With Black Friday, Cyber Monday and the busiest online shopping season heading into full swing, it’s a favourite time for cybercriminals hoping to cash in on the holiday hoopla.
“The amount of breaches and stolen identities went up drastically in October, November and December of last year,” said Alexander Rau, national information security strategist with Symantec Canada.
“There’s more online shopping going on. People are crazy about Black Friday (Nov. 28, the day after the American Thanksgiving) and Cyber Monday, people want to get the best deal in the fastest time.
“If there’s a lot of traffic, that’s where the attackers and the hackers go to try to steal information if they can.”
It’s not only about stealing credit card credentials — that aspect of online chicanery, while still prevalent, is only a small part of cybercrime.
On the consumer side, more important to criminals now is the ability to compile entire dossiers on their victims, so when the stolen credit card data is no longer usable they still have enough personal data to carry out sophisticated identity theft scams, which can include buying cars, taking out mortgages in their victims’ names and other fraud.
Companies are under increasing attacks for all manner of gain.
In the hectic shopping season, keeping transactions secure is only one part of the challenge. Distributed denial of service, or DDoS, attacks can take down websites by overloading them with bogus traffic.
While DDoS attacks are common in games such as Minecraft, in which competitors use them to gain an edge, or in business or for political protest, unscrupulous website operators can also use them to take a retail competitor offline during the busiest online shopping days of the year.
“A distributed denial of service attack basically means that someone, in that case the attacker, is flooding a service like a web server with just garbage traffic,” said Candid Wueest, a security researcher with Symantec Security Response and author of a recent report on the evolution of DDoS attacks.
“You can compare it in real life to heavy rain, and your flood drains can’t cope with all the water coming in. Now someone opens the floodgates and sends a lot of water toward you. So you’re going to be underwater and not responding to any requests, even the one from the shopper that you actually want to.”
Wueest said 2014 has seen an increase of 183 per cent of just one type of attack.
“They are getting stronger but sometimes also shorter,” he said. “We know sometimes to take down an online service, often it’s enough to take it down for a few minutes or a few hours, and then the word will spread and people will start shopping at a different location. It’s not uncommon that we see it during seasons like the Black Friday shopping weekend.”
In the lead up to Black Friday and Cyber Monday, Wueest said already some sites are being targeted by extortionists. In the digital world, protection money is demanded as the price of leaving a website online.
“What they’ll do is inform the companies, the online shops, previous to the weekend, they’ll tell them, ‘Look, you’re either going to pay us $800 … and if you don’t do it we’re going to take down your business for a few hours.’
“In the end, it’s a classical extortion, which you obviously shouldn’t respond to but it’s hard because in the online world, it can damage your brand and obviously your sales if you’re not available during the peak hours.”
Where is the computing power coming from to launch these attacks?
If your computer is infected with a virus, it could be what is referred to as a bot, assembled into a botnet army under the command and control of the attacker.
You don’t have to be a computer genius to launch an attack. Now for the price of a Starbucks eggnog latte you can get a website taken down for an hour.
“There are services which offer it for as little as $5 for one hour, meaning you pay $5 through any online currency like bitcoin or something else and they will make sure that your competitor, your enemy for online gaming, or maybe a newspaper that you didn’t like is taken off for one hour, one day or even one week,” Wueest said.
For consumers, there are other things to worry about besides whether or not their favourite online shopping site is available. Identity theft is becoming more and more sophisticated and data breaches — in which companies such as Target and many others have lost personal and financial information on their customers — can leave a ticking time bomb. Long after your credit card is cancelled and you’ve let the credit-monitoring service expire, the personal data about you could be assembled in new ways to make money.
“There’s a number of things that people can do to protect themselves from a lot of these different kinds of scams that are going to take place during the holidays. They do every year. This year nobody expects it to be any different” said Bob Hansmann, director of product security for Websense, a computer security company.
“Essentially you want to keep your eye out for deals that look too good to be true — they typically are. Any links inside an email or even some web pages — you’re going to want to be a little wary of it.
“Make sure your anti-virus software is up to date. If you’re using a Windows machine, make sure it’s patched. Make sure you’re following the normal be-careful kinds of maintenance things, and that can eliminate a lot of these kinds of risks.”