Researchers: More Online Shopping This Season Brings More Chances of Hacks

By Nora Macaluso

More people than ever are shopping online this holiday season — 33% more than last year, according to Adobe Analytics — and that points to more opportunities for hackers.

Security experts told Digital Privacy News that the top privacy threats they were seeing involved spoofing and phishing attacks from sites purporting to be those of major retailers.

Shoppers need to be more vigilant than ever about making sure they’re not clicking on bad links and about monitoring credit-card statements for fake charges, they said.

“This holiday season is different from any other because of the pandemic,” Mieke Eoyang, senior vice president for the national security program at Third Way, a Washington think tank that focuses on security, told Digital Privacy News.

“Since many Americans have been working from home since March, the digital-threat landscape has changed a lot — and the attackers have been working on that throughout the year.”

Magecart Hack Attacks

RiskIQ, a San Francisco-based security firm that monitors threats, said in an annual threat report released Friday that it had detected a breach from the Magecart hacking group, primarily targeting credit-card data, every 16 minutes.

Magecart is skimming software used by a wide range of groups to inject malicious code into ecommerce sites and steal payment details. Magecart skimmers use that injected code to identify and capture credit-card information as shoppers type it into a site.

In August, a Magecart payment-card skimmer was used to hack nearly 2,000 ecommerce sites in a weekend attack. It was the largest known Magecart campaign at the time — and credit-card information and other data were stolen from tens of thousands of customers, according to news reports.

The average length of a Magecart breach is 22 days, according to RiskIQ researchers.

“Magecart and their ability to compromise the many vulnerable ecommerce shops this holiday season to skim unwitting consumers’ credit-card information is the biggest threat to privacy that we can see this holiday season,” Steve Ginty, RiskIQ’s director of threat intelligence, told Digital Privacy News.

The company recommended that shoppers use secure platforms like PayPal, or cards already saved to a retail platform or app, instead of typing details into a site.

“This year’s bad holiday actors will capitalize by using the brand names of leading etailers, as well as the poor security habits of consumers,” RiskIQ CEO Lou Manousos said in a statement with the report. “They’ll fool shoppers looking for shopping deals, sales and coupons by creating fake mobile apps and landing pages.”

‘Holiday Shopping Microsite’

RiskIQ set up a “Holiday Shopping Microsite” that listed new domains and included such holiday terms as “Black Friday.” It was designed to “serve as an authoritative source of intelligence that security practitioners can use to block and investigate holiday shopping scams as they increase on an unprecedented scale,” the report said.

Some 466 apps that RiskIQ researchers turned up by searching “Black Friday,” “Cyber Monday,” “Boxing Day” or “Christmas” were malicious, the report found.

Among the report’s findings: The 10 sites most trafficked on Thanksgiving weekend had a combined total of 1,654 blacklisted apps that contained their branded terms in the title or description, or 82.7 per brand.

RiskIQ also said that, for five of the 10 most-trafficked sites in the U.S. and U.K., researchers found 18,891 blacklisted URLs containing their branded terms, or 945 unsafe URLs per brand.

Less Security at Home

Office workers may be accustomed to ordering Christmas gifts from their work computers — but this year, they’ll be buying without the added security of an IT department protecting their networks, Third Way’s Eoyang said.

In an office, “your systems administrator might be in a better position to notice weird things happening,” but they “may not have that visibility” when a home network is involved, she told Digital Privacy News.

Email is another thing to watch, especially at this busy time of year, said Jeremy Kennelly, manager of a financial crime analysis team at Mandiant Threat Intelligence in Milpitas, Calif.

“If you’re buying gifts for a lot of people, you’re going to be receiving a lot of emails,” Kennelly said.

Knowing that retailers routinely bombard shoppers with emails “can lull people into a false sense of security about the legitimacy of the email they’re receiving,” he said.

“Over the holiday season, it may become more challenging distinguishing expected email from unexpected email and unknowingly ending up on a phishing website and putting your credentials in,” Kennelly told Digital Privacy News.

“It’s important that people just continue to think critically about how they’re interacting with email — especially now, over this season — as the volume of legitimate email increases significantly.”

Firms Also Must Stay Vigilant

Businesses need to watch out as well, particularly smaller ones that don’t have the robust security systems of a large etailer, said Jim Mottola, vice president of data privacy, investigations and security at Porzio Compliance Services in Morristown, N.J.

Hackers have taken to hiding in etailers’ shopping carts, taking customers’ information before they realize it, Mottola told Digital Privacy News.

“It’s almost like a watering hole” full of consumer information, he said.

“Businesses need to make sure any online payment system they’re using is one that is trusted — and there’s some visibility on it.”

In addition, the higher volume of shipping this year makes it important for companies to have “transparency” throughout the supply chain, Mottola said.

‘A Lot of Activity’

“There’s just a lot of activity — and having transparency and being able to manage this is going to be harder this year,” he said. “A lot more of it’s moved online than last year.”

Spoof text messages are another potential threat, Mottola observed. A text might look like it’s a delivery update from Amazon, for example, but it really may be a way to harvest credentials through a fake hyperlink, he said.

“Maybe you don’t go on to your phone” to check those, Mottola told Digital Privacy News. “Maybe you go onto your computer and log in with your own credentials.”

“It’s going to be a different kind of year,” he said.

Nora Macaluso is a writer based in Philadelphia.

Tips for Consumers

RiskIQ offers this advice to ecommerce consumers this holiday shopping season:

  • Check website addresses, especially those from links on social media channels.
  • Don’t enter credit-card information if you don’t have to.
  • Keep an eye on credit-card activity.
  • Download apps from official app stores.
  • Be wary of suspicious permissions, such as access to contacts, text messages or stored passwords.
  • Know who the app developer is and be wary of reviews.

— Nora Macaluso
RiskIQ report: 2020 Black Friday Ecommerce Blacklist Report

Threatpost: Magecart Attack Impacts More Than 10K Online Shoppers