confirms that the Websense Web Security Gateway leads the secure Web gateway market and exceeds analyst criteria for malware protection, data loss prevention, Web 2.0 threat detection, accuracy and effectiveness.
#5 The Christmas Jigsaw puzzle
It's a bit like sending a jigsaw one piece at a time: it's not until all the pieces are collected and put together that the whole nasty picture becomes clear. By this time the bad guy is already in and can go on to disable your anti-virus and take over the computer.